ramnit | e79db2ba3284f6670aec4131de2462661d058a28bd7317e46eed54a9c8a0c7f3

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b6818f7d5ff8dd33c7995dfc9abed4_JaffaCakes118.html
Size

681KB
MD5

75b6818f7d5ff8dd33c7995dfc9abed4
SHA1

0648eebc7ab99b0fcdaf34a091d9e7e187febe82
SHA256

e79db2ba3284f6670aec4131de2462661d058a28bd7317e46eed54a9c8a0c7f3
SHA512

44417470ad3b20d9bd462e9de397b156b88a3d6db2b83bbf3962a4e83b36bac801891f5a9b37d4b9aa0144d11e4d46dbae958ebf86fe061eb7136c3d8ae7b7ea
SSDEEP

12288:85d+X3kCdlDG5d+X3kCdlDn5d+X3YCdlDC:++ECdm+ECdF+4Cdk

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 10 IoCs

Processes:

svchost.exesvchost.exesvchostSrv.exeDesktopLayer.exeDesktopLayerSrv.exesvchost.exesvchostSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayer.exe

pid	process
2696	svchost.exe
2788	svchost.exe
2948	svchostSrv.exe
2712	DesktopLayer.exe
2440	DesktopLayerSrv.exe
448	svchost.exe
1644	svchostSrv.exe
1336	DesktopLayer.exe
2408	DesktopLayerSrv.exe
908	DesktopLayer.exe

Loads dropped DLL 9 IoCs

Processes:

IEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2696	svchost.exe
2696	svchost.exe
2712	DesktopLayer.exe
2340	IEXPLORE.EXE
448	svchost.exe
1336	DesktopLayer.exe
2408	DesktopLayerSrv.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2696-6-0x0000000000400000-0x000000000043D000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\svchostSrv.exe	upx
behavioral1/memory/2948-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2440-48-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2712-44-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2948-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2440-50-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2948-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2788-23-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2788-18-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2948-51-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/448-528-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1336-543-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/908-561-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2408-560-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 18 IoCs

Processes:

DesktopLayerSrv.exeDesktopLayerSrv.exesvchost.exesvchost.exesvchostSrv.exesvchost.exesvchostSrv.exeDesktopLayer.exeDesktopLayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1390.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px558F.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5561.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5570.tmp	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1353.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1371.tmp	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1352.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422894121"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D43C19C1-1B68-11EF-917A-EA263619F6CB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

svchostSrv.exeDesktopLayer.exeDesktopLayerSrv.exesvchostSrv.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2948	svchostSrv.exe
2948	svchostSrv.exe
2712	DesktopLayer.exe
2712	DesktopLayer.exe
2948	svchostSrv.exe
2712	DesktopLayer.exe
2948	svchostSrv.exe
2712	DesktopLayer.exe
2440	DesktopLayerSrv.exe
2440	DesktopLayerSrv.exe
2440	DesktopLayerSrv.exe
2440	DesktopLayerSrv.exe
1644	svchostSrv.exe
1644	svchostSrv.exe
1644	svchostSrv.exe
1644	svchostSrv.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
908	DesktopLayer.exe
908	DesktopLayer.exe
908	DesktopLayer.exe
908	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2732 iexplore.exe
2732 iexplore.exe
2732 iexplore.exe
2732 iexplore.exe
2732 iexplore.exe
2732 iexplore.exe
2732 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2732	iexplore.exe
2732	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchostSrv.exeDesktopLayerSrv.exesvchost.exesvchostSrv.exe

description	pid	process	target process
PID 2732 wrote to memory of 2340	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2340	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2340	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2340	2732	iexplore.exe	IEXPLORE.EXE
PID 2340 wrote to memory of 2696	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2696	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2696	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2696	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2788	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2788	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2788	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 2788	2340	IEXPLORE.EXE	svchost.exe
PID 2696 wrote to memory of 2948	2696	svchost.exe	svchostSrv.exe
PID 2696 wrote to memory of 2948	2696	svchost.exe	svchostSrv.exe
PID 2696 wrote to memory of 2948	2696	svchost.exe	svchostSrv.exe
PID 2696 wrote to memory of 2948	2696	svchost.exe	svchostSrv.exe
PID 2696 wrote to memory of 2712	2696	svchost.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2712	2696	svchost.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2712	2696	svchost.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2712	2696	svchost.exe	DesktopLayer.exe
PID 2712 wrote to memory of 2440	2712	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2712 wrote to memory of 2440	2712	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2712 wrote to memory of 2440	2712	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2712 wrote to memory of 2440	2712	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2948 wrote to memory of 2508	2948	svchostSrv.exe	iexplore.exe
PID 2948 wrote to memory of 2508	2948	svchostSrv.exe	iexplore.exe
PID 2948 wrote to memory of 2508	2948	svchostSrv.exe	iexplore.exe
PID 2948 wrote to memory of 2508	2948	svchostSrv.exe	iexplore.exe
PID 2712 wrote to memory of 2520	2712	DesktopLayer.exe	iexplore.exe
PID 2712 wrote to memory of 2520	2712	DesktopLayer.exe	iexplore.exe
PID 2712 wrote to memory of 2520	2712	DesktopLayer.exe	iexplore.exe
PID 2712 wrote to memory of 2520	2712	DesktopLayer.exe	iexplore.exe
PID 2440 wrote to memory of 2876	2440	DesktopLayerSrv.exe	iexplore.exe
PID 2440 wrote to memory of 2876	2440	DesktopLayerSrv.exe	iexplore.exe
PID 2440 wrote to memory of 2876	2440	DesktopLayerSrv.exe	iexplore.exe
PID 2440 wrote to memory of 2876	2440	DesktopLayerSrv.exe	iexplore.exe
PID 2732 wrote to memory of 1528	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 1528	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 1528	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 1528	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2504	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2504	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2504	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2504	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2740	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2740	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2740	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 2740	2732	iexplore.exe	IEXPLORE.EXE
PID 2340 wrote to memory of 448	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 448	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 448	2340	IEXPLORE.EXE	svchost.exe
PID 2340 wrote to memory of 448	2340	IEXPLORE.EXE	svchost.exe
PID 448 wrote to memory of 1644	448	svchost.exe	svchostSrv.exe
PID 448 wrote to memory of 1644	448	svchost.exe	svchostSrv.exe
PID 448 wrote to memory of 1644	448	svchost.exe	svchostSrv.exe
PID 448 wrote to memory of 1644	448	svchost.exe	svchostSrv.exe
PID 448 wrote to memory of 1336	448	svchost.exe	DesktopLayer.exe
PID 448 wrote to memory of 1336	448	svchost.exe	DesktopLayer.exe
PID 448 wrote to memory of 1336	448	svchost.exe	DesktopLayer.exe
PID 448 wrote to memory of 1336	448	svchost.exe	DesktopLayer.exe
PID 1644 wrote to memory of 1676	1644	svchostSrv.exe	iexplore.exe
PID 1644 wrote to memory of 1676	1644	svchostSrv.exe	iexplore.exe
PID 1644 wrote to memory of 1676	1644	svchostSrv.exe	iexplore.exe
PID 1644 wrote to memory of 1676	1644	svchostSrv.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\75b6818f7d5ff8dd33c7995dfc9abed4_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2508

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2788

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1676

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2408

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:537605 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:603139 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:865285 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:6173701 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
64KB

MD5
c2894448d11d790e9b600a564e770139

SHA1
02b582a3d61aa0fd6db6841371308cdb77428e71

SHA256
70089eb916dd9dad24b3289515473d82b9fc5d76c8c954adcc363853dc62e837

SHA512
231c24d7305be36bc4862459550f09d5125fa2092f37e703cdddb6f6f8731797fd4b2e7357149baa7bfca8623d2e99f9f037733ce13cefd3bd38465999f953ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a889bcbb17d5b3675f6c8d959ff88101

SHA1
1e2db961616a35b0c73cd1c72be9ddc9d4bc2afc

SHA256
0c2fc4ffc71fabb95d3edfb82b1dcbff859fa09dab666929987bad3c55d37643

SHA512
3ee0198e2ad8123aadd67b620465f76807cab69738044f223c8c0c3de5a336e1a8c8bf2e878d4019a8b28a5b72ae4b9d44cf6969d600d522beb969b570d707ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5c7010ef5e511d785eabc3e5a65a1c41

SHA1
0bd770f6bb1ac4706777dd5d9f5e5bf835be8c96

SHA256
e835d993002290c34209d76c9bb33da28a8b1f6183f9808c50782f880ac564b9

SHA512
96b1cf3f6d77c636372e8ee9d7130731e5a3ff4be6659757d9da638c18e536e735da0eed455e3639d4fb1beaaec0c98ab7a3d9c35c770aa126032e848154bdd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d01e1a47173ce978f53f94949fb037f

SHA1
8adf80bf49138ba475531e560af79fe37501790a

SHA256
d823a1a9e66ca59d9479fe84e061466724195f180c79a0697baaefa4fe4d686d

SHA512
91c8b685482ea6464bb2c8b6edf3fa2609cb74b2da5ff63004819af7c6447365bef28b44aea14a3f091f265a349df2284b0edd41e765427c9f9eaa4c7b61ea4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c40896e652f1c24e467602f875ad16b7

SHA1
fdd683aea0c71fd5a35f184836df0692cf98260a

SHA256
ee6c099cdc003a44e09811c0a87b9e6883df6c1099a5760a5d135c465ca9593e

SHA512
028d1606889d3086b67ffbbd323eaca4622beb1ce2cd0495ed6b61ccc440fdb82672f5511c4e7c7d4628473a20dc9decbb5d9113d31e708c12ec036a4696df78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
72162c7d6adbfe36e8a67fb68f69c646

SHA1
0fff6428e04887e869bce890b9e06c91e0838277

SHA256
4b00f4d188f61d31e566040066f0c128045aa8d7ae8afe58f2f1383c35c2ee76

SHA512
563aa2e190dd6413700082698ccb0672cfe821e73080e54a9d118701a6fe74d12c3e0048084a1063df9cc5c694e4537d3a46273b29f3c640ddcb5c01bbb886dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d32d4bfd362d7671e13e80cc1f2f64b

SHA1
69b1e67df5002484c98e9ad2d46af91ddcfe7abb

SHA256
9f478239f77dbfb4dc7fd5b236b7ba0dd81943bcbacf7519fa829c84eec1d03b

SHA512
ab31bf9cb6e5ba0f8807c34a7511e90081c976ba96e0827259b694b619dd30fb08692a7f842e7bcc10dd99d33e37aa3d0aade7310f1b9eb8128f11f5a812cff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9fa36dbb26b256e62afca7fcc9177805

SHA1
741ed768d0294cef43ad0dbe57a980dbfedf1c05

SHA256
9b5377fc90cdd1107345ca7d9b790f5f4f764106b355855e3f1980812ddd0c54

SHA512
ac1c3d234440618d98273d80a72c41b3be50cb316d74f062f1013557adfe345b60d68ab05a2a0f087bfc60fd83a81aa3eaa9c6cf8c8db4a1403dabde0e2a2dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d25d2e9d8b8d023d8cec409304a20105

SHA1
002ab70348c4a66d9bd51516d1ced6e7e245186a

SHA256
68bf9513e3ef1bf4e4f26eb3ffce6bf86549bdc3c8db2c7ceb73b2c7f04fb65c

SHA512
1200b8309be5f31d7aa8bab2f02f8d1b9347bbf48bdfb790adf10a3a9bcfe6d199bff28fe6c2256723d1732fd2ec4abf5aa3b6747e688b238c1db6ef5b0840df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7D.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar105F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
111KB

MD5
f9b6a36532ad339c536257d6d663ac50

SHA1
05bc904af61bd3dc99e431ce418ad3db8fbeaa96

SHA256
e359c2f9f18ff3d99b211670d64d29bf607d8a360b92866ce2e4bd7f3bd22a17

SHA512
8be67449f33a1fb18a1f11d171b0c33bff634f30778d67cea03641d8c0780dbcfcc9d59d68136696a89af0124710195f524d2753c49379d9a5e46418d2ae4f06

Download Submit
\Users\Admin\AppData\Local\Temp\svchostSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/448-532-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/448-528-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/908-561-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1336-549-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1336-543-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1644-539-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2408-560-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2408-558-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2440-47-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2440-50-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2440-48-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-17-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/2696-19-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2696-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2712-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2948-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-38-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2948-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download