ramnit | d7d20c278afbc83fecbfc17c9adb9798069ddc373af17f4f0f95300075956624

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89f1bb1f7a8bffd4fa76ce65ebb4167c_JaffaCakes118.html
Size

2.7MB
MD5

89f1bb1f7a8bffd4fa76ce65ebb4167c
SHA1

dc15fa90043d3b65ae818b54e6278e64c82b87d0
SHA256

d7d20c278afbc83fecbfc17c9adb9798069ddc373af17f4f0f95300075956624
SHA512

a58d726b2788e2b99e8160a18c9dc9be7c60e52c22d173b555e1e0eb0138b70305c978b5d5082041be0d55b30a3fbe70aa5f51c71200b9ea77cc42c8fe4b5557
SSDEEP

24576:v+aDHsN+aDHsbY+aDHsYT+aDHsT+aDHsIq+aDHs1:reWh

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cdl2414.tmp	acprotect

Executes dropped EXE 12 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

pid	process
2624	svchost.exe
2680	DesktopLayer.exe
2868	svchost.exe
2984	DesktopLayer.exe
2616	svchost.exe
316	DesktopLayer.exe
1852	svchost.exe
2848	DesktopLayer.exe
2852	svchost.exe
2252	DesktopLayer.exe
676	svchost.exe
1496	DesktopLayer.exe

Loads dropped DLL 27 IoCs

Processes:

IEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeIEXPLORE.EXEDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exeIEXPLORE.EXEsvchost.exeIEXPLORE.EXEDesktopLayer.exeIEXPLORE.EXE

pid	process
2068	IEXPLORE.EXE
2624	svchost.exe
2624	svchost.exe
2680	DesktopLayer.exe
2068	IEXPLORE.EXE
2868	svchost.exe
2984	DesktopLayer.exe
2068	IEXPLORE.EXE
2616	svchost.exe
2564	IEXPLORE.EXE
2068	IEXPLORE.EXE
316	DesktopLayer.exe
1852	svchost.exe
2068	IEXPLORE.EXE
2848	DesktopLayer.exe
2852	svchost.exe
2252	DesktopLayer.exe
844	IEXPLORE.EXE
2068	IEXPLORE.EXE
676	svchost.exe
844	IEXPLORE.EXE
1104	IEXPLORE.EXE
1496	DesktopLayer.exe
2260	IEXPLORE.EXE
844	IEXPLORE.EXE
1104	IEXPLORE.EXE
2564	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2624-9-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2680-33-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2680-27-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2624-22-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2616-57-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2252-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px25F9.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2647.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2453.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2869.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px257C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2695.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000006f9ea4999179468f21073d701d3662b6808d4ec8d679204e413730efacb9e5f5000000000e80000000020000200000006b45636ca6ba4af3b637068a658bfe686728983fc87ebd65e863c45fdf05ecb420000000930d768a3748bb03ae539b596e578bf06465f05155234c274a946678ec07160740000000ca8eef342fc62b9ac923f54631eecf2647f6b869310f294a0e4eb90dcd4cb46e12231d1f31882d02678864dfbca9e9b7cd442b3324e9645d98a52fae377e917f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000d27b8a90b54fc005b5480c5dabe8f6e4d3e176b26b397a91888c2b23fb3d1df8000000000e800000000200002000000012d79019c94c9810736a14e89d9c26d7b42de80dc3e698c7e00593358feb9aca900000009b4b58b59b6f4e845f20169a05527c3b1a5b4ca2e61661bd447e4d80f702e8daa84b6627dd71661d8f59211a3ebb8f88704a4f6826fcbf372d497cb216459cb3befadf1a7946d73889cacc364fc4556fbf71be01184ad49ed2bf49381f428e47596f671781a7ef44375bfd820a74f1ceccb7276ef06bce20f95b466c28b8d94125bd76319544a090bf46683ac09307dd400000006dd00eca4da86ce4d0ed7d3ff33d676692c42abdd81984860f205eb7da4e180db88c3a3c4e3a1f7a26861e2c55bb5dabae86b8e9873c646c528c4244cb816d8e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ACCAA651-1FF4-11EF-B390-D62CE60191A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b066758201b4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423393987"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2680	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
316	DesktopLayer.exe
316	DesktopLayer.exe
316	DesktopLayer.exe
316	DesktopLayer.exe
2848	DesktopLayer.exe
2848	DesktopLayer.exe
2848	DesktopLayer.exe
2848	DesktopLayer.exe
2252	DesktopLayer.exe
2252	DesktopLayer.exe
2252	DesktopLayer.exe
2252	DesktopLayer.exe
1496	DesktopLayer.exe
1496	DesktopLayer.exe
1496	DesktopLayer.exe
1496	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

1820 iexplore.exe
1820 iexplore.exe
1820 iexplore.exe
1820 iexplore.exe
1820 iexplore.exe
1820 iexplore.exe
1820 iexplore.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1820	iexplore.exe
1820	iexplore.exe
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2624	svchost.exe
2680	DesktopLayer.exe
1820	iexplore.exe
1820	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2868	svchost.exe
2984	DesktopLayer.exe
1820	iexplore.exe
1820	iexplore.exe
2616	svchost.exe
316	DesktopLayer.exe
1852	svchost.exe
2848	DesktopLayer.exe
1820	iexplore.exe
1820	iexplore.exe
2852	svchost.exe
1820	iexplore.exe
1820	iexplore.exe
2252	DesktopLayer.exe
844	IEXPLORE.EXE
844	IEXPLORE.EXE
844	IEXPLORE.EXE
844	IEXPLORE.EXE
1820	iexplore.exe
1820	iexplore.exe
676	svchost.exe
1496	DesktopLayer.exe
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1820	iexplore.exe
1820	iexplore.exe
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 1820 wrote to memory of 2068	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2068	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2068	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2068	1820	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 2624	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2624	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2624	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2624	2068	IEXPLORE.EXE	svchost.exe
PID 2624 wrote to memory of 2680	2624	svchost.exe	DesktopLayer.exe
PID 2624 wrote to memory of 2680	2624	svchost.exe	DesktopLayer.exe
PID 2624 wrote to memory of 2680	2624	svchost.exe	DesktopLayer.exe
PID 2624 wrote to memory of 2680	2624	svchost.exe	DesktopLayer.exe
PID 2680 wrote to memory of 2632	2680	DesktopLayer.exe	iexplore.exe
PID 2680 wrote to memory of 2632	2680	DesktopLayer.exe	iexplore.exe
PID 2680 wrote to memory of 2632	2680	DesktopLayer.exe	iexplore.exe
PID 2680 wrote to memory of 2632	2680	DesktopLayer.exe	iexplore.exe
PID 1820 wrote to memory of 2564	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2564	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2564	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2564	1820	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 2868	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2868	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2868	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2868	2068	IEXPLORE.EXE	svchost.exe
PID 2868 wrote to memory of 2984	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 2984	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 2984	2868	svchost.exe	DesktopLayer.exe
PID 2868 wrote to memory of 2984	2868	svchost.exe	DesktopLayer.exe
PID 2984 wrote to memory of 2340	2984	DesktopLayer.exe	iexplore.exe
PID 2984 wrote to memory of 2340	2984	DesktopLayer.exe	iexplore.exe
PID 2984 wrote to memory of 2340	2984	DesktopLayer.exe	iexplore.exe
PID 2984 wrote to memory of 2340	2984	DesktopLayer.exe	iexplore.exe
PID 2068 wrote to memory of 2616	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2616	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2616	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2616	2068	IEXPLORE.EXE	svchost.exe
PID 1820 wrote to memory of 844	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 844	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 844	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 844	1820	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 316	2616	svchost.exe	DesktopLayer.exe
PID 2616 wrote to memory of 316	2616	svchost.exe	DesktopLayer.exe
PID 2616 wrote to memory of 316	2616	svchost.exe	DesktopLayer.exe
PID 2616 wrote to memory of 316	2616	svchost.exe	DesktopLayer.exe
PID 2068 wrote to memory of 1852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 1852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 1852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 1852	2068	IEXPLORE.EXE	svchost.exe
PID 316 wrote to memory of 1052	316	DesktopLayer.exe	iexplore.exe
PID 316 wrote to memory of 1052	316	DesktopLayer.exe	iexplore.exe
PID 316 wrote to memory of 1052	316	DesktopLayer.exe	iexplore.exe
PID 316 wrote to memory of 1052	316	DesktopLayer.exe	iexplore.exe
PID 2068 wrote to memory of 2852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2852	2068	IEXPLORE.EXE	svchost.exe
PID 2068 wrote to memory of 2852	2068	IEXPLORE.EXE	svchost.exe
PID 1852 wrote to memory of 2848	1852	svchost.exe	DesktopLayer.exe
PID 1852 wrote to memory of 2848	1852	svchost.exe	DesktopLayer.exe
PID 1852 wrote to memory of 2848	1852	svchost.exe	DesktopLayer.exe
PID 1852 wrote to memory of 2848	1852	svchost.exe	DesktopLayer.exe
PID 2848 wrote to memory of 1568	2848	DesktopLayer.exe	iexplore.exe
PID 2848 wrote to memory of 1568	2848	DesktopLayer.exe	iexplore.exe
PID 2848 wrote to memory of 1568	2848	DesktopLayer.exe	iexplore.exe
PID 2848 wrote to memory of 1568	2848	DesktopLayer.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\89f1bb1f7a8bffd4fa76ce65ebb4167c_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2632
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2340
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1052
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1568
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2252
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2256
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:676
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1496
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:865287 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:1061894 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:1192967 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:996364 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66bb484197bea92d70b5d83f60e2bb38

SHA1
6220ba77f3a2f3ecb72f1db5d5d9f9784e3f605d

SHA256
b6be15ee429a97d2ccca85388e87693b387160f1eca9fe850df19e0ef5988993

SHA512
1ec14215609e089e9c08bfbb3592b550eb1efef4a1ea0ac60501722c71faf2469687641694617d5b4f5ad3b71c272a0a5a0ad34e776e6c7f75a281ad5e0a344b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e0af2d0bf9596c53b263cb891dfded

SHA1
608080b919605a85c71cfd66a5379874fccf68b1

SHA256
8a614347012bced0e16960ce1f51baf0abdd2afe009c1862c6f12f54b2859931

SHA512
a2248789ea11e5ae35e00d70fd8dcabba6e070c69bdc4f606576b244e25362cc05acc1ea2131b26eb6e44e2ffeb4ae93fa5c142965d0c1bf575d9486e706c11d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ad04a3435282b719296ca76252ab4a5

SHA1
120e0fdec5c74d4e52d3181e4a52e894cb268920

SHA256
6b36c94c5262d45f9367c41fd91f66d707f03b16a99d3d2b8001dac5dbba794b

SHA512
5e5af2db33b47b6d6e1de818492818f1864f39d2af7c0f82ae226d708d45b2d5823eaee3610e468e6d405c9632f497f260f90c5413cd401dedf9a7e519e56ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b43eacb8f316b6b504b9322752cd922e

SHA1
83a4e1d09e7b2abe860d538a79d8ddacc56553e6

SHA256
66d5ad5fe25689183cf65a3916eda6005ffe0668f46b4a0066488add2e103377

SHA512
911c65d068b96103411692d967360809ca6f6dd58811db6e0205e2ffbf6f8d69e5e726fbbd59ae5713edc2609b2d247f037f35d7d79c9fae30c50a5820f024dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60424cf5007c06aedcae25f3da7744c7

SHA1
75d7eb52700e69c46bdd6ea4e3508b1dd963e3ab

SHA256
a8150bb90908c66577592ed40352206ec78887d9a3b384ebdb3f7bca2aad8003

SHA512
d805580cfc50d6332a100eaf7732ff5e6d28c5e105a51662585c00db4958bd5295291456b218b5e9b252eeff73ea56c4a82ae9c815edc4cfbb4eea6ae7bbe6b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3996d483533296aee636fb730c43b2ae

SHA1
c0f3e5eb977747467e73f9ab6e4162b82cb559d9

SHA256
3643adda4b073332ca58a37f4e29e945def27c739d00e02e283878ac204a117b

SHA512
aca4d036d86565287f308372e5e8f43379cc6882bb7247d36276c8677f829f7df419c920dbf52f65726d039482f1db30128d719773d03b5ea37058bd5b2a9f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67c4cf9445a67b3e472bc6e917faa971

SHA1
98bdcc46b275e647baa2439f83610cb5b7b09c5e

SHA256
0595ec3a2345bb926d8dbbb73937b3b057b9b63adbd55927e740eee96b8ebd93

SHA512
17aed3f59c07d2960733c3304242ca54d34c2e55ba27f330982c80ceebe78c80c31ef6e31386cdca27c98cd994161c699e7e8c4c808354084cb11427805862f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe24ca80e3aaac0b013cb497e6b017c4

SHA1
1bb7c9a823e8a631786739abdf6d5e9839cdedc9

SHA256
c10678c2492748cf5499c108ada55f899cd63cef4d5f6004c4d1d0f9f7702bef

SHA512
77cdf8b3890c90bd722ee1bcb4d3cc96aaa9341160895a18b7fac75374edadb6d86d3f69ad533debaebc247faf010c269abebde97b858eacdd6efc5b9de379e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ae0fa38f64b1d9d2bbdbbf7234f7540

SHA1
fd0b977aa68ce5926ebce205f55cb38bf5c9786d

SHA256
709cd165c8b0dd4652975294ebd7cd9fe5ad2255fc7ff0008c6480a445f32520

SHA512
4fa597e1d0731bf79cbbe3fbe136920caf43057b7f43623d4577b032a7fdadd42a777b51c74b3aef923aa785e7cc5ea62874c9bba042931668b273e369171b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\common[1].htm

Filesize
2KB

MD5
a7d5f146cce6c8d07671f7a4cb68f692

SHA1
47e097b547614d06ae7509fd83f557f1679b9287

SHA256
44093bf866d68115a9c86a8add5bf3f858140d8d61fbb1e4b689c9f2960f5f89

SHA512
49b7e85f31f76434438a00888319492bf12ed804c26a9a8d6744c3406c513422e770f71828dffb7203f0fbe3d33d962bd11c4c6d66df1dc20b116e7a6b2d7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E0E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EB3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\cdl2414.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
228KB

MD5
e9c85c499f6b7c7e91a44567f27ecd68

SHA1
6f89d9176e58f04c3cd48669f7a0b83660642379

SHA256
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d

SHA512
dd40f713857e9c574e5d34dd292d17fbb94a38c1f1d7f2cf90e043b713c42358d74327e403d3617f5985fbafd35d90c24fbfbeb97cd95a02224a24d75396a5e5

Download Submit
memory/316-80-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/316-76-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/676-140-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/676-131-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1496-153-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1852-89-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/1852-84-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/2252-117-0x0000000000240000-0x00000000002B3000-memory.dmp

Filesize
460KB

Download
memory/2252-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-120-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2252-124-0x0000000000240000-0x00000000002B3000-memory.dmp

Filesize
460KB

Download
memory/2616-68-0x0000000000240000-0x00000000002B3000-memory.dmp

Filesize
460KB

Download
memory/2616-64-0x0000000000240000-0x00000000002B3000-memory.dmp

Filesize
460KB

Download
memory/2616-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-14-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/2624-15-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/2624-23-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/2680-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-34-0x0000000000350000-0x00000000003C3000-memory.dmp

Filesize
460KB

Download
memory/2680-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2848-98-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2848-102-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/2852-105-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/2852-111-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/2868-46-0x0000000000430000-0x00000000004A3000-memory.dmp

Filesize
460KB

Download
memory/2868-40-0x0000000000430000-0x00000000004A3000-memory.dmp

Filesize
460KB

Download
memory/2984-53-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/2984-54-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/2984-51-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download