ramnit | a61caf8bbeb8e4ed295eac0981ee1c96fddaa55d0b9ba54bfa3cf2b3510cbf89

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fe32487a1f4459ebfdfbb1703c23cd_JaffaCakes118.html
Size

135KB
MD5

75fe32487a1f4459ebfdfbb1703c23cd
SHA1

797940363e9cad755edb7ee2b1daac34f401d273
SHA256

a61caf8bbeb8e4ed295eac0981ee1c96fddaa55d0b9ba54bfa3cf2b3510cbf89
SHA512

0f16c0ca9c635bfe01b1dbb9433ae9942e78b152bfd367767a27018a7959608b672058ce61075b55f7b01a98effa24dd86ddb2f0cddc685cd4d1c8dce2fff258
SSDEEP

1536:SsiicbNvfe0GUyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJruH:SsiZyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

860 FP_AX_CAB_INSTALLER64.exe
2448 FP_AX_CAB_INSTALLER64.exe
2868 svchost.exe
688 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2840 IEXPLORE.EXE
2840 IEXPLORE.EXE
2840 IEXPLORE.EXE
2868 svchost.exe

pid	process
860	FP_AX_CAB_INSTALLER64.exe
2448	FP_AX_CAB_INSTALLER64.exe
2868	svchost.exe
688	DesktopLayer.exe

pid	process
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2868	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2868-1405-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/688-1412-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/688-1415-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEDF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETC775.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETC775.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET233A.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET233A.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd50715a2ff9c5409a7656aa00aac70b000000000200000000001066000000010000200000008e86bc81a7a084636cfc6b7f5a375705402d78711256213f69382d78dca4eb07000000000e8000000002000020000000557769b48b227cd354c5238441380af0c1b6e17ea0523928974e04246642975c200000002a654cd9e902fd7c8c36bf0311f8502ce46d9a96ebb80dac10ff0b180e38c52d40000000bc16ef8f68dd57d1729eb880c565418e4bf957e16726cab4ed25d1265c3ff91b70c906deda5a1e1390ec0de3b37e25451373b6c196df571ad422660a299a57be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA0B1DF1-1B77-11EF-972F-E61A8C993A67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422900599"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd50715a2ff9c5409a7656aa00aac70b000000000200000000001066000000010000200000009eb594d5250976fcb26c6539d7b89ffa17bb51e1766b6be30426ca96bbc483f9000000000e8000000002000020000000e5217f41e1135e1767672e7e843faf92d52f2c0b8f9d10729578921fa8674f3f90000000bb662a5eb74ba75b6932d27c0386943849ec26a5f392a30963f3e3f7701dece98048057414ba38fc4c009544fa87c52a4ba40e859270a3c7e8758a49f65b6a6443aa787626da6f8075ae65d1bdfa8d715042c67b6448f6014f47b0e4303eed71038045bc9e1f0798daf910854dcc3ccd2bc98be78eef1222c52508f5d9b7d7343fabcccefa8486ef85e48f817265a8e2400000002a6c6caf2d91c854a010139ab2140910a8244738e1a78e7d28dabcab9d39adf7d3562299ef9624e557f73bc1215d843299c12328c348e09f8c6fc3a5e999ef10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a068f8c084afda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid process

860 FP_AX_CAB_INSTALLER64.exe
2448 FP_AX_CAB_INSTALLER64.exe
688 DesktopLayer.exe
688 DesktopLayer.exe
688 DesktopLayer.exe
688 DesktopLayer.exe

pid	process
860	FP_AX_CAB_INSTALLER64.exe
2448	FP_AX_CAB_INSTALLER64.exe
688	DesktopLayer.exe
688	DesktopLayer.exe
688	DesktopLayer.exe
688	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE
Token: SeRestorePrivilege	2840	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2112 iexplore.exe
2112 iexplore.exe
2112 iexplore.exe
2112 iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2112	iexplore.exe
2112	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2112	iexplore.exe
2112	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
2112	iexplore.exe
2112	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2112	iexplore.exe
2112	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2112 wrote to memory of 2840	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2840	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2840	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2840	2112	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 860	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 860 wrote to memory of 2336	860	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 860 wrote to memory of 2336	860	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 860 wrote to memory of 2336	860	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 860 wrote to memory of 2336	860	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2112 wrote to memory of 1672	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1672	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1672	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1672	2112	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2840 wrote to memory of 2448	2840	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2448 wrote to memory of 2520	2448	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2448 wrote to memory of 2520	2448	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2448 wrote to memory of 2520	2448	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2448 wrote to memory of 2520	2448	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2112 wrote to memory of 2376	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2376	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2376	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2376	2112	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 2868	2840	IEXPLORE.EXE	svchost.exe
PID 2840 wrote to memory of 2868	2840	IEXPLORE.EXE	svchost.exe
PID 2840 wrote to memory of 2868	2840	IEXPLORE.EXE	svchost.exe
PID 2840 wrote to memory of 2868	2840	IEXPLORE.EXE	svchost.exe
PID 2868 wrote to memory of 688	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 688	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 688	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 688	2868	svchost.exe	DesktopLayer.exe
PID 688 wrote to memory of 956	688	DesktopLayer.exe	iexplore.exe
PID 688 wrote to memory of 956	688	DesktopLayer.exe	iexplore.exe
PID 688 wrote to memory of 956	688	DesktopLayer.exe	iexplore.exe
PID 688 wrote to memory of 956	688	DesktopLayer.exe	iexplore.exe
PID 2112 wrote to memory of 1256	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1256	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1256	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 1256	2112	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\75fe32487a1f4459ebfdfbb1703c23cd_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275464 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275483 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275503 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
cba284530c6cc7ac24c947e65b2158e7

SHA1
a162c28e434b4cb599da9af11176c98b079c884d

SHA256
90f51cdf517becb5252ed5d4aabce6a9fd2195d6863b9bffb7c1aa21fa24526b

SHA512
9b75fcb70c36dedd8a045ae716e8ee4b922f0825560fa499d7615dd3e36083cf0365f990bea2f076e328538641666396d129c7f435692db7236cb33815ed3ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6b7854425c9a8c59a48bde1bb461af0

SHA1
3c5c0524862bb845de3c8237775d6c991a5b818c

SHA256
d8ff2fb90c5bd9cd5b281ca991f4c444bc241c77cd1064f8e5fed52390f90be6

SHA512
016e127e1a7325b97370609d4d6bc1350a4aae6c38335653a1b2f95a54d887e7b39835327db2a68efa3cd81c3da1c071fe832c7469f93f0f3fbf8705086d50ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cb6f209e786968a95bcfa471824a3629

SHA1
0175b30543ab3c761385c8f493fb72d6300cf94a

SHA256
1cc5dd7aac53a97645a3bfd16b95b2ea10e56c757ad643ff36650658dc5bc5e5

SHA512
9203ef35f67857674c27342af9e5ef3f0e344beb0251da66b2393d03992503748f7185ffdd69d7fa4c7cf4d11f75891274d20b64bdbc35d436a35f1b08e39305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
48823520786b9c9fea38c4e033405b0e

SHA1
61a37f7877d464607c4390365c3a7c4dcd2296e6

SHA256
7a53dc0d2f82617c0d7add20a84f177c98f5346180eb7b36106af88ce5c5b370

SHA512
de711acadf9437fb98a987dcc617f5b081aa6418590b4b4c2de2dcc344a6399e81a25bb0953865d23721ad0c20ef4c235b70c85cdde5032958d99a91e5a478b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
58528680d4185c53abe72684dcceb07b

SHA1
7fe119812165c288e828dfa34fe1670115e98c4a

SHA256
83b667005023fc881b1e78de11543a033bc5a237d20cb4753c97840fad1fb3a9

SHA512
243c5ac19fedc445de2e87bd846a98e2fa462b7e4de31ac2fba6a36e45fcad966b5d8027406e93639dd9414d263d73340671b67cd79c07f4cbad13037e336416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4923baa339a6f14b54e642f78b3be4fa

SHA1
e96aa16724d01d26f9bab17b237591afe7d3c553

SHA256
9e0e9301b8211202bf6ec0682ab51b3ea2b2f8f956cebd5ae4d1b87642ae2c5f

SHA512
751813c229b4d0b269be7c1d1c411a25ec23b308662b8b19f047aa9262b982862196da23c7e2dc5c064748ddf6b899990451c451d24309a20124ecffc7246202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f7e57f63539f9099b927eb181ea0d16a

SHA1
d5d253ab76fc2c8fccd0570f99ac9fa6c6e648e4

SHA256
dd79415ab9154a32eae6f8ed6466c024962590142a7280e4167dff5d753aac28

SHA512
4537c8df26ee199211609642d80dedaed0c3e0ca64a447f0b5ba0c6d6b7bb72f316aac14c79543138932451ad75d0be944af41511eb436dad3588f1fdd667623

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1ff1a11aef9cede2f8dcf6b0a2979ca3

SHA1
4252772b4059ead1521e52abd2b16b9c83366a47

SHA256
2da9cfbfee7b6595e84f38fe54657e95c4e69b05eca8375738ad27cc8284880b

SHA512
acd389dbd2f553edd3360a203addac41b1e3cb65fbc27447fb05b64052642e0eafc8528238d5dd1a7fe6d110e54b654f9724cdd9ff1f758a1583c8d6604fea07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
09caa5ffcdb03d22229d807291377ef3

SHA1
7253f3d9f80837909a56be5398453d8d54779154

SHA256
78e654a5dc9b0682652b9db63446e7acb69eeee3a3e8933204e5eeab19b8eeec

SHA512
38474d6788837118cc8dd6d031b584007655b98c27e47f50b8e74e26f25d06d49c571c72569f74cdb562443e3f63e51f1ed9c941e980a1b4f7f7fe9868f97d39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3a6904c429495521c7424a0c698aec5f

SHA1
021ca8d450bb575a8f0d9dc26a45de8a2da74106

SHA256
f625f71dbe5f249cd12dc6194cdbcb5f2ab9a341489d57e66e372be0f6033503

SHA512
d85e828ce0f4e1fc926edf0014a90bbd36ceb2c0b443dcfcac5afdeb86bed657124059513d37bf4e6456caf68a826b180634eb1f9ff157449eb2cfd072a9ecec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9a21fb6e4b738dc2eb500e790ae0f250

SHA1
27e5115f2432a7a7af7dd19a8ee59b33489a3fa2

SHA256
900a5f8bd65f6ad1addb21262f014888699d979981a7e2e72e4a0124b4276c6d

SHA512
30bd3c60b3038f4732940961063b4c290b138b251c1d471df333ed346ed3e881863d3f59587d5a203ab0bc279e7de60878f373342b5d803dd31c9c65acd225e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c2a4daca6a562991618f50fb6e0100a4

SHA1
9779263e1517a449627190bcf091b29255513591

SHA256
3fd036cf6ae9c09d9f3f7c3592cf8413fc65362da07806b2e6ef4eceec0543b9

SHA512
e998f484fc8a4e1ed517a78f0adfaca4097b653c420a8366f36ee394fd9b02c0ca5f4f716a84c51a9311793cdade8a4fa6220e7e9897e84f18bff86d28a9db28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
24e3500f807efdf4eabbbcdd896d76c2

SHA1
d235d706b6a0935a3294a46139684c1e48b91d91

SHA256
74d31111a68e150c69393b728001e5a4f918f55c0ba96afcdcc2607a7c3833d7

SHA512
f5d447a3d84f87e71773c6561ec91f83a6eff7abb1222debd7a0306fa6c411363be7df7c0a1e4adc525f284e4a08917402e87eb3005979ccbd133c18b2b00698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14a2fd0106af72e940360419dbffbab7

SHA1
fd36680b56f379edb2c93cafa27fee8f4a0f32ce

SHA256
b520187c66c5f14fc9fec44d0a11f774b0d88880524911aa58850c1a01f77e24

SHA512
ff684a7401aa44143a536b086858c2f1a0b86de822a5292f40be19992de2ecd3e8e527b5d4d672e8527da30e90edc6247d64a9aa67838ca447cb145c24cae2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f8fe657e0381eed4d16c0f34d271354d

SHA1
1e100ea705d8a907762bf7dbb80e1ab9cf7169fc

SHA256
9d8e7929339571425c7857e9f65d9789b1dc913420a5159421f4af36c60e343d

SHA512
aeeb1ffb351d2b2659197c5bea3a8f4a017c87d0edc04f3de26258bceac75dbf2710598d65ebeaa27c96426d70b5111f811293178fedd59e1461d37b4edb8f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3abaa83ad5251e024e01427c926bdfdf

SHA1
cd4496ae5117a61dd5f8b85dd336d6f9dd16549f

SHA256
a39f61ff51a3d20c916b8fd6d466dcce1868017dca25b60e4b23ff607d636951

SHA512
35b572ce416cadb9ba83c607959e287b43ee315f36113a874385c2ce3f92b5846a3337c5aa1a30f028966c7c5bc8bea3a8201b52fd2bb640593464e335da48be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9e0c5ef3a5d27e9053994f5cf60eea4e

SHA1
54a99f66afa03180c73d67d4204fef59f846f90e

SHA256
f49eab3bc1c9f3110e5bff155c515300000318437966a99cc3e68004a0a71e3b

SHA512
38d0771e9e8c5b846f54f1f9c8423395a4a8a23d7cf34c637b6bef0a11b6c22fbc3d4a0a7557ae9730b0dd88f19703ad57ea4df665117767eb07d0c7613b6737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23f80dc7db13a9a512838cbb37e48fb7

SHA1
3c4aab9844741db47b340d3351d72c194512a185

SHA256
c9a1c282fdddde5899ce6d7a525f93c164679ebf67943381c4d69e492ba3b682

SHA512
2dfd3e9271d5f9df470667b46ecc7a29c3cf996ff45718ca35580334355bf6a0c49dd0f415463bc5b399902ecfc556bd72d62ecc4a61fe97776cbd943bbafd88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fb2b60d0e616992437ca8f8d23360e39

SHA1
c6b5d6736c33520407be179807a3d3c3097a3782

SHA256
393aa18040165795aef91ef33e4f34344aa82872f5eec387f168a1457601bf75

SHA512
29bfc5625c68376e8d320c57d5352394b84bd2e98593b2f8ae5af93a515b043da4973b2b042c44ba3834cdd99c74f083f3efac1d7d0aeb71538ea3139a2e60ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5ea31bf1ee4fdbcec951421bc4574a1a

SHA1
7b2d2c1ef470fe1784f2efc581d7d73f6438e764

SHA256
1ac8764d4ae726552827a2ee147ceb04375f40a6cff5b1b4d036e07abc929b7a

SHA512
4408a5bd001b1a08832a650669c4bccb81e8a143ba2c9ee110d99e98a612e08502cc28ac805a70e555c1f7b8a971c154db0c8365ff323f2fc7cdd02ab43078cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c3d93ec49b8053ef1925d32e9405fad2

SHA1
1d6424b028186af5f6e1327cffa1589cd6dba25d

SHA256
93a270bb6acbc77f2189d575fb19f18b78faf7e2e3ff826d87cc94659e570865

SHA512
1f637bac8067faaabcc8ab5bbf5cf506a44136d29f76f6a5a10a64adb88a88bd1420174f7e8e2c9fd113871a8a916867ab41758ea0f13228f3c5f33aa06f3621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
426893adc45a8a41a69d9ee2b91bd6f8

SHA1
6cf6d18c680191c8de1d01e16cae1b3549bc44c5

SHA256
28506d76abbf207d6c72727613e4f7336adaafa99ba8bf64de353b582520d827

SHA512
cd9d1fdf6266ad187fbbb0ee6bb97c1af985fbead1bd1627e6abb4ad8679e42073bca6a05641a30c27b62f700905e0682f04e09ef40494c3f5042a7955926a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
4f5f4bb9cc7edc6d0d8fe06df18d0a06

SHA1
bf7d8b5ea04628a02586953d41e029d6208089d0

SHA256
ff2589557dd1bbdae5092595d15eec2aab0e6578f7d57df2ca185e0cf81c154c

SHA512
4663ee0a57d40b0e1b2ed69a8ea7becc8a8647bf7b65a5c4f5100f6393ff8d241961d998148dc1d2243795cbf9588a62e6d53d0e252266a6e74bd34396c865aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DDF.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E9D.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar231B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/688-1412-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/688-1413-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/688-1415-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2868-1405-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download