ramnit | 49fa03aab1599f342e9b03bad2ca35fcd338283efff3ad606d9ff4b17988db33

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a88ad8935b82436f70bd67eebee5ae95_JaffaCakes118.html
Size

567KB
MD5

a88ad8935b82436f70bd67eebee5ae95
SHA1

2fd2083d78c7610cb8244c2c179e44ed6244bef4
SHA256

49fa03aab1599f342e9b03bad2ca35fcd338283efff3ad606d9ff4b17988db33
SHA512

68a473d39d12ccbebf67dbaab40edceee23ac4480a72e052620943ad5554fc9b672a96aa7e4f2e47e1a0fbac6ed6668e08307c4ee9cc7413870df964f6506b7a
SSDEEP

12288:Cc5d+X3jn5d+X3Z5d+X3B5d+X3O5d+X3+:Ce+D+V+9+M+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2360 svchost.exe
2744 DesktopLayer.exe
2540 svchost.exe
2936 svchost.exe
2972 svchost.exe
1772 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2244 IEXPLORE.EXE
2360 svchost.exe
2244 IEXPLORE.EXE
2244 IEXPLORE.EXE
2244 IEXPLORE.EXE
2244 IEXPLORE.EXE

pid	process
2360	svchost.exe
2744	DesktopLayer.exe
2540	svchost.exe
2936	svchost.exe
2972	svchost.exe
1772	svchost.exe

pid	process
2244	IEXPLORE.EXE
2360	svchost.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2360-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2360-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2744-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2540-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2540-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2540-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2936-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1772-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2349.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px23C6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px23F5.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22AD.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2397.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0159c382dbeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63D329F1-2A20-11EF-9DC1-C63262D56B5F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000cb0343661500d12b51b1f858f0a0a92ef8b3b1b6e6277ab7e06c8479b137f77d000000000e80000000020000200000008b6f83b61c5b7a81fdafade96b11533a6dc599e829f795c662cf77a7bd4ff93a200000004fd8cf729f53b2f44bca9deac38f51f65c4491ed5b513ee855acb804dcbb597a40000000b47c7141a8311bee10c6907c46026d95461cf6938dae41d385437885c6a6d5fabfe9dbce627c10b3a26bce5d78f2dc51a3799f916171592ea798285ef5411656	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424512275"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000000da8f4567fbe9ecc034c28f06dda421c7ef596fe9735dda3908b19a60fcbf6fb000000000e8000000002000020000000bbd794146a7f19a4b1d6673f4940631978a3120bf66d4c4a923da69aeb5211be90000000bf9987856dd3f2c1a3709d1318e5d6d5d77714f355fcfe1d7a23c9bc6d9db014a1a205876ce16c10dd20e4cdfc03574104e8700aaf929c6d402a9f44046f1db836c1e691a9c5935b442ae88c616308ddb6f523393d7c6042374bd8e5d2e76296f9a42fd45c418925cb3cbdf4a2fa5b7d16c02f4e59c920b70c66086d8d5068b34bd79287e7f7e6cceee6c01f5d0e9480400000005e42802da8daa871dfcb08fdf03cb6e79b8d5c34da87ae63ddd80730e6a951b9c73f478855f713303caaaa699eb13f260973528bd7fe4bcaefda192d1f679901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

1792 iexplore.exe
1792 iexplore.exe
1792 iexplore.exe
1792 iexplore.exe
1792 iexplore.exe
1792 iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1792	iexplore.exe
1792	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
1792	iexplore.exe
1792	iexplore.exe
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
1792	iexplore.exe
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1792 wrote to memory of 2244	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2244	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2244	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2244	1792	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 2360	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2360	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2360	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2360	2244	IEXPLORE.EXE	svchost.exe
PID 2360 wrote to memory of 2744	2360	svchost.exe	DesktopLayer.exe
PID 2360 wrote to memory of 2744	2360	svchost.exe	DesktopLayer.exe
PID 2360 wrote to memory of 2744	2360	svchost.exe	DesktopLayer.exe
PID 2360 wrote to memory of 2744	2360	svchost.exe	DesktopLayer.exe
PID 2744 wrote to memory of 2636	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2636	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2636	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2636	2744	DesktopLayer.exe	iexplore.exe
PID 1792 wrote to memory of 2372	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2372	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2372	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2372	1792	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 2540	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2540	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2540	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2540	2244	IEXPLORE.EXE	svchost.exe
PID 2540 wrote to memory of 2676	2540	svchost.exe	iexplore.exe
PID 2540 wrote to memory of 2676	2540	svchost.exe	iexplore.exe
PID 2540 wrote to memory of 2676	2540	svchost.exe	iexplore.exe
PID 2540 wrote to memory of 2676	2540	svchost.exe	iexplore.exe
PID 1792 wrote to memory of 2556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 2556	1792	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 2936	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2936	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2936	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2936	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2972	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2972	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2972	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 2972	2244	IEXPLORE.EXE	svchost.exe
PID 2936 wrote to memory of 2004	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2004	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2004	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2004	2936	svchost.exe	iexplore.exe
PID 2972 wrote to memory of 800	2972	svchost.exe	iexplore.exe
PID 2972 wrote to memory of 800	2972	svchost.exe	iexplore.exe
PID 2972 wrote to memory of 800	2972	svchost.exe	iexplore.exe
PID 2972 wrote to memory of 800	2972	svchost.exe	iexplore.exe
PID 2244 wrote to memory of 1772	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 1772	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 1772	2244	IEXPLORE.EXE	svchost.exe
PID 2244 wrote to memory of 1772	2244	IEXPLORE.EXE	svchost.exe
PID 1772 wrote to memory of 2232	1772	svchost.exe	iexplore.exe
PID 1772 wrote to memory of 2232	1772	svchost.exe	iexplore.exe
PID 1772 wrote to memory of 2232	1772	svchost.exe	iexplore.exe
PID 1772 wrote to memory of 2232	1772	svchost.exe	iexplore.exe
PID 1792 wrote to memory of 1744	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1744	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1744	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1744	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1832	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1832	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1832	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 1832	1792	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a88ad8935b82436f70bd67eebee5ae95_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275464 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:603139 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:6566913 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:6763522 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b3c82f671623113098dfb1935e8fbf5f

SHA1
975368c852e56f62dfb88a6160e8428cdfcd5a69

SHA256
25629736bf70d0ff8acace96970c5a8353daadfc43ba5c4889f150ed218f5a9e

SHA512
27569e26aef8de067c41c8738a7b62750ac4e1367bbf6dab790e083793477bfab3d6713a6339009c434269ce99d693262552a6039509f10d2696643bb3162d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e786c7c3f19e926072adaa1e125c21a1

SHA1
54f28ea2cc4c543e90f9371812c68f2940222666

SHA256
da8c6abb4047546e8f811c44501802f2121120ae2849ca125013599fddc7f99c

SHA512
b1f3399229d3a8bb0b5f1f3cd24e000641400685befb4879ed0db85df573bc86443c0983fd7539d6d7a2ef345eaf261aef0332a41ccc100960917605143bb650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
135c98278bdb62e24fb0a79f4e40b038

SHA1
6da9a3d6d0f644d58ad5a5f8da02de06792c4d67

SHA256
70ca5cbb1e509e216bad9c8c6135da4e2727216b02cc48a9e8df8224b761cf70

SHA512
78e7b06c7e88710cde27c90bdfd89bc920be3ceccc359c8ae5474e42bfd5e4cc5281839120a7d55430fbb52292068bfee72b01dfb9da31a927f7c154b890be66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
534790bd374622c2c85963a58d35250b

SHA1
20d70bb158055343a80f0603c5d2c6203755bf7d

SHA256
65648f5bb298642fc56ac7b07a49285969862efc2aa4951ffb899d8361e7b7db

SHA512
f06b9ab4f12d225d08a8102a5cdabe3e90b1338236ef70060762dd682d8e6108d05f4ae7468f4dcf9a124b669e1f6ffd7f5f79ec2ed5664d1afcd10cb11ccb91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1b632ad255fb9fc9e45ec0ec590cb252

SHA1
3e98ab596beebcd4c9e1251bbf8dbba4ed192287

SHA256
1208ba7ce9c6bd70a779aa82966fb981823df0d22698a4262c7d9afb5b7653f1

SHA512
d416c7e3b7b4453d9a13b6dbd92ce2b65fbaf5d6410af0bcd906b7a4b7083fe0e901f780fa1b57866fe62d17c59198bd59ded55ad44603e4dac8bf9aa3655d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cee966e05245345fa7ec1d2fe29560f3

SHA1
9119c0aeac4910bd69e9401ddf00a943ffbf4828

SHA256
43a432413f77972944041d13a16e3e1d059778016e272c46ed6d1b1e507a282a

SHA512
8d5b972e7bdf9e194f92c5bea40b946c0d0b46dd9b72e3f9766276b96a383e0da50e741609a9fbccba0a8f5d442cf4259db425b0bdb8c4fa34cdc6843af991f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
57bbc099d21cd3643aa3cc9086dc804a

SHA1
ea91a7d1c8119e081b5a1a2be2a7e3735338ac93

SHA256
15dfc6bc6767824ae472802384bbd95a81edf3a5a9ae104bfe2835453d9e204a

SHA512
a40172aacff924df2340d2a1a3347da1d30829b7ded0557a75944919d045704842c2e394801308f1fb36002b67e1e854971ccd258786de40a8983dbd2cee679b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b541c0066345d1b2970ff6d43c785d2

SHA1
ff6f23022c40381a4e82d69341ee7688d3918053

SHA256
ed8734642432eaa5dc844d3547405bb155636e7071a686b146c5d441e5e63b80

SHA512
e36aaca606decbd95963c9cfe39d02d1aab6b87c6bf66218844e769ce26cf27e517b218ccf885ecb2faed443242fccb6faad232ae233d337d2a7eddb2e158c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
520a5e50c5250128887b7c275ddbb336

SHA1
6a40fdba16cb738df46bf98d4308cedd62851fe2

SHA256
c3671776fbda16014c0be7af802e6970d2fa1896512f0c43c43c0404323ae7f4

SHA512
4f35738397e598407f66073ce9df8293f10e826d629582aabbc3831f4cb64e0f9405c87272692e798b41d82a4844814f4b877b28120f2ea341a7a2bf150f7611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
803de707be5078e81d02333733e2c863

SHA1
ba27de479af67f2a522b14bb1593bfd7f8a329aa

SHA256
d7373ff20b92358c487504862b3ea4d59ca68de1ad7101ae5264eb4d252d86fa

SHA512
9e52a710062249246c65bc0b09712025d2df2c608e3f86b733118b7c64724705c1627199599edda9e18b44b1147312b8d9017f2d946b0803d090df4a41ba9297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
681f1bf74930398e2a232fb3f58845af

SHA1
90f021f2974e3ac2f9eb5f2851bd3043a9aeb795

SHA256
35b53c8e518b2608aa835b93baf8b5fcc3b6f7280d415c6cd08f96aac4cf14f3

SHA512
e105b2ff499e9381ea044c9ae3364d059b822ee5c20fa544402c6a888604ad4c8832771892b4023771da87fe508d0c1266b4b6775e0646234eb7f5b354e5b8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B20.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D45.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1772-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2360-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2360-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2360-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2540-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-17-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2936-30-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2936-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download