ramnit | 18059377b3a4bbea91f5668671951a3746e75c498afb0f4eaf9cc8f76ac10051

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ccbb10f4b7bb2aa9a5397edbcb2cc7_JaffaCakes118.html
Size

457KB
MD5

75ccbb10f4b7bb2aa9a5397edbcb2cc7
SHA1

c54c74af38f098709402b6822389a1e8e75b146a
SHA256

18059377b3a4bbea91f5668671951a3746e75c498afb0f4eaf9cc8f76ac10051
SHA512

b3152bffd2bb05b1ead764ed3b66d220429235f6ba955e52a8f1b5d9ab5f550f7f766cce6d8a440e574074312196036f061dd03b8be20d218ce7aedf07b4d414
SSDEEP

6144:B7sMYod+X3oI+YksMYod+X3oI+YzsMYod+X3oI+YcsMYod+X3oI+YQ:95d+X345d+X355d+X345d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 5 IoCs

Processes:

svchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

2592 svchost.exe
2844 DesktopLayer.exe
2968 FP_AX_CAB_INSTALLER64.exe
1008 svchost.exe
780 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

940 IEXPLORE.EXE
2592 svchost.exe
940 IEXPLORE.EXE
940 IEXPLORE.EXE

pid	process
2592	svchost.exe
2844	DesktopLayer.exe
2968	FP_AX_CAB_INSTALLER64.exe
1008	svchost.exe
780	DesktopLayer.exe

pid	process
940	IEXPLORE.EXE
2592	svchost.exe
940	IEXPLORE.EXE
940	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2592-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2844-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2844-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1008-127-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/780-133-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2961.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px12B6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET2913.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET2913.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422895913"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08f02dc79afda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a4a72a9ef401ac49a2645e3c030bdb9b00000000020000000000106600000001000020000000f185c23caf645fd1bf2c9e10dd7446525314a5cb31075e02b58211a18296978c000000000e80000000020000200000008397d0b5f127f7238de4b908b2d66620f27b90a5bb2fdc968e7680403b33b55b900000007221a359ef0e5a0bc34bf72fc407958b5465d3c72f105d81587a5f77bd5849ad13ca30cb1cbae24c4bc09ae72a4a2db933412f4aa7be86737c789206e31f856fc87b09aaefedc386edb83e7bea18df5c71434dd645e4acaae5366e1f6c66a0a101d8b38dc8a71a1343598db47594975a751a612481f788b35313688493e7caa0d2b1d78b7a7c0e4a1871146321ccc004400000005ce36434bfa543e3f74126d22f4ad9b71c1a84c378308fb77a4d97ca5bb5d4c03e498ebc3c07f200d031e1f542eaad24c4a3bec9583f950bc9254ed983bcf13a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a4a72a9ef401ac49a2645e3c030bdb9b00000000020000000000106600000001000020000000a27b668b24630fa557dcb7872e2d10019e7df0c3e1b3484a1ed0a32380defe6e000000000e8000000002000020000000ff43b7a43230dcbdce0aaae5aff6702ae4423a9d9da289363df20f5b2868fd12200000002c91bc7a3f5c0e755307a0bfcca6e7fa18522d6cdde57875dee595ac80100e6f400000006e77e6af60a6927a5eb13f5688f23508510bb4ff89ad0812412699bcdc1ad203eb37d3867d5767e63ef42cea25f886e57a1627e764cd20c4c347875428269081	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{00F0E821-1B6D-11EF-B9A1-EE87AAC3DDB6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

DesktopLayer.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid	process
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2844	DesktopLayer.exe
2968	FP_AX_CAB_INSTALLER64.exe
780	DesktopLayer.exe
780	DesktopLayer.exe
780	DesktopLayer.exe
780	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE
Token: SeRestorePrivilege	940	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2232 iexplore.exe
2232 iexplore.exe
2232 iexplore.exe
2232 iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2232	iexplore.exe
2232	iexplore.exe
940	IEXPLORE.EXE
940	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2232 wrote to memory of 940	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 940	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 940	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 940	2232	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 2592	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 2592	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 2592	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 2592	940	IEXPLORE.EXE	svchost.exe
PID 2592 wrote to memory of 2844	2592	svchost.exe	DesktopLayer.exe
PID 2592 wrote to memory of 2844	2592	svchost.exe	DesktopLayer.exe
PID 2592 wrote to memory of 2844	2592	svchost.exe	DesktopLayer.exe
PID 2592 wrote to memory of 2844	2592	svchost.exe	DesktopLayer.exe
PID 2844 wrote to memory of 2724	2844	DesktopLayer.exe	iexplore.exe
PID 2844 wrote to memory of 2724	2844	DesktopLayer.exe	iexplore.exe
PID 2844 wrote to memory of 2724	2844	DesktopLayer.exe	iexplore.exe
PID 2844 wrote to memory of 2724	2844	DesktopLayer.exe	iexplore.exe
PID 2232 wrote to memory of 2488	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2488	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2488	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2488	2232	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 940 wrote to memory of 2968	940	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2968 wrote to memory of 1736	2968	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2968 wrote to memory of 1736	2968	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2968 wrote to memory of 1736	2968	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2968 wrote to memory of 1736	2968	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2232 wrote to memory of 1880	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1880	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1880	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1880	2232	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 1008	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 1008	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 1008	940	IEXPLORE.EXE	svchost.exe
PID 940 wrote to memory of 1008	940	IEXPLORE.EXE	svchost.exe
PID 1008 wrote to memory of 780	1008	svchost.exe	DesktopLayer.exe
PID 1008 wrote to memory of 780	1008	svchost.exe	DesktopLayer.exe
PID 1008 wrote to memory of 780	1008	svchost.exe	DesktopLayer.exe
PID 1008 wrote to memory of 780	1008	svchost.exe	DesktopLayer.exe
PID 780 wrote to memory of 1424	780	DesktopLayer.exe	iexplore.exe
PID 780 wrote to memory of 1424	780	DesktopLayer.exe	iexplore.exe
PID 780 wrote to memory of 1424	780	DesktopLayer.exe	iexplore.exe
PID 780 wrote to memory of 1424	780	DesktopLayer.exe	iexplore.exe
PID 2232 wrote to memory of 684	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 684	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 684	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 684	2232	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\75ccbb10f4b7bb2aa9a5397edbcb2cc7_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1008

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275464 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:209936 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275479 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
4239dfac9149cecb8a15f1251c72842d

SHA1
f1d16fbb1daf42cb61443065194bd30abd3fdfab

SHA256
80316c48943325d16d8a5d9b89c73c467a361b9da6eaf1a853206a03c0123e3b

SHA512
653fa7a3713d0eb071fc4a4878a9bc0480a19273041e1569b14c253b961a51c0fd4a4220cf1f4de079a067cb47c8cf311d33ae2897c938f807c7bf4b7112c276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6f2d9fa02d783b5f26f63ccdb031542b

SHA1
02898d43ec1f78059090dd082e98219f286c8f5d

SHA256
ecc843a2fe614a949e6bd052f5dd211073deb24e8db166c7fe1e63a8b6708c93

SHA512
a7feac02474971760258ce2f4f3a9a43e13a38465098da2eb07560f939ae5151ad3cf9d4d26566fbe0e07c11fc699ee5cc72983630023f883c46db6acc8888ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4df8430b6d5a8481d682d9389000138c

SHA1
8f1074200d677c237f7fa97211e449b88518d0e0

SHA256
98a67c1130682862ddff92685d5f46a0f220fe8ecff47f061b3f6806f29be093

SHA512
89cd6f18442df0d92a2abefc1d2ff855560f938e58739f6d9eb4ed928c6cd29e376769000ec8eaf84158fcb9e2aa47331d8460484feda6be3cc433015b486330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b9c74519a61b350d1ff40128b62cb558

SHA1
2e2b41be996bef8ce52ddfb9cd395ca88ce8c094

SHA256
bf11263078d1cc3b554516767f0c5de118c0537277c70e95b7c7af9d4d12e6db

SHA512
6c6f33cc46cf2e3e6541fca948c66e17ab87c5f18e41f27f5c3da6283b634997e46177d7a45bc1194edb3dad517b78557aee4f00668b1137cf0623b25ac80c52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d78051eda9201ed1c956a87abaff030d

SHA1
06242aeb9d9edc8943ea0a1540185365e8b56ca6

SHA256
d38190b7621df2a8959bc932e000779471533d7a9ba2f25f073556fb54e37f1f

SHA512
7b4ecf1dcd2481d677dd3584f03a7f01e5604449ea4cc70ad4b51850ff2e0a67c9ff88c5ec337b4980861b0d7cdb553a0016dc5d20ec376799c6b40566344eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f6f427d461996697449504a56dda0d5e

SHA1
96df575a34efa378950384bdc3d0173a68ca6b84

SHA256
66b228c95328ed1f806ca758333b1fd1285d613870d64834fbcae474f54375f8

SHA512
913ce6a2cc40b4dd30956ad0f897e692d3e7f8f2a96d1ae9d3589f8f19b1d25907d4a05d5d761efd2215abc2b5a321e3dc1e640defad661e68f33208d5e1f628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d3976025b661dabaf7f28890deebc28

SHA1
7c26fd0a7f7d4c1c24ce3af78725a2a6c2243e23

SHA256
1ef761f1750e481cbe752a3c16da95f181fc538052d2bcfe8691ec6bc480552c

SHA512
e527fc33d843f27eb7f13f4c94939b0dea324fa586da9717dab1a67625d39c2b5dc1eb2d4b78ac822d1d29f29f8f57addb5a73c85cdeaecaefd0d2e9dfd2fc27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c45fa2bcedc298c215df1dc19e1e0fe9

SHA1
7135d463b853c328b5e6cfba7c84f4dfbde4719c

SHA256
84fe1659c1aadf1d99badf84d8b47f86546393ff88226253c0a7311f7abbb182

SHA512
384977255eec3a8aab35849d8cbde8544efec523cfec211f4cc83af6e2d0c151b69803fca5cb83df4c39c303bd5e5443408fbfa98fd606e5b24d1197e13bae25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1422763b103c813a1a40130049c495f0

SHA1
960afaa990ffa685932fa636d4ea7016cfb05cb1

SHA256
e1c14313b0976b6cf36f1258d0cf94f031617f00f40f62d7e1274c6b08598751

SHA512
b81d7e878f2f28c87a87ab56cca1dee9fef4f57f63d95f6dfd9a02b9410e00bba33d6928c77ef663610738b45883ae1ffcbe50df895a06ada9aa9a98d33607bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5042f92eb8748b649ebd0e2a59ec38a3

SHA1
1ff7c2beec3ad0b467308334c865060f63f1b01f

SHA256
39158fda468159a526a666271008a482cdb88a98bdf56a240df2ec62f31f70bc

SHA512
1112d2bc1f6cd6ad775bf8b7787836cd87eb2a538360da8e8c25e3efa9248f0ea2da7e06a15157df8fb11e7ce03e14364737a0333747b410001a4cf102cd4d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e95b5fa5259c4f002afb295c5a02b2bf

SHA1
640cc6a48b7602c5fd2bc4caf4e99988b21ae893

SHA256
f8a5233446505f3eeffde04ba5fa2138dd92dfcbe552e42bf15f77154a7b0675

SHA512
2e34874dc8fffd32303d3431edaa89aef7446897f9fa0d5a5879fecb1f9d1311a49df35019252b14393e8f6d81f1ee25d206b954046139217438dd83b10600b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa5fd2f50b8ba8e74ec195805d519342

SHA1
803f0eef68bb076a5528d5429667b4a79167ddf7

SHA256
780596d86bd973261cb82ea225a2beda80d8fdcd89b2fcd145c3db9106cb5884

SHA512
17789121f9c364a894af596de781c5a8a487fbe287cf72b78d8abf96b0bd73c0cfd74d1c71db4f28eb1fe959a23ab7f3db1639c7a6f8e8cfa2569512f5bbb58b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8e8d4be9cea2535b1b328c3c77d20d85

SHA1
b82f23ec196aea7d94963499cfdf3678b6cd647b

SHA256
bd77ab8484c761f8b4d05cb9cb6cc1e44f59b950238e8ff0b95b1df4dab36e27

SHA512
d78d2c9e501704293785b191ec5d7111e20d79a4245fc733754005e33b640967fefc8d0b43933b20423fce828d33bab49011c03bebdba1c51e867f3003afd3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
45c173c1670c558fb049dac2dbe383ed

SHA1
23f4b5225da53ec3da9862446032ac28cc1da63a

SHA256
fecadc61c4852beb57feedbeffedc7dce5fddbed493f6b62a3358de7b1033d95

SHA512
6714cda5e01ada208bce91cbd27d50c82950abdc0af03e6e278d91642ade13e4ab692910d4355b08070a72bd2d49451fc8f09ffbf96b332da1451f80e515b0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ce6171ca03e93db5559a7214eb1d821

SHA1
dba58cefbb7617f27c7bcce6e32cef9bdcdd37bd

SHA256
0d20c55ef03fcdf57fe8a10b92a42a77565fa33576c0d9d33b62f5e4bc4cede0

SHA512
42216d29070bd522b24902adee0dbef79758c61f378604d44309be0236d1bb10f5bd997a533d5b59907209578095a90a6b424a4b43e796b594b401abc90fe13f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a12a6d9ba948110116fdaae74a341d16

SHA1
6f3b7393fc2386536219b28e6f21152d8823c93d

SHA256
90fe347b7f98917097d62432974a60ca8e6a447f9ac9b790584cc725158674ad

SHA512
57de6282d68e0c36219b32f7debce6c7fb17214c2e05c91e7986c7abe9fe19fb7c831312b9ea9aae696db1e17aed4bc48e578f908d5855dd5946b860a273f316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8fa74473aaa145f5de31cdff25b1346d

SHA1
5e85bb2e96d63fca8718f471eb3927076e47e02a

SHA256
5165ea48c620552c2ba2b4e369faf01fc55d5b553f1fd565fbddf309351729a8

SHA512
9fac79dad156e870870d005d740cd3b4e689b061208826801a0a39abce6ad5fca9efd55c9276014250b96287ecd4803007774cdea8c136315054649a75213910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7a98b10ed0520036c031d9eda063e020

SHA1
d6f4f3dc029c1459c664583728ab8b14298b6035

SHA256
613245bdfa71a6cb2d069fe790810f91fa135050ad6c1ca4f8a5947b6449a5e8

SHA512
8451a1e66683a38176cfdb606f2d35df93e63a1f26967d2e3f70e08d8d38996548187e19b783ea8fea98e2d29f4ed0f08996712a5aa8a8a03192975bd786c618

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0209884474aac7feaac2455729890f44

SHA1
60df66cbd39f893d3867b1f5ffff72edd74007db

SHA256
ae8ef388f1303f3d2110376ba3d005db482cb96a209421727939fe0945970f45

SHA512
6be2cafcb5b4eaa51789e07b8debb8c18f0bf4adfb64100d8617d39733f44f3344fba18c1ef9909579cc79df2a241c8ac4193995a9dab9281996d105c85af9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6231c502a44751933f441c53f68d8d5

SHA1
111dabedf8b10baee7e96c7faa5db3263091190f

SHA256
eff1dc87c3e2397c83bb8355ef3d3a6aabe7e7615c1f89a26841b2c8e1422be0

SHA512
f1f22ec3403aad4259f9a8db87fbd13e956ba3e870f01969101c50d5ff4939488fa31910744d0de16875397874d2fea66dded28f195d72b345a9b77e2e570ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
59ac65932a1c355c6227ed62fee77100

SHA1
043bb0b10bc3411dc802659d535c594d75dbc00c

SHA256
2a1e2f86176562174ef63552342aa2fb71becd6d3731f21288e05da2525129b9

SHA512
b46f73d3991e679d38bdc2d95106adab619e489ac9a6cc72319fd8203aec6c63071eff42b0b0df8412720c2c3ddf8e1d2d25fb9310f550ed4059483aa5fe00a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
37ce75e79a1a7e5150df8b2b5cc2e157

SHA1
4c052a2d77f325b87d3d7e06fe06b0595fdf758d

SHA256
a387ab1838b26643f8418b5ed82ec58d8b529ce045ec020aed20b851221a020a

SHA512
035f2fb9f726d809c5018a67fe2e18aa8077f39e50078662d57ff210d73e52b5155d4c2934e26099a88d8084c789462d39c8cb23d995910127d45c1e9378853a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
6a4d89864d326230f66e77a6aa27008a

SHA1
b6c92a0ed17219976be615f38adae31708d397ea

SHA256
fcea91d529071f3b70ac1905eb0a0c7049d273c18677e666f69c84f5b05f2735

SHA512
88d296096ce599364cb1d5d6e03ca3142ae6fe70f9295c3626d18b2ff8b126cbe799d74068c67a8ac568b2cda325c6c07a568aae042a5473a7a68ce579ca2ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ZVT7NYQ\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2570.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/780-133-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1008-127-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2592-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2592-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2844-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2844-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2844-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download