ramnit | 45cf74e922be512ce4528ce1911b3f749da2d0032cb8993accecd450709304ef

General

Target

a525671162868d43aacc3586a9d5f9c6_JaffaCakes118.html
Size

529KB
MD5

a525671162868d43aacc3586a9d5f9c6
SHA1

446f2907224d2bcf9cb0cefcde9de047f5015949
SHA256

45cf74e922be512ce4528ce1911b3f749da2d0032cb8993accecd450709304ef
SHA512

a6171eeeb2889cbaecbc2f8a1a5b6b39b7248dfe6d9b60290047095ca4dfd624a6d3e7b11a25f713c58a8ce1236559e5d85f187b83b7d1594d8ce811a1e17b71
SSDEEP

12288:lU5d+X3uT3aDk5d+X3uT3aDm5d+X3uT3aDe:l2+OTV+OTr+OTb

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

2816 svchost.exe
1636 svchost.exe
1736 svchost.exe
1324 svchost.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid process

2948 IEXPLORE.EXE
396 IEXPLORE.EXE
1336 IEXPLORE.EXE
1216 IEXPLORE.EXE

pid	process
2948	IEXPLORE.EXE
396	IEXPLORE.EXE
1336	IEXPLORE.EXE
1216	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2816-6-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2816-12-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1636-22-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1736-34-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1324-46-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA2E.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC938.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2896.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px69F9.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{328F6E71-2972-11EF-9A0E-5A3343F4B92A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008a89417fbdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000d9d7d90c7dfb7c9d655edea0bf14b83b64be65606cc10f1d957e0da4aef3128c000000000e80000000020000200000004d1e716df16d7bc08f13eb59067ee1e4321305b4a00362040d54d1aa3cdd8b4a900000001ef15b5b27d639130bce199e715effec9d6f4de6cd4a1eb9f6ad1ff149db167c2603215ba48bad23c420d0d39bb72321fff7a14b5ffb358d249c3f41d95a908694992c63752807f06e5cecdbeb509b04aabd6a60a0e52654c7ff0c855798c4737260c42e19418fde5765a0a10ac6cd9e79933f30635db6446fea9592377fe8d81e82b73d6b6a2872ac5a71ffc0240d10400000009ea5c26acbd212177a820f21c5dd7be6f3407e32c1cf14d516f22e4d922509b5486b3c78443e69d0a96491ee675df7f0c46e8c31a55a5fe8ea1346918de2c8c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000009d9d226b157890112bbb8c16dc6e38f12dba144fac2a4ced9502139ae42b5280000000000e80000000020000200000003fe413f3d3af273c5e2b45dbf632448a19b8465d56434f0288811a6fa9e6759e2000000064e49bf9501097099d3bc6a3ae5e8598696fd033124a31cde44630dc4216574c400000005fc3f2713e8ccac8552da8f2b2f3598770a7bb68ecdc569ffa96657dec87c6789049a8cdd7251deacae90ac50589b3643cfdc363c019460446c15dd63e7c133f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424437482"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

svchost.exesvchost.exeiexplore.exesvchost.exesvchost.exe

pid process

2816 svchost.exe
1636 svchost.exe
2456 iexplore.exe
1736 svchost.exe
1324 svchost.exe
2456 iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid process

2948 IEXPLORE.EXE
396 IEXPLORE.EXE
1336 IEXPLORE.EXE
1216 IEXPLORE.EXE

pid	process
2948	IEXPLORE.EXE
396	IEXPLORE.EXE
1336	IEXPLORE.EXE
1216	IEXPLORE.EXE

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid	process
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe
1736	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2816	svchost.exe
Token: SeDebugPrivilege	1636	svchost.exe
Token: SeDebugPrivilege	1736	svchost.exe
Token: SeDebugPrivilege	1324	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2456 iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2456	iexplore.exe
2456	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2948 wrote to memory of 2816	2948	IEXPLORE.EXE	svchost.exe
PID 2948 wrote to memory of 2816	2948	IEXPLORE.EXE	svchost.exe
PID 2948 wrote to memory of 2816	2948	IEXPLORE.EXE	svchost.exe
PID 2948 wrote to memory of 2816	2948	IEXPLORE.EXE	svchost.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 384	2816	svchost.exe	wininit.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 392	2816	svchost.exe	csrss.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 432	2816	svchost.exe	winlogon.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 476	2816	svchost.exe	services.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 488	2816	svchost.exe	lsass.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 496	2816	svchost.exe	lsm.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 596	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe
PID 2816 wrote to memory of 676	2816	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1876

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:108

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1068

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2376

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2404

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a525671162868d43aacc3586a9d5f9c6_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:396

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275468 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:406544 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275482 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:2372627 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DF8F35DA3FE88BF3E4.TMP
Filesize
16KB

MD5
52f063db8a205c4843a02954cceae8ec

SHA1
49a75a7435cc459bea61fcbf3b40fbde59db4869

SHA256
7a0e9e21725ed4f7b084e3fbf9407ff463b61d2262f017715c86582607109dce

SHA512
264cd1ed7b53c1605dc1d14629b1e4cbf6854ee006626a5f3818b78ea77801990d4540a3c2ed2242ca4fa0b866c6bfb6396a1c1096fbc1703d97afe99244f57d

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
c25baafed6fd4a75f3954528e64f8d64

SHA1
372cbe86a3fefbc39338ecd8f80b5aa05ccf2a34

SHA256
ff96bd48cb454d39b1c62fc657e9540b66a7c0b7225184d0d747341fe835eb47

SHA512
c7f4482ff598187ce80537088030d482b22e81e16d65620bbcf50a169c8dde5d89cdeb353ed4fc039920250c42de8fed3eba406e1bb248e58df907d105776e6e

Download Submit
memory/1324-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1636-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1736-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-11-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/2816-10-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2816-9-0x000000007704F000-0x0000000077050000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads