ramnit | 97fd0a0d478e7e203335c2a6ef301881ab601a8007083413551127af8b315812

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8007efb864f1a4294904b66d22460444_JaffaCakes118.html
Size

134KB
MD5

8007efb864f1a4294904b66d22460444
SHA1

86920e2e71e77970b6d16549dd44d17754ccd74a
SHA256

97fd0a0d478e7e203335c2a6ef301881ab601a8007083413551127af8b315812
SHA512

e84e960dbe9707be126678cdc570c6a61498e4d881aabd91daaaa839b743c8de02c4d14c9714594a0a8a28819c7bc2f2d488bb250e8ad835db02ede0e5fab656
SSDEEP

1536:S83aoIU4yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy+:S8T4yfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

472 FP_AX_CAB_INSTALLER64.exe
1452 FP_AX_CAB_INSTALLER64.exe
1452 svchost.exe
1984 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2736 IEXPLORE.EXE
2736 IEXPLORE.EXE
2736 IEXPLORE.EXE
1452 svchost.exe

pid	process
472	FP_AX_CAB_INSTALLER64.exe
1452	FP_AX_CAB_INSTALLER64.exe
1452	svchost.exe
1984	DesktopLayer.exe

pid	process
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
1452	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/1452-819-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1984-825-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1984-829-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBF78.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET29FE.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET29FE.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET2491.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET2491.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423131552"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ace7cf917bc264da270d097c498befd000000000200000000001066000000010000200000007e42e43c00ab31873a38866f6d430bc2869cd7974d7bfb09055ed6bae39a5b29000000000e80000000020000200000007679a6f05c3f81481a546664381e0cafe4583d721c0c7e14bf3b7b8f0100b82a900000003739f6ff8e493594f2f43d7fdb30f65394518bd6f4141db41af71644b6f451072a1c11242a9969270c85d2c307ec5ded6a1be770de6fea6b46dcc6a560c78d9f2f17db0d026d47081049f8954bfd7d344152850f3cc6fb48d314669bec8dc92768a59622cea8ac626882cff93594c73d2b5fc4716483307908bb663c231e8326157aee5e0d739728cc71a17f7ee9da3d4000000045f9423ba2502aa1df166812d85d059ea59efd737be7216460229f80018c269f14d4b14998c62ec6eb27219650548d7d8836101ae4fa82e6c6e6956b411bbf3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4BE6011-1D91-11EF-8AAC-6EAD7206CC74} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ace7cf917bc264da270d097c498befd0000000002000000000010660000000100002000000039f95f0d88a8251476b181881788398835b715c26180639e2fdcac198be19ab7000000000e8000000002000020000000a5996d76d6efab6a87eff4b00071e50f8fa853eea0fc197e5ebdb6b74c9b5e6a20000000b9b3c3eee4f75e31a9437080e7951794f9411dd4663aabe751e4d9e68aed08844000000044af7e2b953b047e107f18e130a0201b18c6b31754e0b79c7c91075766ee775340385f6a0477261f98dba521fc78a4c3afa354b8d842fc9a2549e132b29e422d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403f576b9eb1da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid process

472 FP_AX_CAB_INSTALLER64.exe
1452 FP_AX_CAB_INSTALLER64.exe
1984 DesktopLayer.exe
1984 DesktopLayer.exe
1984 DesktopLayer.exe
1984 DesktopLayer.exe

pid	process
472	FP_AX_CAB_INSTALLER64.exe
1452	FP_AX_CAB_INSTALLER64.exe
1984	DesktopLayer.exe
1984	DesktopLayer.exe
1984	DesktopLayer.exe
1984	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE
Token: SeRestorePrivilege	2736	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2848 iexplore.exe
2848 iexplore.exe
2848 iexplore.exe
2848 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2848	iexplore.exe
2848	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2848	iexplore.exe
2848	iexplore.exe
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2848	iexplore.exe
2848	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2848	iexplore.exe
2848	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2848 wrote to memory of 2736	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2736	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2736	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2736	2848	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 472	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 472 wrote to memory of 2308	472	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 472 wrote to memory of 2308	472	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 472 wrote to memory of 2308	472	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 472 wrote to memory of 2308	472	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2848 wrote to memory of 2284	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2284	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2284	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2284	2848	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1452 wrote to memory of 892	1452	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1452 wrote to memory of 892	1452	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1452 wrote to memory of 892	1452	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1452 wrote to memory of 892	1452	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2848 wrote to memory of 2192	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2192	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2192	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2192	2848	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	svchost.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	svchost.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	svchost.exe
PID 2736 wrote to memory of 1452	2736	IEXPLORE.EXE	svchost.exe
PID 1452 wrote to memory of 1984	1452	svchost.exe	DesktopLayer.exe
PID 1452 wrote to memory of 1984	1452	svchost.exe	DesktopLayer.exe
PID 1452 wrote to memory of 1984	1452	svchost.exe	DesktopLayer.exe
PID 1452 wrote to memory of 1984	1452	svchost.exe	DesktopLayer.exe
PID 1984 wrote to memory of 2420	1984	DesktopLayer.exe	iexplore.exe
PID 1984 wrote to memory of 2420	1984	DesktopLayer.exe	iexplore.exe
PID 1984 wrote to memory of 2420	1984	DesktopLayer.exe	iexplore.exe
PID 1984 wrote to memory of 2420	1984	DesktopLayer.exe	iexplore.exe
PID 2848 wrote to memory of 884	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 884	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 884	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 884	2848	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8007efb864f1a4294904b66d22460444_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:892
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275466 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2284
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:3486726 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:3879950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
aaa8f8f200c99399c755f31470f497e3

SHA1
b971c51d87fdf6b6988b9950755367f69b69dff6

SHA256
fdacac2d9f57b14052a282236060c61dbfd03e1e8458df1441ee330fa70b72c0

SHA512
f35b9f2f9697ee48db233d20342f50824b38c54973f7dbada3058af9fe4ccbcb14d26355ecf8efdae9a7c1b9bc4088628634c74db810bd537640735a7bc1b596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16620f9f75e383da3490acf532d32e57

SHA1
c998545a58f12490b07f6f0efd04b625bbcfb903

SHA256
45ca3a1746f1397e9ce112cc480e739004a350327303983e3e827f2094402812

SHA512
aa2f2a1e87a23d69bcfde8267d3041741d301f96bba4b48a1723403aa56cc37c652ebe34ca124e4f1a72d3327c416bf82fcb94b3257120085e2a8e4f83ed1ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5f2a154a6a6f7894b5b35c6e5d83dcc

SHA1
d11b4f2e16e59a7862c76946a7b0b81d14d454e7

SHA256
f7d38356bc94e398c35fb2df34f77e684082348680eaea3d31c3bf8245837bd6

SHA512
298a3820e07ebdf302270ee480e3d4e626d0f68bef7bd93d708bb429dd08443d84734bb1ce3c97b7ab1cf88b0c1daf6893721268a7958be963fcbe16c340bce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cbe455bb4c02a6799f93f3810b5717e

SHA1
a654df53954dc3bf8a0af7da542b7c2c836a9b56

SHA256
87fa2bc8a82b6b8ef1282226dcce6cf04a6f7a290d0e3ce7295d6aaed497d5e7

SHA512
aaf4929ee9c384eab6fd51fd193579422472acb5f3459021bbe1746a593d2c1931e00d190ad1dc0a46dc082500cf0a8db8d8f19c91bcb488bbf69f7741a9c644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbb927785d3acd5b9fa83dfa840cd552

SHA1
ad8eeed53c31e666dab773a60c5652b1a028bd3a

SHA256
c870e453a0435b223a30c0a3c8535a799a30d0b60038b1129569aabb88b16470

SHA512
920beaf6ac5a352640a9b7943577725972c73c592aa7911d550a32fa131a343c1aec2052a121f49d876784de4116aeb7f214f90263f03768742d12c77b3c2159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5601541872cf37bc6ddef8e8a58c0f2b

SHA1
588f6ebf9b8cfedcae507d24a24de337f8aef0e5

SHA256
8f0dced06068e8269b9b0ddde5d559e57d2643ee4acb2c0e6d1b7e5c4aad5798

SHA512
7db883c5fc895076b4e859abdcff23149e1ca2fad42df5aaf7d5b703432728e4627d36a7f4ef04dec7be72f8a357a445fc7b67bc4a3437fb0469a4dd5b4515d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b42d7a375edc1f1e1623ba751b53495

SHA1
5e9ff58bbd4852b2d88d3357e106f6885af1b900

SHA256
af511a5210c3de95ff363cce505ff92ece77d66818ab75212fb760946d88c9a4

SHA512
b4c22dbe05884a35dcbec5c990b715128b35795a08d904a7e0e666f97b111e8ecafaf9cad0c54e48d74171fefcd7bdbbc7d5351e9f67727b17bee6631b40cbc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93d73ed8db2fb0a15cdbb7f84215b23f

SHA1
c38b5a49e7cc7160eeef4e56f823abe6b2560217

SHA256
e3a4f4d39df4571f4c1e5d2c8025ba29705d4c86f1b9d59d7b68c448c2e9871d

SHA512
ac12499cf5c5c7c3a85e7898c0045bfcb6e9aac5e3b93f98b8d2037337da1cfed62a9353ab38712d4d686bd785f793e38dccb3afe85e7a2068acfa37a4e85eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acf32b644516d369ff5f04020e0f0fbc

SHA1
ca7d5913e15e6f848704bf3914082ba27d506ba9

SHA256
12fb8a039466410bcdf3434238c6c72e86c9a013589671442d5be791814b616f

SHA512
4f2517dbff79991a0bc605ffc349a35bcf1e2715fd7fbeef1b878474efb9d373f64dddefffe99a8f8cfc422e3ffb3184b6382861713c3980fadcef0dbac167cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
746e25b9f3b97b449128cbfbd827516e

SHA1
6cbbab0f239e3a9aa7d27bdb987230bbabbd9f17

SHA256
65dfa46a8790518f854d7322093ef1f57a2d5958866688c2d40dc63c2d711ab0

SHA512
09aee536b2764f449119e0d26ba4fe8b361dd51e01b48e6d842ba101c56369e0af7af3bef15dacc9852f87902eb1f59e50fb9d3a1eaa4812e1040ef84306b5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d81a8e591ad91714f13efb1770b0bc

SHA1
841c03ce2b9b706f4d9464e6fbd72641c220ac91

SHA256
5c4745dc633e9e7051eba2cc9abdd752d8017ed3d4f753eb1a836f7223bc9ef9

SHA512
7a56d83025a26ceb4817602cf276e3240bfaf0cc56a93d5713aedfef336dcae87ca6a9f9548efc0cc77ba22e20829b4626c21822132cf49aeb3f19508f209d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d967d9989c7e222d1666fbe8638f022a

SHA1
fd3b84166683d2799571e39d386e938111191996

SHA256
08846347aef0cb7a9af1a4e120eb4e2b9775f2a6dc5830e18035d8eff1b0bc0f

SHA512
2f22ac27c8edf94b71f99bac05b8257e2db986d42bcb938889a7e02737c5b7dd118a808cdb0249a3ee65c4cb9920789653abbad5dbb1f0a36b18ade510aab84d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3ee2d64d54a5780ae4bb55d4b7b1169

SHA1
a8de618e3ccc46628417b696431051c3efd1ffe3

SHA256
4e0b010cbddcd431e14530ee37fbbc165b9c8aaa1b10eb9a88542b0dc52b07b6

SHA512
084e62e46342e55788a8361f9e7902ad53330bd7895611532075473ba33fbdaeb78b09084732bf0ec4611bda2e16be1dd28eca85c1cfde4cc9de2936501e50eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a31434ee86378935f2c13eac18e551fe

SHA1
263c2e49565963f556ca90e7e20f1a5e2611ab8d

SHA256
6487f08c1c900354b242f1b12ac7f0337db4b59fd0e89e1816482401aa5e6f88

SHA512
32fc97b9464c87f0f5a52bd6cdb2dd261226d1776a0ea548691ae7d52ae5af52be1fc5976e0e71a8e424a0b16063253cf0852631afcaa3cddb9abbf45eac8396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b83ba185917025283e6ca563bb51d0ea

SHA1
56b03d9283c9876e562b3881f9fa9f7353f6cf55

SHA256
8b1a57e3ba92eb132fef9ba94de0d5ab227ad865f4d9c53da48b84dc2b237979

SHA512
cdf0b3109b32508515780cd56238a83db008b2b95ddc3f5e98288168f1bb68c4a6105f40bbb22df0298528ea20cfc6186a9a227772e4670ad84a83c8fb8f9776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86ccd5e92497d981b068d7d8a1628aeb

SHA1
26d786c05d13c6baf845bb2c9ba6410a489ecdd7

SHA256
6d7c35e37722a97ac43be81cb600b414172bbf26e608f93cb157e3f8ed22512e

SHA512
e5b0e7b1f9c22ca2b8bf7013e613eca0e141a4978a4356b21d3a2e7e13a403d06c2f263cf1bcdb9969503ac893774cd33f0380c36423cb9ea1080828488b9fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
709b59fed308aed15339e1b2c1cdddef

SHA1
09dc9d589407110038ea7a2ebaf680ef1ceac015

SHA256
c29a33cdab96cd475ccc2d473db8accd75768e46cdd085820872b4d84e58d81c

SHA512
8147c81aadd60e9b43c2489c71102382f312b37f9f6994167cab95a7e2e056e5ba1a40159231acfc00c7b5fc8b88b0589da7652e8193587fe59c53fca39c0f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c37ccf7e2b9d323d42e71cb77c72531

SHA1
c6117a50539e0624f71496adfbb85893b072a7eb

SHA256
ea53b14913b996492d9d912a68357be4c8f5c58c2eae7c0616530d60bb4ae137

SHA512
a0775612819bbf3a379e031b1192c8705638579a52d7c10118e40f6cb474764a03d8191d76c85f51a231ef8df624c8cfbc15ec66a4081c6c9d7742107ec6f4c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43febc5a94c91c65a2621e764890585a

SHA1
3b65ed046a07ce39d8de54d947949f2a6ce41544

SHA256
96586b504022583905a59a1108ea29065a75ca1d52f47ab22660d3a7b8bc5a21

SHA512
d0fba74154855a8fb82023ef9756a327ff0a74ecfc38c83750fbcf086c2d5efe7e184a54ec46448563738a2e3d85a6fb7ae12334b5418e4ee89a6aea44f5ed48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db4280e298adf423604c46844ecba060

SHA1
5af962300c1c33a0a4509574ff5201b965c922f4

SHA256
2b3844e174d786f4a2e8ba2ade30aaa5d4446935c6bfcd4e3989470bb7fc49bd

SHA512
c7d1eb10adc747c9c87a919893d6ec1c123d37ccf991c3c731dab5b3d1f5f2addcf7ef717d6aa8f324fe674c60f85017cc6f60d5e8244ef3c7f0ab78edcea6f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73fec39ca138aec86d001b35118827f0

SHA1
7dbba59a5406825ebdb82948b7d44e3841a6b8cd

SHA256
1ad8daef1aa596a1f83b28f4dca09b773c4d08fb704f8221e4bccb7ec1fed186

SHA512
7bf2c4f65094ce6eb0e5c6424a7820f73727975cc52c923fdc938012b25add7f41a3439b459328cf49e8232cbefb14e3a2d8d79403397325b013cf0f8c957bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce090af0ec2e5674128683b075c93be7

SHA1
5753b2db5430f042b106ac6363a8c9e825505689

SHA256
f612b62b6f54b0b3c8e0c6f07c5b847c9dbf8f872ade76f0948ceee61991d2d7

SHA512
2ef988638b1171b036bef8fe0a6b0e4407106f89e68bbfa0cf7fc2da41575e937ee5195e7fd621d61c9e9e49340713888bf269a77a73d358e95200d5d86bc0f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cea4faead35b9a84cab8bfb565e1785b

SHA1
24cfb03faf480b5ccca1fa07a44a96103e89e3a9

SHA256
40335aedcd5fe74e241ae5b1062314f3ec1ca928f180dc1dbcfd87322e982688

SHA512
2518348a8f916e53a851cddf1ff7486beceef583cbc83e11c939679bfd7b3551ca81d105934bfa7afd95872a29fdddce5e04e8b582b8b9136333e984ee60dad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DDF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EAD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2473.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1452-819-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-829-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-825-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-827-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download