ramnit | abd7244654e8bf715bfd36b9ec7802384ba715d3f37422b490277062decdb89e

Analysis

max time kernel
117s
max time network
133s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 23:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fe7b1978ad990602552ae7ec8e7cc9_JaffaCakes118.html
Size

184KB
MD5

a2fe7b1978ad990602552ae7ec8e7cc9
SHA1

0bd36c49841cb2d1df86c4926272cab7b6b6c350
SHA256

abd7244654e8bf715bfd36b9ec7802384ba715d3f37422b490277062decdb89e
SHA512

3341266e2cb36d69ad917dd38c23fdf75ff4f1046c699c5728f3cca84e54fd70ca707a46992bfd45afa7f9119d2955639a12857423544295c7a441cef319b915
SSDEEP

3072:SlWCYyfkMY+BES09JXAnyrZalI+Y5N86QwUdedbFilfO5YFis:SlWssMYod+X3oI+Yn86/U9jFis

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1996	svchost.exe
2512	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	IEXPLORE.EXE
1996	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015561-2.dat	upx
behavioral1/memory/1996-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1996-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1996-12-0x0000000000240000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2512-16-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2512-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2512-21-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px5A6F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000667fe73c18a7ecc56366e796bb9f6a76387337c43b0f0e87e73e33e28c26ef23000000000e8000000002000020000000b2f0ccd03df5b65b09e64a0591a7b9f339acbc1a65ed7611f41589c420c3d456900000008b4ca6db6d8596deb1698c1525b115799acb6f8ee3ac172113e0ec83be99d74970e06d1e6dc5c36bca4e3da785bccaa7ef0a574995b756a5b97e852daf144b880e1e202d9eecb2ec5e033a9a09002773ee7e0490bbd928d2729989fe27d167d983e0a50c64145e86c4dd79f1052b8588bbed0adc61fe0d19ce21a05798828f8dc66295b0a7a8a4af30af379805125e0340000000860c3a5841ace8ccd7befe6c9573af11ec454b7ae95733df75784e9c6fd256290c7efe921732115baa2b0eca88055a6b06767b0ba87e927561e822bb9b2901b8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424397867"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01FBFEB1-2916-11EF-B98D-FE0070C7CB2B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60aca0d722bdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000002cdce12d99e24863642eabd6491f7eaafd5f20d34152f28387471f453c16e02d000000000e8000000002000020000000ed35dd5f471c7b8ecba4746da98010d7c3b47189e578c909cb73cf7d2b8682d3200000000c75133afea325dba9a7e35094d39c7e59bf7fb0aee2686cc56b65b8b68f728e40000000f9160f4e00301b3dc15a6d18b44ba157d0d46271902c1daab58a88af592881b774fb443ee12df40781d8b6fce36e65963c0663731c9380ebb57cfd0a8910dd66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2512	DesktopLayer.exe
2512	DesktopLayer.exe
2512	DesktopLayer.exe
2512	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2208	iexplore.exe
2208	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2208	iexplore.exe
2208	iexplore.exe
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2208	iexplore.exe
2208	iexplore.exe
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2996	2208	iexplore.exe	28
PID 2208 wrote to memory of 2996	2208	iexplore.exe	28
PID 2208 wrote to memory of 2996	2208	iexplore.exe	28
PID 2208 wrote to memory of 2996	2208	iexplore.exe	28
PID 2996 wrote to memory of 1996	2996	IEXPLORE.EXE	29
PID 2996 wrote to memory of 1996	2996	IEXPLORE.EXE	29
PID 2996 wrote to memory of 1996	2996	IEXPLORE.EXE	29
PID 2996 wrote to memory of 1996	2996	IEXPLORE.EXE	29
PID 1996 wrote to memory of 2512	1996	svchost.exe	30
PID 1996 wrote to memory of 2512	1996	svchost.exe	30
PID 1996 wrote to memory of 2512	1996	svchost.exe	30
PID 1996 wrote to memory of 2512	1996	svchost.exe	30
PID 2512 wrote to memory of 2728	2512	DesktopLayer.exe	31
PID 2512 wrote to memory of 2728	2512	DesktopLayer.exe	31
PID 2512 wrote to memory of 2728	2512	DesktopLayer.exe	31
PID 2512 wrote to memory of 2728	2512	DesktopLayer.exe	31
PID 2208 wrote to memory of 2592	2208	iexplore.exe	32
PID 2208 wrote to memory of 2592	2208	iexplore.exe	32
PID 2208 wrote to memory of 2592	2208	iexplore.exe	32
PID 2208 wrote to memory of 2592	2208	iexplore.exe	32

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a2fe7b1978ad990602552ae7ec8e7cc9_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2728
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:603146 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2592

Network

DNS

txbbwwwhjdllts.sb1317.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

txbbwwwhjdllts.sb1317.com

IN A

Response
DNS

push.zhanzhang.baidu.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

push.zhanzhang.baidu.com

IN A

Response

push.zhanzhang.baidu.com

IN CNAME

share.jomodns.com

share.jomodns.com

IN CNAME

share.n.shifen.com

share.n.shifen.com

IN A

182.61.201.94

share.n.shifen.com

IN A

182.61.244.229

share.n.shifen.com

IN A

14.215.182.161

share.n.shifen.com

IN A

39.156.68.163

share.n.shifen.com

IN A

112.34.113.148

share.n.shifen.com

IN A

163.177.17.97

share.n.shifen.com

IN A

180.101.212.103

share.n.shifen.com

IN A

182.61.201.93
DNS

api.bing.com

iexplore.exe

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80

182.61.201.94:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.94:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
182.61.244.229:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
182.61.244.229:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
39.156.68.163:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
39.156.68.163:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

753 B
7.7kB
9
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

753 B
7.7kB
9
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

779 B
7.6kB
9
12
112.34.113.148:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3
112.34.113.148:80

push.zhanzhang.baidu.com

IEXPLORE.EXE

152 B
3

8.8.8.8:53

txbbwwwhjdllts.sb1317.com

dns

IEXPLORE.EXE

71 B
144 B
1
1

DNS Request

txbbwwwhjdllts.sb1317.com
8.8.8.8:53

push.zhanzhang.baidu.com

dns

IEXPLORE.EXE

70 B
255 B
1
1

DNS Request

push.zhanzhang.baidu.com

DNS Response

182.61.201.94

182.61.244.229

14.215.182.161

39.156.68.163

112.34.113.148

163.177.17.97

180.101.212.103

182.61.201.93
8.8.8.8:53

api.bing.com

dns

iexplore.exe

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
359ee75688d01f76944a3e7623f6a8cf

SHA1
18d2198209ccc6c7ea300322d93b0e7dec7a078d

SHA256
370d192b99739fef65fe3051c766be68c91366272110b6e1e0f857a85bc6f776

SHA512
f5da886120a893c5f12f9c0cfd2693a1637c6bae3c66814b37555c519e2ba6b02588ccf239c631335fd522062e207dda478f2325d2ba00dca550db551bb94748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e439e0d6c6bf87696537927f4390c5e4

SHA1
c45b36ba16d5408e1d8aa7102df675a6b201cb76

SHA256
ccec0014bf0261638079089b66c5ca70040b79f657e908e33f368f0fe8393304

SHA512
ba68a83161d2e70f1f46649c1dee7275a18c834d26a9e1e8a7e4e8450df123bb8ad4987b5bf216f4bc64d3459351407bb9d7849b622e69bea2d3438cffd1676e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b89faea38e9897491b42d440e5eaefa1

SHA1
8472ea8f7c52e7bf5cae794a451dbeceac8ffe45

SHA256
708c5d8435b70b9c79b83b2f4e65a5eff1883bbd3b0653410712593ca50b2f5c

SHA512
debde6eec9206e3923bad0902e4b4adba8e616762c64921c9a83e03887ce447ea8577af18a10d4d5ab391fea65e2b186538dc5f40a8b65b95e971cd12fa22a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a38033ccda5dd77934ddd268683aed4

SHA1
8ee8ebc8f8260ff43c70fd52b07fddb5e56746d4

SHA256
09bccab1a5e7e939a30da41d0366fade8e96a87a1e6911bec2038011d6fecd75

SHA512
189fa50fada1ecf46a7b25ec2c4c83b03ba7d2f6ec04e2214ecdad17e368f32e8bd860f73b43dc305626893ee8d9f5e16038a16556a3b0b4bf036c6ceb63e0bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e02742c07951ed93d1e2efba1bb9f24

SHA1
f4e29ed57143a2a8fa7ead94d1f597300b31593d

SHA256
adb9dfa7eb04b7cd4a976962325c43988a79f58a78f5ff1f848d9ce11b372aef

SHA512
c61da628dc7d746d7f56ecee26dc8e59e6ea8352cdc47ded4699e530adb0ad9e1afe8071464aac95af3b600b8c7c0fbe5f54e2ee348842c0802f7d99d2b70974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bebae8681948f65f9870f99cd414cdc

SHA1
5bc2e6cb40a64be041a8b70d165f2ede16c2fe9f

SHA256
4c798c1bc871def17ed726fd09e1d64912cd9ca26df8f9fe4bce7ac93ec117b6

SHA512
c407df0e1db00f6b77d2398c3b3a03d7f7bc046215990fbd6cd2ee6fdad27d1d621a7a66084df29362765e7c2af2ddcfd83c2b4caac1ece430bc640ffdb604c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70994e8c47be217227cda3499305911

SHA1
21ca2c21f3d62d6230cbdd158f811a4ce63ee79e

SHA256
b2cc5bd768ff9ff06987059eb400da63ca8c4044697e380395f5ee1d7697cdb0

SHA512
f88e9e3f3c7078f932be46885e1bf9faa4a0fd299f8efb833e6be870f70eda520bd0d0671539815cec590f37962dd31367d49e47bec6eb67416263d6cafa2efe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f68e932e6925bfbd66efeaed5369b80

SHA1
3865cbbbb57c9948007d9a9faf33d629ba4223e3

SHA256
050cda52006448b385a749c72a5de278beedd774ef61f4c310e110ea8ccd864c

SHA512
98118bcad010e8cbd7ed483326fde3f0c0d7fa353c4fae8a695d53536473a5e3b68ec9b418ce524781ab1d94babd2dc2790d0e67d6d2b720f3b6b11158fbdea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9c9bb230e7ffdb9875b2fd1c601b42

SHA1
9e2b3e062e792193e5baed33b4cb56c114921b88

SHA256
6a41f5e841f92d2532dcb1e7e23ad1186979ca8283d20e608516474f0decd2df

SHA512
d48d5f9ad8730b89e50d3ea512b22347d3f7e7cc8245a8768ac6563c24c3e4ce2f6aeda7493c5279dee9b2cc2707c0f120004425c9416ddde5c9adf2d0d63d3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddc79242075e332c65c25fb728ad49ea

SHA1
9c83ebbac596fa5469a71f588f6689ce8ee82f9e

SHA256
06c17e8688b412c8c6f3de1d2e0945ee8aaaa21dafebdc11b29eee7a5dfba103

SHA512
89f9ec521d2ffa9f2d37121295909a808512d63f1b70e8d9eade97f54d60b5bdab3fab85886596f2a22aa4cf49de4c8cfbaeb4c29c266d4df990a5b9edb6ddde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f639fdb0deae50921d167a123af0a8

SHA1
e579be52785adb56d395c5a460be3ac70e75362c

SHA256
92b5aa9baf63e7904b3b8914f917ab545c51b48c02272bfeafc5697a01955d69

SHA512
e4c1b5ebebfc25f5bb63e5ef0ec0915102a1f5c60196af92ce224cad392a761e7ac95d4ffa737e1f2433ddaee927679a326bdb2bdadd684e00b3fba1a8611dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bf156e550a5a3b3d801c509eecbad12

SHA1
84c1c27ebd240d6d5b3f295ae243bb23893c800b

SHA256
c3c2693812c4e66f7df79d6d09c95b2477e34dea74f0a5bea98e85efa3be72b9

SHA512
0bac13d968a21d3c66fffa79065ac8610b04814b4ba90ba90a92bad7d6d472a8f3a44fe3d243f40140cdf207aa521cabcb3441b8d06da60a2602f0b5ed90d891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0699a7abf946c6f0f75ed7858c1c3678

SHA1
9ab76d797b8fe2c91d6a524f593ed681a89beafc

SHA256
9fe5ccf0c4fae67730c0dba86de8c4e5b6769dae0bd70f9fb65a061a975187d4

SHA512
a8cf46a8c6abb90e3f4df807348469fbd50d3e92401aaaa7d1165ba840efcbe530775c35e4fadb7e866e438f651a6873a4397e3e6fa6990482f0658f40f3e968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42cdac7c13c0ac1e8b5bc47df79dd3e5

SHA1
c8d422f295e9feade5d39b3943a65646e8942817

SHA256
e851d18e5edc30550f1ee7bee2cecf9c9f4487f9c9229148a055536626e44726

SHA512
98b094086b827ea5f0bae04c262f109b6436b6cc0ae5398925f901f2c291dd3b714649911618a71cf46a67ae1992bbea8c3fc8702d3486638c1e3d82580f5cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11a3848159b006cf6b78799d3c7a587c

SHA1
24c5b0a3f717828effd8730043783e9112ff1241

SHA256
3f449d5610df6442fcba49b303adeafd7807ee78b50066a442e391d1040c8d09

SHA512
f5a1297a6d15bc5bee5946e0cea5740d43ffb0c0673cbfb0751c7f3a8b95b72e82fe02f802c6343b2d8cce8ff83d4caf7b71d22b79268098079fc44c12ad003e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b65484e54f3a28d17806071698195100

SHA1
0abd0f4bb0a84b1db97c069f6b03fb65b4b7ebfb

SHA256
42cd06fa63c7fd22a97dc9cbed50fd8239f88a3b946480a4de8ced141ddc23bd

SHA512
e3c7b4b0979fc41b4cfb098e84aaf3695cffffbb8ff6246459c63050d0f4ec06c0f8d15eb377d4c5619407ba909ada905b3ac7cc69748fcee174aef890c28b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcd0eed4bc67a583e017e497e8652177

SHA1
165f521f0e007d537dbc9843afb6387faf9c8404

SHA256
54d3a91bc696665172db563ebfeb0f82487d591bce45029f03d4234f19ad35a4

SHA512
ca53cfdd89fbbff6fc21cb5f4c8934f32c4f5a443f726fb56f4d9725bd5df12671531ca59dfb09f6efd4a87b6a1ce283eeda4b1cbf7a5128ad0b187340b79ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36dc3682d0ec2f398fae2028f5c43dfc

SHA1
c5ae3060a26c8c396df91cc1dfd0d95442ab504a

SHA256
23789f7542a62c9e483ae50a227d93e2c9cdad5ca3037d6b595a6d40d4cd5e4f

SHA512
1970397ea628df83af21cd92da0a6b5c6483810096b6be758b20086c4dcffca9af5c767b5ca4d0cbdbc313869225de8ed7188139ab24112efb69bff34c57c9fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26bda8129fc32ef09e66844c92ff39f2

SHA1
4dd3fa227eecf9d2328777d01f299cf826f412c0

SHA256
1b778094447253d14d431e61043d4463e92a26bfda069e1c21ff7f7982b71f14

SHA512
2d727d0e02ff53e5bbd01251253bb60398e45e75b568cbc6d5ab5617ebdfe8417a3181efd136084dd28d1da6992c002ef605c8e5855b1124ab1a6887f34352ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7024.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7122.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/1996-12-0x0000000000240000-0x0000000000275000-memory.dmp

Filesize
212KB

Download
memory/1996-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2512-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.