ramnit | 196fcbf51683a56c54fdaf085760a4650a9515fc676362ded5e5f269eadd350f

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778ffb7ee3286968c0e87e40d139f5ff_JaffaCakes118.html
Size

861KB
MD5

778ffb7ee3286968c0e87e40d139f5ff
SHA1

48ea7d0664d6039d88805293ee2abbf0ea77fd27
SHA256

196fcbf51683a56c54fdaf085760a4650a9515fc676362ded5e5f269eadd350f
SHA512

035ea4a873f4f508f4875bf04a418831845f0f7ba422e088712a45fb6e1200562e470e824992f14b906a88024f47cefed4216baa0943f58f8048a128e3d51164
SSDEEP

12288:Gk5d+X3yBuv2k75d+X3yBuv2kK5d+X3yBuv2kW5d+X3yBuv2kJ5d+X3yBuv2kE:Gm+SBhkz+SBhkg+SBhkU+SBhkF+SBhkE

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2504 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

3000 IEXPLORE.EXE
1996 IEXPLORE.EXE

pid	process
3000	IEXPLORE.EXE
1996	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2504-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2DC4.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2C7D.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005c57bfdff8484a4380029e88af2e29e600000000020000000000106600000001000020000000b77dfb444bd0bfae24148f3897e73779492db4eef26d6b3ca469c5ee99bed43d000000000e800000000200002000000040145fd21b5d05aeb3fa2ac0042eb2e4723db75b28fd9099e8b272f6934ccefb90000000c74cb7c4b5d90fdf64250a8d18287d7218cdc8a1c00cd721d4424e96363317bf3982c1b97fd465b2df31821b78a0ea65d17bc98ecf36d6a897708728b9e0df33ccc003cd5ffbb9ddeb30244fe5bce2d5c104a8988ea77f18225efab072166684373f7a002ae1c3696271d2e7081a748e2fb564048736b7dd0e7e7f9c7cdd79c24cb80a2eaa78ef8c135b17985bc24eb2400000008585a0c7da0f73a482a7c6dc28dc36a6e7ca87fa3565be8220fa628fd10e574a0262d7dc3522297a32419f3d877841c48415f3a0f5770340a80cb2e5dc6ecec4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005c57bfdff8484a4380029e88af2e29e6000000000200000000001066000000010000200000008ca3ca63302e294605da80b2a69b605dd4d1384d8821f5a8a1afbaf39f939294000000000e800000000200002000000035cfb43105b5e37ceb33082a36acb2f4406e22928c5c16cefabc6c9f3e7eec9a2000000089c8c7ae55a3194359378df90ce174ff92ab6cef2a779c1c9a34ff60207bdd23400000007cb7c1fd36937b08db225f627136a1d8c80126dcf6130f59060bbd2ab58c51eea029641dbca46ddeb85e85dc8f8f715dc338dee8d5d726a4149b2728ce0467bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e612f1daafda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422937621"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BB84201-1BCE-11EF-B2C4-6A55B5C6A64E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2504 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2612 svchost.exe
Token: SeDebugPrivilege 2504 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2612	svchost.exe
Token: SeDebugPrivilege	2504	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2208	iexplore.exe
2208	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
1996	IEXPLORE.EXE
1996	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2208 wrote to memory of 3000	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 3000	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 3000	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 3000	2208	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 2612	3000	IEXPLORE.EXE	svchost.exe
PID 3000 wrote to memory of 2612	3000	IEXPLORE.EXE	svchost.exe
PID 3000 wrote to memory of 2612	3000	IEXPLORE.EXE	svchost.exe
PID 3000 wrote to memory of 2612	3000	IEXPLORE.EXE	svchost.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 404	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 440	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 484	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 508	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 612	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 688	2612	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:288

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1076

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:1320

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1808

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:500

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:508

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:404

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:440

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\778ffb7ee3286968c0e87e40d139f5ff_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:209930 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e848ff563838dc2f0df2800167bf4ff

SHA1
2130bb0c16b5d0bfca870a6bb8b3ce070c2f0bf7

SHA256
10e68c62a722da7f90ae7aa4d97a09cb32974f1d5bf4846ff1a30fee2fe32547

SHA512
df84af5b6bd09216078e070e066ce48744aae5f949b1377271860e5259508f870eb647eff9394f2203ce82ace2c126ae2b3b819e71514e55f17b56574ca4bdd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2c97edf48e3a4eedf7ad2b6571ab899c

SHA1
ef74a296fb3e63244cb39b07a89bd3712c3f1360

SHA256
5efdcc80031d5198ddb5849844cdd84eae7f2972684e743d527f003a664b1e79

SHA512
493e83a450ce03106487a23958175ef9d7487b84773c566a5da882fc31239ae9467ca6e1831fe77af076aa0549ef02ee99ba3dad5888f79e455925e45992d0b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
17d4862e2998534416b9b5b21fb2c131

SHA1
3b51b424dc9fd5a42dbbcdbca0911384b841de4d

SHA256
06b284341ca25c8914fd9eb4b6073f788533fa255712359f5251d4428135ae56

SHA512
3f1833ba3cd85b008e55b85040748b6bad258ed58c94ddc7549b318d296054ff18d4b33ffc6bfb0ad81903b4b4f24c37000f9f078ea5122bbc5b558d3ef59653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f98039482b1ec3d86327f94e1a345d01

SHA1
8e107357dca82656f417271f3f9d9a7475071589

SHA256
672de4784b6318566c12db9f5765cdff46292843657706a6b7bb3511c5ed0552

SHA512
280e02d32802e9c99b05dd7ce05e8d3ed19519c6a02c62c892fd1fd3a509db8b4338b4c4b5c4456279f28a33e9596e558b40c01d5e317e18efffedf5741ca48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
396ff906f33fbe346553b7b1e8d649a3

SHA1
ff08d03c7db3f641292d3744443dca3eeef1ba66

SHA256
7ada692955f4d5cf468cfcf090b99a1490c01b50835e0dc2e1fd987b792bf63a

SHA512
2f1b727f2ed8ca032895ada0e4311a1de894bee73b707602ccd123780102b49281930208dbfe264f410015c04bd88f22048c3f7d271ec6e12c9ea0db85ff6cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
772efa282d9cccf3b98a98269ca4de2a

SHA1
90ec408f3d886ddf5a77606e0368cd66f7846a23

SHA256
80100cbaab4c54d6395c6e8ea0ce02dc5d81fc74b506c48b4e08445893702e3d

SHA512
d3c690f447efb77c5e14a9b4d9d05ccd9486c81d956ef1354f6b76e7b9f49a299bc59b36b10febdf9b4988e0e6586f3b430659a42a1e8f31345f1ae485070507

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cb20ce1b393c412cdb9411ab2e7e8249

SHA1
823f16deee286f66b48845c2516f5ff79cac3dc8

SHA256
72143a8a31f1c1b9f9f6895f8d4aef007e9f403b9ca75e52f51ad0b1ea6544e7

SHA512
f17b5e7db517f30b98d877d4f5091556e9986e73abddb5e7ec4eab5f60e360a9ed01150a80036a7ce9172ccc3d765e7e7e251cb5f4a1aeef65f3d967c3d6880a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3de1cf9bb67c2a52a380efeac9c11e12

SHA1
6ec02b90ad003a0acfa3e44e34379a5e3afc1d57

SHA256
92af07e27398f6c212622ad6a13f72e308de7b4ea4aa1e04bfc224b690457f10

SHA512
99bbafba7e3b1e93ece030ecd900e28758af0843b0bb55e0434e72e55efe785d2f0a1381b2c06466a6c049808dcfda98e6118e7198ad23f0c3552d6e1d86822e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ba9ce598acfc31a68982fe623754061e

SHA1
aaae46365ecddc58d758778698795c33e5ba80e2

SHA256
fd8bfe71ea1f4945c2cf86f5260badea9cbd16d4eb9ac5c219c0b4b302b1b7b9

SHA512
c9a14c3565a703e872e6a125bf42115db001cc88aac92f443d5cf5074231aec9ad5f932c8b21aa8bee6f4c5593aa526fc11867b3b78faf99c3636b059eb7267e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bbed4355990963ee48bb73149d06fc04

SHA1
7b19894cc58673527059c3f53be2b7f0d525c773

SHA256
1be5c38c74094c594fe3959aae83358eb8723a294f6e99d3729db0278239b5ea

SHA512
a0768d2d761fdecea55ef625af081c66794fb709c534a6fe2f1e793df080c91b72736a0a672c8af70fe4d6c839dbb23e3457d63cf80fc2a760e377a37519820a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e7a0f34267401a5cc6081a3f0b6d9e05

SHA1
d75ab0c912a7fb51b45d751c215b92ad09b3e081

SHA256
ebf4cbb662d10053e4788259ef692c4a0a26ac2f1e194db2c62760b084697abb

SHA512
886b20af48237fc62f2b93be9e934461d89c306a84ebb74232265d908e204e5a918b2ac066724b88a50dd09cfc3a80a25689a07c3f3ee18b8f6c13ebe23a8315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cb7bc8df7e8558fda4313c324f0957f7

SHA1
c32e324531b8b18ab7127e453ae9c907e3ddeaee

SHA256
494e23b6e291ac5696164d3d79c1a80f8fda045e8f27ecd8d39c6685197dd0eb

SHA512
1e88390a2924ccf1b222471ba39a623f330acece38b6bec3428bc474ad770ace99add4837904efd479307b5b556641b44de2008e132761b53c1140192e83d47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5674b36e6a0d06a5000e410a92da900c

SHA1
975b9abd702fdf30943860278ffccbec967ab6cf

SHA256
203bfd4ae9580e343b31a351944f046530a8e91c2b824d8b868014c0ac7ac5d8

SHA512
35d0b93dde9bde4dff40a60803be04206e6e10df6f066ee4df6b5613341468220dfd1fe9a45fa9fc8d296cf7f0e5cfa18537db99fec0d9baab5641cbf7f48e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cbbf51b6f66df776e4f6f888a4e3c572

SHA1
844b59ab57e948a750608e22e0fba901ed516eee

SHA256
c9203202156b1c12f507fc6736df21ba6b5423edd2f3b88a7c5d6fbd004cbb52

SHA512
c2eb7f106888e6557e01eb1f191a812ffe9f632e2aef5946d7bd2b56ca407e014c5bc859542b31bd5f1a14711787202d2baf19119e54e1f23c5a8805d05a5e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
223852a1f1656e00a2ffcce49abdb803

SHA1
3cd19753d7b3e669ba70869d23c93c273a991217

SHA256
a67e4860e89fd1204effb44d80b380b5d4589565a3f273a87cb677bf734ace9b

SHA512
b0320d92a91f47dceb28dc32644398844d6260017e41808887eb365d0f0cbc2de21d10c75a3a06a552b582997ad5dae1299750fd923016565ea6aac811f22f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a9d5d6a8528e4a554b2d008c2e7dbe8d

SHA1
0fda1508fe01eeff9696c6cec26ce65d2b25232d

SHA256
18c60cf87d22e6a690af07994d91d8be4f090aaedb974b121a36205c8954b2aa

SHA512
23d4d8f405bb4d2a91eef4148e0fd053a4756555c90b9685872c0f6f2296eb4dd989b41753463acb208166b0ac0bd3cfdb072aa2c671ced0311dfa3fd2d7d904

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab459B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar468C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
f178aecc5117a220065b3d94d03d6e50

SHA1
823aed599fb78de47c45515da1a6a45134e62dd3

SHA256
0371e96d26d11993c7dea0d450f5a70ac51ccbf0c95e8d8e964a57cbf9479a65

SHA512
5e1e068bd5aa1afbe88d491f20194037358d01ea9b8b17ec0cbcdee009020092e55daad88bee74461beaa58afcd2b0e366368e09ba7324805850b6eb20e14462

Download Submit
memory/2504-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-9-0x000000007765F000-0x0000000077660000-memory.dmp

Filesize
4KB

Download
memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-10-0x0000000077660000-0x0000000077661000-memory.dmp

Filesize
4KB

Download
memory/2612-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-11-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download