ramnit | cb031b4521b690b270814b1550fd76b3d05970fb32f91217f3ee3f87fe646c03

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

892627ebd5f8e590396d8ad775676478_JaffaCakes118.html
Size

671KB
MD5

892627ebd5f8e590396d8ad775676478
SHA1

4e303d036723ccdc98d0217b58c6ccf544219c04
SHA256

cb031b4521b690b270814b1550fd76b3d05970fb32f91217f3ee3f87fe646c03
SHA512

1f66dc4998b237be0983d06767deb48baec7a81240fe80ea3a69dea40384c779631eaba0f7c9f78baa6ef50f4f2dd9d0f484d5c7a2d1584f9350fada2b04410a
SSDEEP

12288:v5d+X3l5d+X395d+X3Q5d+X3j5d+X3Qf5d+X3X:f+J+h+K+b+wv+3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

pid	Process
2764	svchost.exe
2620	DesktopLayer.exe
2776	svchost.exe
2616	svchost.exe
2988	svchost.exe
864	svchost.exe
380	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2220	IEXPLORE.EXE
2764	svchost.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015cf0-2.dat	upx
behavioral1/memory/2764-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2764-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2620-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2620-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2776-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2776-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2616-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2616-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/380-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1BBB.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1C28.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1C47.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1C76.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B00.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1BF9.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000e5add3d3c7fba54a2f8a6b25e8cce91861234f943a22e464cb8570bae559d99a000000000e800000000200002000000066b1e7570cf42a64b441b1739d2bc7e3652e08e8b858588de3057ffa1a2d211a9000000030b6452054303fc3376c3e1cbd240a432629b1b7c6b5b19fe2a52176b831d44d123cd0dd8c0ca57ec9f23e985c5534d130abb9a9b5504ae415b5b7a7fcf9e79212ca57bd851cce5c785eed2eb763b04b3d0689a0acfea59b66d0fe2777f47b8dc1771c06052075222c94272210c0a69d349f3b3b5f86164c78fd23a67bc1961801f7dc22e1239ab0ad52cccb96c97f1e400000008875f8cfe13094749f34c9250698584ab9fedf2b5111a16d8933ab0d36ca06a68ea60a06216ad6f11190de694622274c7356f121da687830e88be29159efb273	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000fa63fc211005c46a7466384c89886b1d94f6e4dc99b44269ed3ac531e3022b33000000000e800000000200002000000079607a03dec4a308f874e7b8b3e01dd7fd7b8c974a947e5d149f89ab40bd9c87200000001ccd6379cfdbab68e173fc7ae086230bced7d9d8f415e34f68c725fdec30c9be40000000a8e855c8c9d21afc6c67227973f8c0bc89e802defef92544efd93dcfd4bbac14c563532594392fb550dd1672b13c67ae1295f0c174c46bdd83c685c18c9bd92f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07373e5ccb3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423371392"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{108AABC1-1FC0-11EF-AE65-4658C477BD5D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2620	DesktopLayer.exe
2620	DesktopLayer.exe
2620	DesktopLayer.exe
2620	DesktopLayer.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
380	svchost.exe
380	svchost.exe
380	svchost.exe
380	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2580	iexplore.exe
2580	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2580	iexplore.exe
2580	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2220	2580	iexplore.exe	28
PID 2580 wrote to memory of 2220	2580	iexplore.exe	28
PID 2580 wrote to memory of 2220	2580	iexplore.exe	28
PID 2580 wrote to memory of 2220	2580	iexplore.exe	28
PID 2220 wrote to memory of 2764	2220	IEXPLORE.EXE	29
PID 2220 wrote to memory of 2764	2220	IEXPLORE.EXE	29
PID 2220 wrote to memory of 2764	2220	IEXPLORE.EXE	29
PID 2220 wrote to memory of 2764	2220	IEXPLORE.EXE	29
PID 2764 wrote to memory of 2620	2764	svchost.exe	30
PID 2764 wrote to memory of 2620	2764	svchost.exe	30
PID 2764 wrote to memory of 2620	2764	svchost.exe	30
PID 2764 wrote to memory of 2620	2764	svchost.exe	30
PID 2620 wrote to memory of 2656	2620	DesktopLayer.exe	31
PID 2620 wrote to memory of 2656	2620	DesktopLayer.exe	31
PID 2620 wrote to memory of 2656	2620	DesktopLayer.exe	31
PID 2620 wrote to memory of 2656	2620	DesktopLayer.exe	31
PID 2580 wrote to memory of 3024	2580	iexplore.exe	32
PID 2580 wrote to memory of 3024	2580	iexplore.exe	32
PID 2580 wrote to memory of 3024	2580	iexplore.exe	32
PID 2580 wrote to memory of 3024	2580	iexplore.exe	32
PID 2220 wrote to memory of 2776	2220	IEXPLORE.EXE	33
PID 2220 wrote to memory of 2776	2220	IEXPLORE.EXE	33
PID 2220 wrote to memory of 2776	2220	IEXPLORE.EXE	33
PID 2220 wrote to memory of 2776	2220	IEXPLORE.EXE	33
PID 2776 wrote to memory of 2540	2776	svchost.exe	34
PID 2776 wrote to memory of 2540	2776	svchost.exe	34
PID 2776 wrote to memory of 2540	2776	svchost.exe	34
PID 2776 wrote to memory of 2540	2776	svchost.exe	34
PID 2220 wrote to memory of 2616	2220	IEXPLORE.EXE	35
PID 2220 wrote to memory of 2616	2220	IEXPLORE.EXE	35
PID 2220 wrote to memory of 2616	2220	IEXPLORE.EXE	35
PID 2220 wrote to memory of 2616	2220	IEXPLORE.EXE	35
PID 2580 wrote to memory of 1376	2580	iexplore.exe	36
PID 2580 wrote to memory of 1376	2580	iexplore.exe	36
PID 2580 wrote to memory of 1376	2580	iexplore.exe	36
PID 2580 wrote to memory of 1376	2580	iexplore.exe	36
PID 2616 wrote to memory of 2472	2616	svchost.exe	37
PID 2616 wrote to memory of 2472	2616	svchost.exe	37
PID 2616 wrote to memory of 2472	2616	svchost.exe	37
PID 2616 wrote to memory of 2472	2616	svchost.exe	37
PID 2220 wrote to memory of 2988	2220	IEXPLORE.EXE	38
PID 2220 wrote to memory of 2988	2220	IEXPLORE.EXE	38
PID 2220 wrote to memory of 2988	2220	IEXPLORE.EXE	38
PID 2220 wrote to memory of 2988	2220	IEXPLORE.EXE	38
PID 2988 wrote to memory of 2272	2988	svchost.exe	39
PID 2988 wrote to memory of 2272	2988	svchost.exe	39
PID 2988 wrote to memory of 2272	2988	svchost.exe	39
PID 2988 wrote to memory of 2272	2988	svchost.exe	39
PID 2220 wrote to memory of 864	2220	IEXPLORE.EXE	40
PID 2220 wrote to memory of 864	2220	IEXPLORE.EXE	40
PID 2220 wrote to memory of 864	2220	IEXPLORE.EXE	40
PID 2220 wrote to memory of 864	2220	IEXPLORE.EXE	40
PID 2580 wrote to memory of 2072	2580	iexplore.exe	41
PID 2580 wrote to memory of 2072	2580	iexplore.exe	41
PID 2580 wrote to memory of 2072	2580	iexplore.exe	41
PID 2580 wrote to memory of 2072	2580	iexplore.exe	41
PID 864 wrote to memory of 2104	864	svchost.exe	42
PID 864 wrote to memory of 2104	864	svchost.exe	42
PID 864 wrote to memory of 2104	864	svchost.exe	42
PID 864 wrote to memory of 2104	864	svchost.exe	42
PID 2220 wrote to memory of 380	2220	IEXPLORE.EXE	43
PID 2220 wrote to memory of 380	2220	IEXPLORE.EXE	43
PID 2220 wrote to memory of 380	2220	IEXPLORE.EXE	43
PID 2220 wrote to memory of 380	2220	IEXPLORE.EXE	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\892627ebd5f8e590396d8ad775676478_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2656
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2540
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2104
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275465 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:406539 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:5321730 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2072
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:3617802 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:3879945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8274a1b63cc4702af9f1bae6095ac2b

SHA1
72e0ed89f72f45fac3ea5ddbfcabaf36eb690e72

SHA256
76c84d2015b924624c6914808e90debba62466db48bf1d291044459a509737ca

SHA512
b412a4feff3fa45c3a733e1daf34e6a617c788797d23cf0b7a75e235c214826be83ac2c8d994fdf9b485fc36881f9dd93d9e08e48d96a38d7a5ee46375a28968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
036f96225e5c0d2828afb018104067d7

SHA1
8849737c930f84ffab7599185a7f2eed71ad4ba5

SHA256
901e908a79a6d88df63924dd8aa74eb2bc45d251557a9d76c119e84f0f033f74

SHA512
447ee49522c4f7b96ed1d182885eb19b27414d741c4bf9a6657d8ec4d1f0677218af6f7d77c69acde91dbc0e9385d62071f93c0fef600efa4dd92b370a71e521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6f9a1e35901d32db07c9a24f2cda27f

SHA1
ecb539b9dff494cc7e205160a9efc65119840a7a

SHA256
07af0bd1e8e3d65d08efa1cda4bbd670e42f71914af97119e67642c3b2ae59df

SHA512
e0b42c8bfae9d98250789b34d34597a19801205cfde9ef509f8cc96b8ceada901746ed6d104df068031ac7096bef4570fbea8350c6cdfa54634f3aa0d7f05f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7c5425d4ca0ccddaaad1ef7488fb0bf

SHA1
f7ea8201e32b9a659658b8868abf75e50032b5d7

SHA256
18d08220b23367118196aa980c7b4881f474751322779e248f7a912a92be0faa

SHA512
a5025a46a8353a78cabddf8c972171d140caa99b330100e4761feaf229fff09d1bcf206541b85c2e09766507e3c76b7c6765146bab19695b509407e0999658f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8680e24cc10ffcdeec4ae6fa5f4184f9

SHA1
06483ca28fa1d0930f0e7a2f0c6df91078174dd9

SHA256
562c85dd06b229d89de6369b1f71eca81cf801670f7a4660c27728333030a856

SHA512
af0c6cd22aac90237e7794f10827befe041ebbd9874f6a8bfd47f2388962492c80f71bf333295f935c60ebf7f4421c9f93842be23d469501e8621a454973b7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26368eb0b122d2129605309f5e18b575

SHA1
d40542e75c5aa0cea516dbaa654bc8d2a1ff0f11

SHA256
7b53d1b2eee2109109029aaaa699cdc468aa4f741546ddb2a0b082c9e7dadcd6

SHA512
744d292ae86ec235598a341eaa03ec0044d458107346f441f41ba424c48ba9e58a5a56740ba0ce82c871f623099e133f29917391ee5190053d23b4b7059b1f7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cfa5639707c26e1cc3188af34951f50

SHA1
cd7a7c316f56764c2edfde81df2571ae3aa76fc5

SHA256
957917a8be2494940f6944470534d4894c114ebc974adef1ae0713e61fd5e1c7

SHA512
51bff9b71c713a587c9c812d5b6515ad6721213e457bd2518149a039e2713d1a913010791ebd8838fa05121e8d6f9a91d42c4c3132186fcfed3ddbd0abd2da0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecf89c8bb7474bd82aa0ddf943db614c

SHA1
c68edc2c02fcec5459228e18ff014e25d0628503

SHA256
8f16f482ca7fe352538626ddb31f7e2716fd84bb7c6cf691341cbd64232d5e96

SHA512
b227b6439fcd2858409addffff0d05255f0f859437eb33ebeb604f34d8378e4064652d65a91bc95b531d115f25ebfce7900c50e84fe85769835954dfdb9439bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc041fb581f0ce8af4383dd434e202f1

SHA1
9785f6624880308e273da32eb1bbc0ee83805b21

SHA256
f34ac4742c90cabe9e07cb535307a72a5dbbfd640c2e81271438733b71c60cac

SHA512
552bea47b6f11dd4d13ab2a4a64ece5bcbed0bf42044b498d4d96c15c6099cdfc3f4cfdfe6e38466b653babba729bcd3bc75d81ce3e821d5703677fd93d97894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03bf525cee986f0f01e58c4404178c58

SHA1
fface1decfb150df38a41830c82f699257e8c0ba

SHA256
1dcbd0f8749a02afd68e4c53b87279c5ae6e3129c599733091e0ec1276b12bf3

SHA512
0a14cfb66992e7f9b00e503df2641c10b1e6fd523f9d7377b4b6fa3453f81314be12743f5a65fbac56265b2a59b3cd14a80c23e0086c4ca5c1f489e2c27806e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37b18353be4ce404902c9d8c77ec95b5

SHA1
1892929180b304be6645738775484042af07f4ae

SHA256
8705e7ec5aa305266c17450ecc517ee00c00af538ff70b3110e5391a17575c28

SHA512
48a9962f67286c9316662f30990b6118095ee530d746c81d50ffebc31f50b5644225bd00fa69a4ce1c700c4570432ce027b4e0d24b587e56e2f3aefdaaee9aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d7f215131615a21d8316abbcf59c06c

SHA1
1028bc88476e70f8b4804e74a97dcf3540e7b5f7

SHA256
af4beae31a54b398cb42014ac1ca9cdc8cb9d101403e1625c5338951868cdcff

SHA512
1d27bb12df77007f3f0b4082c579273cccb8bcd1511c060685dd1c0ce247d5114c984ed58870624256758f2e2ce03a12c80ec25b646c4de78e0c9f71de544be5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
330f61fbaaad910d80abfe67ba42b17f

SHA1
ec5cdc31147ed5d92cdee223f22ae40d86526bb9

SHA256
ebdf86228613b40f56218a96026910976b7022dbebd13a68c39acab3e8fb3d1b

SHA512
b985bd85b36c8f55f9621a8105edf980aa09e1f83a1a3c492b33dc9cf577d0763f2000a38de3ffb9ac4ba76e60d62b1506456020264d96044e6ca97fe7289c5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31c4aa6a553b1996b2ffc6bdd23d6ed8

SHA1
619380fa4f9ed1cd63dfbe1c16d6710c8f27139e

SHA256
d6e591adb89d166b332187645bea18d969a1e37b6db3a4b67a9f0c8226633439

SHA512
4ff1c5086bc811aff8e7222fa330b83e555c8545fa7cc4416ee7c2a7cb5eb92f1359c14de60c19b70178702009e5f60f4690a46a4ac9f2f35c8297d40d461197

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ea7784597f36ce8e9698016a187217

SHA1
5f0712462ab2d257f5cf4233857be496c6239f5f

SHA256
666f8ca1be04f18df82a4bc8e839e391fd0bca852d3f2722afd79875b0885bff

SHA512
43963c0ee333ac3252511cd0b08933542f7711f757d887c2400d902bfdab4203881c0ef31a4a7b124d851cfca93bed0bcbac6b0cc254087ff0f16416fca2a0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63ee838856510485209be3fd132711eb

SHA1
6675422dc7b986e8abf76d2c40a2ce3d9c0711dd

SHA256
a0a78106773c54b6da28cfe44b455a527c31fdd90082b57d3a2b79a01f7a3dd7

SHA512
6c7df01992e063f13a62b454c3b0175ef905d157fff53954cb2628622b37f5c365094592c57cdef42175c4cab799031fc0ba24ea0e9500e9be6bf8263b5f6fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4585e0b7d019d3e4addd0ad40faa7e31

SHA1
b11a836226819b45227639959f581362623ae562

SHA256
bdacefbf40b1003a23aef3467ebd0dc72e866680e3962d43cb34281e6a03733d

SHA512
238e7f7c960f0d0f8af242dad6f0925584ff9d59bc87636eb7c64356c8c068da35ce03fa7101727027585d72f2a1e35cfc2038368424885ce5faca250b0995ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
233afe7cdca69d9027a9160eb8ab2977

SHA1
0ce2ae83952604acc5d3f2b30bb18008ebb471ab

SHA256
965503231526154745eea5d4f94b020cfced4372028741948e20769e937b3bb9

SHA512
5b054f9764c263b23147ef537af3333747d21239f7ec11094f5c4443471e7dea032d271f142fe43b439ae89305cbe577f1a7e99f877d5fcad0a73c8a18c72f59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c606736147e0d3609dd5c17a7e558abe

SHA1
f4ab58381b24c6d1f49dfadae42a7ae7a6c3dfde

SHA256
8a932aa3afce772b4e4b71cbe2b62b3c8bfaf699009ed6c8c7041a7394bb0fa4

SHA512
7c940d2b380da8b71bc8623d4a3d59b3cd91910426c5add2fab6bd3a81596dea4a6cc06ad284c919a59c657734fcbcba7060ba692efce94df530e0bf0afddfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3140.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/380-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/864-39-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2616-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2616-30-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2764-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2764-7-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2764-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download