ramnit | 96949441b68e28c71f0f09a3e6b76ed757720e1705fdb69946c3010b423afb30

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8067dd27c458b1570ee6ab91f5949e8_JaffaCakes118.html
Size

685KB
MD5

a8067dd27c458b1570ee6ab91f5949e8
SHA1

92c82017854fbccafdef88175bace6839e950c37
SHA256

96949441b68e28c71f0f09a3e6b76ed757720e1705fdb69946c3010b423afb30
SHA512

95694a167e1cbf291e03b7d7a179e48b56f8f6ee978d7d56cf4294d5f711ac473549dbc9b1596daa8dbb754404e0c513c2ad7a27582b6e579f7c1acd325fc20d
SSDEEP

12288:IY5d+X345d+X3t5d+X3s5d+X3D5d+X345d+X3+:IS+S+x+u+7+S+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

pid	Process
1304	svchost.exe
2520	DesktopLayer.exe
2548	svchost.exe
264	svchost.exe
756	svchost.exe
2836	svchost.exe
2156	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
3036	IEXPLORE.EXE
1304	svchost.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015c83-2.dat	upx
behavioral1/memory/1304-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1304-12-0x00000000001D0000-0x00000000001FE000-memory.dmp	upx
behavioral1/memory/2520-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/264-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/756-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2836-39-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px63B3.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6519.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6567.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px624C.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px646E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px64BC.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a58daf14beda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424501737"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA06F751-2A07-11EF-AC4C-424EC277AA72} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000f24314ddda1739f09343d32cc5ee1a69c23e3431ae1ec76b451f0a9f5e9f81d1000000000e8000000002000020000000ccfb7689101adde433678ee3d2094b9e315191af09e85a3379c2adffb6b4cb8f90000000252a1e650a7b7e1ccf9702485f36ef301157dc883469d1603f39032fe4d380970e6abe0eba46e7b98874d0cc2fb8e6a37ac7e4b438b857dd6401e982901d2adee5e03fa70698ca3875a3e4f9f14008fb4545cb6f270d1d7c8f019031a6826e6c3030eea756238e974d5afc5de99d161bc7c3ac6cd9c8e488bf461fd7d2a57b121540ca67b60f2f7b0fe93f717997978a4000000054c1932e81cfae2f3f882a9d5fce81ffbb96f4144f8e339d6efb564b83e21f374568e8ee0b4685396ebd2b23a28be9b77045fd1c1c28c8526fa90e61cb813de3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000003badf0d165bf794471f5260bd23f4095c98dbf9ee22a8c506552fe32f0c4c195000000000e800000000200002000000004a51f0913f9204bc7d3554fba3f93b9c7d9755d2a0474f9bb4e142745e1958820000000d630c92b872e9e00d4e45660fd0464836dcf6e9d19210c8468771ff88df0726e4000000083b7ff0b94bf3374590fddb6b3b717828b502cc1b45d3ebe506f43c5d7adf883bad612ea73f3d8931ebb3a32b4a3aa7e17faa3e5022385e4db69ddf5bf1f031f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
264	svchost.exe
264	svchost.exe
264	svchost.exe
264	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe
2156	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2140	iexplore.exe
2140	iexplore.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
2140	iexplore.exe
2140	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2140	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3036	2140	iexplore.exe	28
PID 2140 wrote to memory of 3036	2140	iexplore.exe	28
PID 2140 wrote to memory of 3036	2140	iexplore.exe	28
PID 2140 wrote to memory of 3036	2140	iexplore.exe	28
PID 3036 wrote to memory of 1304	3036	IEXPLORE.EXE	29
PID 3036 wrote to memory of 1304	3036	IEXPLORE.EXE	29
PID 3036 wrote to memory of 1304	3036	IEXPLORE.EXE	29
PID 3036 wrote to memory of 1304	3036	IEXPLORE.EXE	29
PID 1304 wrote to memory of 2520	1304	svchost.exe	30
PID 1304 wrote to memory of 2520	1304	svchost.exe	30
PID 1304 wrote to memory of 2520	1304	svchost.exe	30
PID 1304 wrote to memory of 2520	1304	svchost.exe	30
PID 2520 wrote to memory of 2620	2520	DesktopLayer.exe	31
PID 2520 wrote to memory of 2620	2520	DesktopLayer.exe	31
PID 2520 wrote to memory of 2620	2520	DesktopLayer.exe	31
PID 2520 wrote to memory of 2620	2520	DesktopLayer.exe	31
PID 2140 wrote to memory of 2596	2140	iexplore.exe	32
PID 2140 wrote to memory of 2596	2140	iexplore.exe	32
PID 2140 wrote to memory of 2596	2140	iexplore.exe	32
PID 2140 wrote to memory of 2596	2140	iexplore.exe	32
PID 3036 wrote to memory of 2548	3036	IEXPLORE.EXE	33
PID 3036 wrote to memory of 2548	3036	IEXPLORE.EXE	33
PID 3036 wrote to memory of 2548	3036	IEXPLORE.EXE	33
PID 3036 wrote to memory of 2548	3036	IEXPLORE.EXE	33
PID 2548 wrote to memory of 2164	2548	svchost.exe	34
PID 2548 wrote to memory of 2164	2548	svchost.exe	34
PID 2548 wrote to memory of 2164	2548	svchost.exe	34
PID 2548 wrote to memory of 2164	2548	svchost.exe	34
PID 2140 wrote to memory of 2168	2140	iexplore.exe	35
PID 2140 wrote to memory of 2168	2140	iexplore.exe	35
PID 2140 wrote to memory of 2168	2140	iexplore.exe	35
PID 2140 wrote to memory of 2168	2140	iexplore.exe	35
PID 3036 wrote to memory of 264	3036	IEXPLORE.EXE	36
PID 3036 wrote to memory of 264	3036	IEXPLORE.EXE	36
PID 3036 wrote to memory of 264	3036	IEXPLORE.EXE	36
PID 3036 wrote to memory of 264	3036	IEXPLORE.EXE	36
PID 264 wrote to memory of 664	264	svchost.exe	37
PID 264 wrote to memory of 664	264	svchost.exe	37
PID 264 wrote to memory of 664	264	svchost.exe	37
PID 264 wrote to memory of 664	264	svchost.exe	37
PID 3036 wrote to memory of 756	3036	IEXPLORE.EXE	38
PID 3036 wrote to memory of 756	3036	IEXPLORE.EXE	38
PID 3036 wrote to memory of 756	3036	IEXPLORE.EXE	38
PID 3036 wrote to memory of 756	3036	IEXPLORE.EXE	38
PID 756 wrote to memory of 864	756	svchost.exe	39
PID 756 wrote to memory of 864	756	svchost.exe	39
PID 756 wrote to memory of 864	756	svchost.exe	39
PID 756 wrote to memory of 864	756	svchost.exe	39
PID 2140 wrote to memory of 2584	2140	iexplore.exe	40
PID 2140 wrote to memory of 2584	2140	iexplore.exe	40
PID 2140 wrote to memory of 2584	2140	iexplore.exe	40
PID 2140 wrote to memory of 2584	2140	iexplore.exe	40
PID 3036 wrote to memory of 2836	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 2836	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 2836	3036	IEXPLORE.EXE	41
PID 3036 wrote to memory of 2836	3036	IEXPLORE.EXE	41
PID 2836 wrote to memory of 2288	2836	svchost.exe	42
PID 2836 wrote to memory of 2288	2836	svchost.exe	42
PID 2836 wrote to memory of 2288	2836	svchost.exe	42
PID 2836 wrote to memory of 2288	2836	svchost.exe	42
PID 3036 wrote to memory of 2156	3036	IEXPLORE.EXE	43
PID 3036 wrote to memory of 2156	3036	IEXPLORE.EXE	43
PID 3036 wrote to memory of 2156	3036	IEXPLORE.EXE	43
PID 3036 wrote to memory of 2156	3036	IEXPLORE.EXE	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a8067dd27c458b1570ee6ab91f5949e8_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2620
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2164
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275464 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:6173699 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:537606 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2584
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:7943170 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:7746562 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d47543a327f352986bee67723dfd084b

SHA1
28a838568989e6b223fadc84f9b781891d9dfc01

SHA256
0732c95161496ad7dc54295f865b0fc32af85e7e58658bb8699c540e44156790

SHA512
4d34ec1a61549e78f8375d51020bb1ffa79a2f99e5a09f9f9a92878b41655afa2fb96e4f5b72e651576e23b8d516f842372ce40e81197ac3fdf771c7198fa08a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
144498ad22144720ec635c9506f98877

SHA1
2b4c3851cc1d2b4550e336bbb29cd53e50c1f2ac

SHA256
d7ca6c32c138971e439b033c23bba9e9d661edd03678c93d2d47f012d54f00da

SHA512
3c3b85ba75e8abf647f05aa9b513cc293959c4c2ac888a5377312d5514b6e40a1a974372d1a7c96047d44edf94f8fff255ed8513e448800ecb70325f64772df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ed1f3d94e0ed0db06621128904df8a

SHA1
3329bc0d40ef3a85e36f237a94f10a35cf208143

SHA256
05e4ad49019d574b84c0743ce4fddbf969185b5349e64e58842ddb6ccd8b91be

SHA512
a9c4edbf31f63fd1c01212650cd08246e2770c51133af09004329e2d4404252cd958ed83994efa84c2e1cf30bb0cd53da1b0d3cd81db8a48b1b9ae601760cce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa52824392c330982d7cc8e95dbfd398

SHA1
4cfcb78e872404d618db898896e84df7b2245c6b

SHA256
e799e4eed48101bfb0e7c156d1933c7de026d5283998b33a08590d24f4463ab3

SHA512
7b07b80b1c6d96630c04a709539611289ad253f86b9a6bcaa67a59d87c6d4e0d655566c149b9412e9329c5ac372170f9e2eb9d40e5f8355ea65b0bd77c1d1fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e147e2451ddf9b346d21f38b8c693f5

SHA1
734c4435986eb44d2cffc8c6a30b5581e3176000

SHA256
dc973cec312619d79a4d293c1c54a32de31ca20ff4c69459140f05fe20f54220

SHA512
a854e323bbaf7473c9af8576d62a33f715571badc2b38c4bd15e1427617d9c5e8a84986ade35299cef5b310406ab9710d05e04c9699621ed52149a31182cf363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22de25e8bb07e83deedd3aa401ffe56

SHA1
27caaf7d6f9783f752779523d6aec95e04680f2f

SHA256
3b72bb0208d59686f445fdc0a7188576b414c53917dca6f731f97518df7ed1b3

SHA512
6201900476e99326049337f0690abd5b02c4fc9b431cc388f8280bcee64b645be47560a62a5316620e420013b8619429bc9f0afcbc48ff1c4c725de44ff8b335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
922512f7a47485708e8454843e6c5ed4

SHA1
d25d16f1e26549ecb6ecdae8294e5eab91d78cb8

SHA256
3b33643816c71125751e8f6a4552b45bb1247db56aa19b8315706317957b91b9

SHA512
598a4f36fc0e9bef2595e60356807db6f2a97da6cb36c13db22c450bbc9c79e7cb52ee56fa275b1e16c58274b6c48c889d55f0362377ec062ba5edfa326c4e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e984cc1b6a9c3cc50fb6d0d1243295d

SHA1
64497ff913cecb6c0d16130c516986c2e78e7cdd

SHA256
49dcf4edda1b30044c3267214d943848c60458ce693e4597f62cd2b06b14476c

SHA512
8234ae25342b6f88273eee0b749c311bff6bf5190bc4ea7480e00f643c7c73dd19f7d75f13f47dafe03c45a7040a150babdb767dd528435ccc302cbda1084be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5DF8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E8A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/264-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/264-29-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/756-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1304-12-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/1304-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1304-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2520-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2520-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2548-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2548-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2548-24-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2548-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2836-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download