ramnit | 65ddb883ff2ee0d26f620cc088c79880c3a7d20fdc0794702a9e6b4733c8f8b3

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76268a6eb3793235dcc99234ee4fae01_JaffaCakes118.html
Size

672KB
MD5

76268a6eb3793235dcc99234ee4fae01
SHA1

08dcd48a444ab188b9a5513dfa9089671a780df4
SHA256

65ddb883ff2ee0d26f620cc088c79880c3a7d20fdc0794702a9e6b4733c8f8b3
SHA512

b7bd7f218e6a908c87baf33d66643894de026d15deace1400634594ac9a2ab149ba8add71ea5b5190161303879178735c5847af7f488a524ddf550622d53849e
SSDEEP

12288:n5d+X3Z5d+X3p5d+X3p5d+X3Q5d+X3f5d+X3+:X+V+F+F+K+P+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2604 svchost.exe
2756 DesktopLayer.exe
2512 svchost.exe
2996 svchost.exe
1180 svchost.exe
2172 svchost.exe
1912 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2028 IEXPLORE.EXE
2604 svchost.exe
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE

pid	process
2604	svchost.exe
2756	DesktopLayer.exe
2512	svchost.exe
2996	svchost.exe
1180	svchost.exe
2172	svchost.exe
1912	svchost.exe

pid	process
2028	IEXPLORE.EXE
2604	svchost.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2604-12-0x0000000000240000-0x000000000026E000-memory.dmp	upx
behavioral1/memory/2604-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2756-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2512-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2512-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2996-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2996-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px416.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px510.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px464.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4A2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4D1.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px510.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e8fd5a8dafda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422904297"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007868d6ff7345654ba49e5674420c041b00000000020000000000106600000001000020000000443bfe90bfd2c2d308e9ce421809ef1e837a65154cc3ba4bfbc63798c463f9db000000000e8000000002000020000000b2e43471da7f2ff111b2622e1c2b285f437fc9f7c18e4e168ac47f780f7c4b2a20000000384173c79bc9f57d2a8b0591aaedbbd7e1a37d37227d6438dfc2684429042d8f400000007fab0e14c417b0d89b75b524dba6160c641ffdf4b92e917d7419a2c50fe06facb5fccc9f7934c98262c69af7e947d5ef68972b0357f946b73c8d86e26a98689c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007868d6ff7345654ba49e5674420c041b0000000002000000000010660000000100002000000083faee0f8387572070bd89ed13fb6b59188cc0aeddb71bc2cac6cdc38bf06ed4000000000e80000000020000200000009e4865d38f62bb19c751216797ceb021a2c50a1df031657e4f045c4eede21c1390000000c18a5ff51bae268d039232cc0515fc995436287a6e4f538470c9c0ef15c15c1754e29b2da7ad327d59ae6b1f25577e826939083672bd67d4dbc74599b30dd84d2df84d982a3d21370868874e8d718637fe3306b815084c0c431f3b112ecd017aa0c41004d642e97e79c3fe63f4c55f274cddccdfd13ef220072a657dcbd0de2b8b73fdefa7062b346a94b190bc89806a400000006302ba4dfe8de0d146ef98eac129f9ecb88543362310b70b04269fae961651c8470a549941f6f1bfe1c614644d079199051ad13676a5faa368954fd26585c4b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8637EA71-1B80-11EF-922B-6E6327E9C5D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2756	DesktopLayer.exe
2756	DesktopLayer.exe
2756	DesktopLayer.exe
2756	DesktopLayer.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2512	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
2172	svchost.exe
2172	svchost.exe
1912	svchost.exe
2172	svchost.exe
1912	svchost.exe
2172	svchost.exe
1912	svchost.exe
1912	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2400 iexplore.exe
2400 iexplore.exe
2400 iexplore.exe
2400 iexplore.exe
2400 iexplore.exe
2400 iexplore.exe
2400 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2400	iexplore.exe
2400	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
2400	iexplore.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2400 wrote to memory of 2028	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2028	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2028	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2028	2400	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	svchost.exe
PID 2604 wrote to memory of 2756	2604	svchost.exe	DesktopLayer.exe
PID 2604 wrote to memory of 2756	2604	svchost.exe	DesktopLayer.exe
PID 2604 wrote to memory of 2756	2604	svchost.exe	DesktopLayer.exe
PID 2604 wrote to memory of 2756	2604	svchost.exe	DesktopLayer.exe
PID 2756 wrote to memory of 2992	2756	DesktopLayer.exe	iexplore.exe
PID 2756 wrote to memory of 2992	2756	DesktopLayer.exe	iexplore.exe
PID 2756 wrote to memory of 2992	2756	DesktopLayer.exe	iexplore.exe
PID 2756 wrote to memory of 2992	2756	DesktopLayer.exe	iexplore.exe
PID 2028 wrote to memory of 2512	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2512	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2512	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2512	2028	IEXPLORE.EXE	svchost.exe
PID 2400 wrote to memory of 2500	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2500	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2500	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 2500	2400	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 2484	2512	svchost.exe	iexplore.exe
PID 2512 wrote to memory of 2484	2512	svchost.exe	iexplore.exe
PID 2512 wrote to memory of 2484	2512	svchost.exe	iexplore.exe
PID 2512 wrote to memory of 2484	2512	svchost.exe	iexplore.exe
PID 2028 wrote to memory of 2996	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2996	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2996	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2996	2028	IEXPLORE.EXE	svchost.exe
PID 2996 wrote to memory of 2852	2996	svchost.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	svchost.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	svchost.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	svchost.exe	iexplore.exe
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	svchost.exe
PID 1180 wrote to memory of 2984	1180	svchost.exe	iexplore.exe
PID 1180 wrote to memory of 2984	1180	svchost.exe	iexplore.exe
PID 1180 wrote to memory of 2984	1180	svchost.exe	iexplore.exe
PID 1180 wrote to memory of 2984	1180	svchost.exe	iexplore.exe
PID 2028 wrote to memory of 2172	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2172	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2172	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2172	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1912	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1912	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1912	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1912	2028	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2128	2172	svchost.exe	iexplore.exe
PID 2172 wrote to memory of 2128	2172	svchost.exe	iexplore.exe
PID 2172 wrote to memory of 2128	2172	svchost.exe	iexplore.exe
PID 2172 wrote to memory of 2128	2172	svchost.exe	iexplore.exe
PID 1912 wrote to memory of 1612	1912	svchost.exe	iexplore.exe
PID 1912 wrote to memory of 1612	1912	svchost.exe	iexplore.exe
PID 1912 wrote to memory of 1612	1912	svchost.exe	iexplore.exe
PID 1912 wrote to memory of 1612	1912	svchost.exe	iexplore.exe
PID 2400 wrote to memory of 1464	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 1464	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 1464	2400	iexplore.exe	IEXPLORE.EXE
PID 2400 wrote to memory of 1464	2400	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\76268a6eb3793235dcc99234ee4fae01_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:472068 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:668678 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:734212 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:1520644 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:1389574 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5db581644c69b63f2c6747c58b78e886

SHA1
95ea8d5f5e8240d9477a39a728bdb3da3c690cfc

SHA256
0a826155a95cf2ebd78e34f5b256fa3f119e8d68774904a3f70197c172302469

SHA512
1fdb39da2a27fd46abd6abb136cfd74f3f6bc97d8033aa62298f99440398c5207228384c615a8b139b204f0a595c8dc9a296b9c36c6bf91041134b901c2f20ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a465a35f7a4a133fe5528d43dadd309e

SHA1
898cb01562a7070052ce9cbd45ea17719df379fe

SHA256
88473cbb570e33d1b0969e79a328847566c7d208629e384a715caaec3404e756

SHA512
496e1d0e35650b36aa05a74552e8c931d46cd98056468ed54989c505c64586187452d588d09fab57db369446de0c6a6afbb224b82eb50a2801168d934436834c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
62eeff55b563f2f64389515817e6d5b0

SHA1
cf9235443cd64930f7cdf3ce8676a57a73a387e8

SHA256
470931c25a3b1577974081ee934968247b79a54333b38f25b3757a29b75db995

SHA512
496039d214f641a3d0b80ac6cb02f0d47a570c144440e3eb18cb1d58ab57ed971eb64c01b97ad4433bb65642bf80a221540c4b81b6dd3c80bb8145240a942806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
431dc7267cfd25169959ab79f0636e05

SHA1
b68161a07fb50ab91dd57f03b34a92102993f23f

SHA256
db7b27a28f18a7e672a9ddca13fb0357b0fcd8fab31f97d0a99b0d6660a93ff8

SHA512
829c8bfaf362259735ae74f9fdb7609b8803c3cde0dd9728cfb3da230ca849862c4b73081d628bcf53bf728ba3c94127fb17d7690a1064861ace62e5cec03628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29e0b49f30a225e9d95864a9c6f8d2de

SHA1
57ccccb2bf4bdf4a9f16a1b70edd7551eecc5848

SHA256
97b4f051f3245e5d0cbd8543fe1964c64944909c4719e9d8e4b98d40c44ee859

SHA512
3585a90b071ad9e0ead3b1a386b507b9585d4df5a9157b421c42757665fcd951baeaa99497f36ab66be65cc1509a259cd86a268dbfdc83480bafd5e791f67d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b28a9c7ae2f5188749fb898f19095cb6

SHA1
ed644ae67458628fa3173e5a0360566d1f9e5a1f

SHA256
49501393d666ef30fd34ac4c2f9189ab64e8afcaa8b413215342dbeb8ed76811

SHA512
cb938ff24fe85c081f9f7a57f17e9bf824fcc6644681034858079b13bddcfc8bd60a821cb8f7886efa240c2f885a9483e7c98b56c85e4cce703f9d0c8e0838a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
15fc330d7cc5982b23434f199b7b90a9

SHA1
0d77d8890ebbc9a248e29ef53237c48d98dc236d

SHA256
b75f83e0855fc320db361ba14433f445701283a1063bf70dc6dc57597abdbb8b

SHA512
48663d652e8a78b20eaa6500b4bcc007cb973394dd6d31bf9e063877c00a8e20e5fb54947d844eea10cb97fad54327205c8d3a67b06717abcff9b9ca544099ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
623669a9c1f0275e1f2e67d255da766b

SHA1
3130b12e52f29c248b1ae60cb3813ae690539f32

SHA256
daf0c9e4d143fee79b8262e845233d47f41d7942a6d691f3afaa397672ddb7d5

SHA512
249bea6ddcdfdf13638f2cb16e6ef17860fe3d2936aa80fbaff084b58e50a32cee2b61108c7010f32b8dbad9e81c77bedeb2d27b0e06895bb826be496e3d772c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
57b6376b79bd48df8a688b5cb3fbb597

SHA1
75642aa9561adb60aa149be5d9d9dff9e53e4582

SHA256
891200eafd8670e9564560e9c190d99ee9b848af56b3066ad03c07e308092ee7

SHA512
4952032d38d4581b9819779efc99da451551433e44fb359b9a23b35dd58b2e4f5496b1809847584fa2993c380042f04b1ceddb971bcd1601aec065327a222b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A18.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B0A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2512-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2512-23-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2512-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2604-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2604-11-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2604-12-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2756-17-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2756-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2996-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download