ramnit | 2c7c7e151825f944ea12e87c26710c9b87d88f766a7974876fcfa08c5d18bda3

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765b609bd5331636e38166bff19c84d4_JaffaCakes118.html
Size

236KB
MD5

765b609bd5331636e38166bff19c84d4
SHA1

0e0a751ed1b5f055f02c19afd6b29b16cea064bc
SHA256

2c7c7e151825f944ea12e87c26710c9b87d88f766a7974876fcfa08c5d18bda3
SHA512

434e5a059846c72df52fdf7182be3d12e7790d73c225c94c948e67e12b4adc7c3485e718bb55e8178688110fafe1f8329636abc5a5bd6f985f1807009bb713fa
SSDEEP

3072:SKOyfkMY+BES09JXAnyrZalI+YuyfkMY+BES09JXAnyrZalI+YQ:SKrsMYod+X3oI+YLsMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exe

pid process

344 FP_AX_CAB_INSTALLER64.exe
1660 svchost.exe
2768 svchost.exe
2592 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
1660 svchost.exe

pid	process
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
1660	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2768-565-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-562-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1660-561-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1660-548-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2592-569-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB8C4.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB8C4.tmp	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET1A44.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET1A44.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000046c50ab8dbcaf43559df4580817a225b3df63733c4834c62ea8bfb3f15f20c46000000000e80000000020000200000006cedfadfe5a5399c5ba02b90e0b742aa7bf3d414e2de8ab3311617fbdcf4e82f2000000073a151322d46ffdd7400e9c3611edee4b77c19d5d34e2b97c53c239db9f040994000000000da8aa94f2195aff645899dd9107b9071488afc52ba96baf9279db5c5eaff640fa1e095e971dc9c300e79a6ffa5b6bec02f7aca9406977a5815355535c18741	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422908781"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6E329B1-1B8A-11EF-99F9-4E559C6B32B6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02abdcd97afda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000248f3514559d179fa73bde484a8acae70c874d73a0c5bbad418658ab759bef01000000000e8000000002000020000000ac6e0ea9278e27e4ae8d8a435d3e7b5214dfa216c89bd0e92ee6db8c71a92ce390000000997257f9bbbefe0f2ca24c05ef4a06b3d95ba77bd4b3fb87bd4787b74a85854a790c50a5c16a60e68e4b4d56b2fafdb7f95591b0d3cbc5d851dc6856e026ff8c7f73e6cc767e5220ac2164b0ae27f6d151c82c88019e70901dada3dd8cde9f7fb0c22a1020220c3c92cc59e902b4daea84216cdc10e87b3511f37ede4b6e27ede5f2534baa9af0e31153e8ea6306961b40000000ec07c081b76aebaeeaab86e2ed27d59b2619e4abf745b7dca97c14d7e20612d0fc7747503d9cb2a68efe0a04e0471f2912f969d30de013d9d26bff7d3932a403	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid	process
344	FP_AX_CAB_INSTALLER64.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2592	DesktopLayer.exe
2592	DesktopLayer.exe
2592	DesktopLayer.exe
2592	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2232 iexplore.exe
2232 iexplore.exe
2232 iexplore.exe
2232 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2232	iexplore.exe
2232	iexplore.exe
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
2232	iexplore.exe
2232	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2232 wrote to memory of 2988	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2988	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2988	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2988	2232	iexplore.exe	IEXPLORE.EXE
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2988 wrote to memory of 344	2988	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 344 wrote to memory of 2380	344	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 344 wrote to memory of 2380	344	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 344 wrote to memory of 2380	344	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 344 wrote to memory of 2380	344	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2232 wrote to memory of 1584	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1584	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1584	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 1584	2232	iexplore.exe	IEXPLORE.EXE
PID 2988 wrote to memory of 1660	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 1660	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 1660	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 1660	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 2768	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 2768	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 2768	2988	IEXPLORE.EXE	svchost.exe
PID 2988 wrote to memory of 2768	2988	IEXPLORE.EXE	svchost.exe
PID 1660 wrote to memory of 2592	1660	svchost.exe	DesktopLayer.exe
PID 1660 wrote to memory of 2592	1660	svchost.exe	DesktopLayer.exe
PID 1660 wrote to memory of 2592	1660	svchost.exe	DesktopLayer.exe
PID 1660 wrote to memory of 2592	1660	svchost.exe	DesktopLayer.exe
PID 2768 wrote to memory of 2784	2768	svchost.exe	iexplore.exe
PID 2768 wrote to memory of 2784	2768	svchost.exe	iexplore.exe
PID 2768 wrote to memory of 2784	2768	svchost.exe	iexplore.exe
PID 2768 wrote to memory of 2784	2768	svchost.exe	iexplore.exe
PID 2232 wrote to memory of 3008	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 3008	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 3008	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 3008	2232	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2464	2592	DesktopLayer.exe	iexplore.exe
PID 2592 wrote to memory of 2464	2592	DesktopLayer.exe	iexplore.exe
PID 2592 wrote to memory of 2464	2592	DesktopLayer.exe	iexplore.exe
PID 2592 wrote to memory of 2464	2592	DesktopLayer.exe	iexplore.exe
PID 2232 wrote to memory of 2544	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2544	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2544	2232	iexplore.exe	IEXPLORE.EXE
PID 2232 wrote to memory of 2544	2232	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\765b609bd5331636e38166bff19c84d4_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:209932 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:603151 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275486 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
906bfd4fa5bb9def1e83550ea91ffeb4

SHA1
222710d68aac0a886743c46c7c554522bd2db202

SHA256
756792919d1293b51eb8ccef3b0b8e964639bf4e3665bad5f6d7856608b92d30

SHA512
126e85e216831690754444d59131e6c7f841553191aa19146613d97aec129c9f543bd13ea710ed3e10de5c2819f9bdb1c9dba34fc34618955a73b8b241a36edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2087d1ac191f9ce2b866d1e04b310000

SHA1
b46ee75941ef9384dfae85c54931e70187ef034e

SHA256
7f3c1cf4bc3858fda42de3eccce7a46b3d41054dd932b0a53197452b72e64f7b

SHA512
bf312c7d040473b2ae10777a95484b4a882cebc076e370c4a0387d644758fd588f7ea7d54b32002a541fac2922a2d39770deff78ac6c2c100b88cbe6125243e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d59f624252fc4b91e8ae02e023ab5e51

SHA1
d9c1b4362ee2793ba2050dcd19fc02efb7f86553

SHA256
217a5ad7e64bd0c10cec3bf9e4e9d39879126980fbd5335590c748ea2e364bb8

SHA512
8b1f659f83008540f5c0949d5947972f0d7ec3f64d7190090c51654cb4681c55be010451db4c9aa301c7bba0e0f410d29cf58001f63f1ff8822adfc9e35f539c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
147de982339527ec68a86204d71adfba

SHA1
8c1e0b38b902fdef8341ec7abef1ba63ca56b6b7

SHA256
ee5e0a76a02e6ceae65a00962c59c48741858ed3ae20dc69851e1b2337c78abb

SHA512
bfcc162dbefae05c9e836232ba1d2c9fc11a6e4cd8b15fd3e799ae915425e49ecc4886ad14d0811910c1961b0388dc49a54161258f64662094f7a789be58d71a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a92bb5177dc76f3ca7e72c622c63ae90

SHA1
3a873b45cf228c2f06e3d46cd47cb3450e73d195

SHA256
00f8400032d7455506d7d46a5b039edd3b34977c01c8b4e41111c03a04e47d45

SHA512
87d5bc142e1dbfd5512b74e20b8ae6b2d7347129857c5bc700ab6c24227ca636bec443f965bb5547b20fbccf2ebfc6be80cf91c346e7c4afcbf5c5c1027c1202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0615d0d443a016a80ef34e8375ac50ac

SHA1
516c2940b5e9a64fab9ed0a07b528c39b0fae6d5

SHA256
c15f869d42cba8f86447f2e7b21a6957029dea9ec51f2522dedd55cfdcfc44dd

SHA512
070a9cc0f51c25405fa9b82bf546e47b8cdac9a88f182e29b59e5e60f0057a8588be0cb84264218fa62cd1a7c5b7e71b572d383d113fcf49a6b40620b75c59e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e983e05e8fce2656f2cc1f9cdb24b145

SHA1
cbd8ccb310cae092c1a8e6aae2668a5894cb29d9

SHA256
108d5b330f4fe9bee86fe3f561ed4c77e9b892ded5c11e77a786204fcc93f21a

SHA512
56a8e7e33d460fc9e34e1fcfd5da656afd19a108bfd8b67f41e9d81c287d0f3400ef11ad89a98e1875ebfff890fb0a507a083bf52f32d3601659727f700d5b80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
816c22794a01d8bfad3d2653d161f87b

SHA1
88641977c336d352a8ee8263d65ec3c1abb38097

SHA256
07c045a15c520a0668ba9cde2c33152be0f86a9a2e4be4322d70d22b6d5f2398

SHA512
f79f263944b6eff256f33193cfedde0959817182fc1e89887927a5e1687856c1bcc3be4e1305d3aaed3efd309dc19b713cf65e1457012a84a31e46dba3d1ea99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4492aa14e536fdd629d00b9050211103

SHA1
65ae5fb082e9d41d6b4d4f810333a94f42cbaa83

SHA256
31e1f4fca3a650fc97b7b9fa6bc1f6d416f38036572d61e97dbf419e3862804b

SHA512
980b0222d3cd5b213c058f7573da3aebf2412045c8d15ec2c46c35a5fe6877cb3307088f97277a0c4e34acdd2b8498f9cd0555b8ec9353189759ba0d3bfd195c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
abbf194f1703be64051b423cff725027

SHA1
cbfea3b1d296f5a4d8863a85f318b6f74f3d6fac

SHA256
09e578cb712bb4ae7cd0a44e8ac57a1750f0eaa68689f293ae74e7cf7ed399ff

SHA512
a762931ebe5712c685de058902919646f6f334c7e3799660f6efa2ee1c894944b1591e9e74cf967bbed9b202e5f2968b82bc529e1069bb0d415b3ef2758e7aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f22eb475edd81106ee392cc6556dc591

SHA1
b79a21145af673567af8a8206b958ff42aa1c9a6

SHA256
f9a430f1e97d8b2de9951cec52e17d784a5950d7f7548551b3ba590b172ae1d4

SHA512
b66b3f6ad94d0ecbe7567cf1c3557ef0e5654ee544b3a3880ca024262556bc8c10b08bbbf9cd5e90fe0702c1daacf4bbd45f9cd0b23c24ed7ed2bec357e3693b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f07970e8dd2e265da72a9120125217f2

SHA1
90270cbcf076167e43a56679fd5daeddd6ad8aff

SHA256
1d2f5cba63bc44d409e1851c105ec2996292dedae5fa8ee8dc14b69fa6c9fe08

SHA512
c28d9929dbf72e253f15bb8c44f930aa6f61dc1a9e541012c7b1ff80e211aa6e7895a5fe22e61bd91ae18b47902a4391d9db7ebf121a60198e073f9771f2b7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8adc77d3b6cd09256c5f70bdf1a4b25a

SHA1
8639f1cddf2fa20d7567f13516cafdf3bfb45598

SHA256
24b7eed10e07784d9a3ea74be48a6c03d313cc8881e284059e9fc8f9f4297363

SHA512
2eecd0fdcd5e9bc8a7e3dcc24d96960e90bfe33b7086aae20e6e1b07b95727403658f882089fd587545d1171374c998b30199fd53ace5766b89ccdc2b61d30be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
769c0fb00a0f37671b92d379d9a768d8

SHA1
8824e7c7f5298ab29c776709766870b5c6110882

SHA256
7084879e3e018ef6aa65347b0d9da98d4be824bdeb03500233eda34dd44db181

SHA512
706f7c581c5963aa31076a74766c23133f7052b8b24e32ffc0463cf8ee8d3791149e645f289d4fd4bc3852c878c20eb4fd182a1a3799d31dd47375d63239f648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1248e471bbd6a6e94ba1601356bdaf86

SHA1
26303dc713e8cfd07ac5d91f3726a2329e04db0a

SHA256
a3e5133fd1041832babdfd62cb67356180a308144c6b80013b693fe4f04d6480

SHA512
de06f1e16007ffd436ad3f3f683df59e2a0b37352c072e454815b3c9a0c7d70b592e6f97392f2520c3a0cc4d1db183a544b6c33a5593fbf95e339f67d7e29040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1bf18384723d08af189979004d14acbe

SHA1
275a517e4f98e320d18d7d124d8e438f0e24cbe3

SHA256
1c76b475a5978cb0ad3fcbad09e4f3b20bdaf87d2628acebc61f31871faef90f

SHA512
848f9fe9df208a6a6d5fe7571b76f48b60bf4f12a59387d7804a5bfb63cb30a99790bc48a6ab2629958075719d9c1b14186d031d6519fb4ca103135a7c18fe67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
622aae1e578f955172f00a205532ee9e

SHA1
39ec56f27cf7d1ee99995f7a68ac3c9cb00abb47

SHA256
2f60a7718ffda90fe286cbb689cdbd55f8acefc257d497a068070616128df8e1

SHA512
315e21b11eb07616571d679f9c342ea9e492c765fb26a8ca340614c82f86cf15990297890be21b3a037bb69fce9eef98cf55929ea06c0186075098744abcb693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1da30657134329cf8e04cffb4a0968f7

SHA1
b06035c8442ef02cf01578813c14fa6ef5b6fecd

SHA256
b3858ab58443f9d1266ef87875f45599270593bece71370e16effaea44a70789

SHA512
6ddd4fe18c7067711e396e1e77ef7a927c11e6057393f6bfd5da3bc18f7d77de7c9685734c751adc6bcdf0f70b9a915affa9d9c5b55e58d63225fadf637b999d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4e91c2b1c00b3df97a9a7f0974987507

SHA1
0b4560b060d8c5a58d99a6cb4ad89bb3e79f919d

SHA256
d375b04400f4c4c9671b0be658c7f5b85bfc8d4e51127c6ae5ccc2d8a07d314c

SHA512
22d625a23f7e3d77088a2126dbeb51973c53a7289dd2954424631cb58fce6410b2319915d0984a2b81caa185994dd6a5e1652d627ba04a6b1fe88c3a5d2522b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bd8010645397badf089061c1411c73c9

SHA1
27f331f41688ca8da794c648f1513125a9ef774d

SHA256
c73b9fed8e5aade861614fa8bf4dd649f4398faf1c21c682468a9e49a4e6a318

SHA512
45c6b0542eb6c037120fb7ab6e65907a9a309e72523d9899bf96e424200f31ea3984f6804454f9fba584fae38405ec31dce1d4eca57f30a82065497c61ae2d4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16e34520f064bfecf4cf179830e3cd3a

SHA1
69551b3456e07e9aee6f102c5199ac68e8acf1b2

SHA256
ca06b525357333e726fb049d66aff85d409b7269d084d4750c74c71a1461e7e8

SHA512
3d328f1e0cf826b56e2f448c69aaaf872154e945b20a7b2db5a678936078c5e2b95aed0524802bd25c64e309209e1dfe7d47c3d67ebb94b8660775fcecbecb4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1392.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1422.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1660-548-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-560-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1660-561-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2592-569-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2592-567-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2768-562-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-557-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-565-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download