ramnit | 2c2f76d39e83073e9e4fd4f557ebdf290e4bfc9e4d9573e1a0c8a97caf4b4110

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cbe8ce0bb5b3a23c919851b7831d0d_JaffaCakes118.html
Size

461KB
MD5

a8cbe8ce0bb5b3a23c919851b7831d0d
SHA1

3ca4c7f2af27a1ba0adb71b012bb680783943460
SHA256

2c2f76d39e83073e9e4fd4f557ebdf290e4bfc9e4d9573e1a0c8a97caf4b4110
SHA512

772936a68cb51c416e9cc5ce1eb554de2e058e1cd05792a957e4b01766b409285ea954ecfb8bbbfef5206b0bc228b85b2f7054e1710c50e499bc05cbe972183e
SSDEEP

6144:SpZsMYod+X3oI+YzklUNsMYod+X3oI+YksMYod+X3oI+YdsMYod+X3oI+YQ:Ql5d+X3z5d+X3o5d+X335d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exe

pid process

2524 svchost.exe
2664 DesktopLayer.exe
2440 svchost.exe
1228 FP_AX_CAB_INSTALLER64.exe
2992 svchost.exe
1612 svchost.exe
408 DesktopLayer.exe
Loads dropped DLL 6 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

1652 IEXPLORE.EXE
2524 svchost.exe
1652 IEXPLORE.EXE
1652 IEXPLORE.EXE
1652 IEXPLORE.EXE
1652 IEXPLORE.EXE

pid	process
2524	svchost.exe
2664	DesktopLayer.exe
2440	svchost.exe
1228	FP_AX_CAB_INSTALLER64.exe
2992	svchost.exe
1612	svchost.exe
408	DesktopLayer.exe

pid	process
1652	IEXPLORE.EXE
2524	svchost.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2524-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2664-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2440-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1612-145-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/408-147-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEFE.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px197A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1989.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF9A.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET194B.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET194B.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000bd41b4d7f56fe3521fd22d86ff80e5b38cd55e18223cd1ceae5287b583ea34dc000000000e8000000002000020000000d2ebef5ac0a84600e8aaa777aea2b5b36483da830a9595223f91f121b8ac372a2000000021503363900c340ccb0eceb225afd32aec36751042631ce8b0cd7d230ff9e04c4000000057ea6288d418495773c295d2a860d28a6b8bc293684c4190c9b50a49296e8e9e131f05c6b29a6d861a859470e0f5519ed53947fbea43c5f04195c1d890857b43	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d1ad4137beda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000008f7e26e5cc0bcda500c5c27e7388e17af1ae9cc0dc6a5e2b01dd79b012d63d77000000000e8000000002000020000000eb612522f8123e825a414f7cfaf8a506c905bacb2b5229036c09ee7ae82d582290000000108dbddc274c6dcd8cdad3e6bfdff77fd367038a7c7e3b33c22369a8f818be5f0a18c1debce468379aa044fd4a956a23a37859f4f2fbf3c186543fd8c56bd6d744337c6ade9c4fb8c830fe9068672f86a13486b779bd2ffbf5b17a87cff984efc888932b9552e40df0f316455cd4e356ca794a040fcb61345c9a62eefd08e2e5fa8504c23acb3c1bd50cf365c7c5595b40000000e50e0fa2bc5045ad4f156e45fa478cba7582063d9ecc86b22bd3d957abd4ab66c2a6ec38ee35a82a48b20b959fa8c05bde8f71ba907a4e2aa677e1c78e935789	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424516611"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C3E6E51-2A2A-11EF-A43E-62EADBC3072C} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

DesktopLayer.exesvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid	process
2664	DesktopLayer.exe
2664	DesktopLayer.exe
2664	DesktopLayer.exe
2664	DesktopLayer.exe
2440	svchost.exe
2440	svchost.exe
2440	svchost.exe
2440	svchost.exe
1228	FP_AX_CAB_INSTALLER64.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
1612	svchost.exe
408	DesktopLayer.exe
408	DesktopLayer.exe
408	DesktopLayer.exe
408	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE
Token: SeRestorePrivilege	1652	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

2372 iexplore.exe
2372 iexplore.exe
2372 iexplore.exe
2372 iexplore.exe
2372 iexplore.exe
2372 iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2372	iexplore.exe
2372	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
476	IEXPLORE.EXE
476	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
2372	iexplore.exe
2372	iexplore.exe
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2372 wrote to memory of 1652	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 1652	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 1652	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 1652	2372	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 2524	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2524	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2524	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2524	1652	IEXPLORE.EXE	svchost.exe
PID 2524 wrote to memory of 2664	2524	svchost.exe	DesktopLayer.exe
PID 2524 wrote to memory of 2664	2524	svchost.exe	DesktopLayer.exe
PID 2524 wrote to memory of 2664	2524	svchost.exe	DesktopLayer.exe
PID 2524 wrote to memory of 2664	2524	svchost.exe	DesktopLayer.exe
PID 2664 wrote to memory of 2656	2664	DesktopLayer.exe	iexplore.exe
PID 2664 wrote to memory of 2656	2664	DesktopLayer.exe	iexplore.exe
PID 2664 wrote to memory of 2656	2664	DesktopLayer.exe	iexplore.exe
PID 2664 wrote to memory of 2656	2664	DesktopLayer.exe	iexplore.exe
PID 2372 wrote to memory of 2424	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2424	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2424	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2424	2372	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 2440	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2440	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2440	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2440	1652	IEXPLORE.EXE	svchost.exe
PID 2440 wrote to memory of 2640	2440	svchost.exe	iexplore.exe
PID 2440 wrote to memory of 2640	2440	svchost.exe	iexplore.exe
PID 2440 wrote to memory of 2640	2440	svchost.exe	iexplore.exe
PID 2440 wrote to memory of 2640	2440	svchost.exe	iexplore.exe
PID 2372 wrote to memory of 2428	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2428	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2428	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2428	2372	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1652 wrote to memory of 1228	1652	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1228 wrote to memory of 588	1228	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1228 wrote to memory of 588	1228	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1228 wrote to memory of 588	1228	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1228 wrote to memory of 588	1228	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2372 wrote to memory of 476	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 476	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 476	2372	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 476	2372	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 2992	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2992	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2992	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 2992	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 1612	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 1612	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 1612	1652	IEXPLORE.EXE	svchost.exe
PID 1652 wrote to memory of 1612	1652	IEXPLORE.EXE	svchost.exe
PID 2992 wrote to memory of 408	2992	svchost.exe	DesktopLayer.exe
PID 2992 wrote to memory of 408	2992	svchost.exe	DesktopLayer.exe
PID 2992 wrote to memory of 408	2992	svchost.exe	DesktopLayer.exe
PID 2992 wrote to memory of 408	2992	svchost.exe	DesktopLayer.exe
PID 1612 wrote to memory of 2384	1612	svchost.exe	iexplore.exe
PID 1612 wrote to memory of 2384	1612	svchost.exe	iexplore.exe
PID 1612 wrote to memory of 2384	1612	svchost.exe	iexplore.exe
PID 1612 wrote to memory of 2384	1612	svchost.exe	iexplore.exe
PID 408 wrote to memory of 1056	408	DesktopLayer.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a8cbe8ce0bb5b3a23c919851b7831d0d_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2384

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275464 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275468 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:668683 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:476

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:603158 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
052db3caaf5a3f242de627d26b0b7e96

SHA1
edb787499db577394a62c1e88654759bbef2c11e

SHA256
2814c0c2eecd551ab20241695578956c017a5b447c9a8d5d440f4516b0471978

SHA512
b78539066107b3b8d71799cfc452e38f5ddf2c1a680c70066dddd7e63b6ec2e7b3705816715d11f576c9a24ce1f4d9e4c1f094524867c6abbdc8fb3344bde503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dcff52c8a11bcaed3f50a1d838452044

SHA1
009b86f59438d8f11c751b457addf1c32b215f02

SHA256
aa8d31387678d7d1999fffa79cc589f3383cafbd0677d3a88d53d15a33e93ecd

SHA512
a5f12c8128cd0b443ce6771c2fcae0f33b6557f18d7116848e84fcd0632ffa6de0098330834ee8df77106b08c8882b81f86d97aa6ce91cbfffc0fd37dc0bf55e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
624f6d48e47de5722948fdb4fa04bd6a

SHA1
0dbf98b0b889aabab1b911c5b30dc02fc87eb619

SHA256
2fb492abae32bee37550de5e60e9721ee8c636257cf85a0496b55cd646209886

SHA512
19f43358f9575e77e06948c2c40cb7019681b30a9467040197334be5408955ff49237b74dcf83e73eb17d6cfdba2089350004bfe29b23563d2565535e6c0749b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fb52ba1400e39c3ecd9e5bddac8cc2b9

SHA1
00b1836d1fee1d8db5f73af76fc63fa868837ac2

SHA256
8a17c1e3598347c54a12523cd0b5a88eaf97ad77e4f5fdd3f375f53013e23eda

SHA512
20bd0b0627a2afbaa6535ce2584bf90aaad5ed677ec836cc56b383c3a6fe6edc323235d3d58c0d3c4484a0e69986f689bcb9c0f023dc187cda6c6e316b978d64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dbddc5d9733951b412cb2dd0a966a144

SHA1
c495a8e0d1cb589be8f4c3f3b5446563208ca29f

SHA256
d9d6d6f80654ec9e486742a6fa72c4f5c49d68a88083f05c7d7133889523fb5f

SHA512
503b4dcad909b61889d05bc747145e5ca37ee31ef9282205574577d17340cd536742fda9dee0afb53dcbf478e99af85560eb6bcc4d59934ff5614dc99dd121c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
83bb08e0931ada45aa8a94b350c0c62e

SHA1
d120f7bbf2f5572af83efff6ef871e29cc6654be

SHA256
b51439f1f360597b2609742be4ff91d66840eeb7b9f5d84d4f859ad51b8c187e

SHA512
149fb9a972d7c7a754441d3eeae012cdfa0d890ef875e23c294a8960fa3f9ecb43697f55791b52914352ec8aded93bcb958cca4bb04b9e272141277aff883d48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
76fb9d2bd0f0695227ac36e94397009b

SHA1
b41ba695115ae64d25b5d7a31206111af5997da6

SHA256
9c569c3c2b314204c35c49b44cc0d198119d9557b0690c74e5340a199baa47a4

SHA512
54a8fcf8c4a2fbedb72f1dd01ebefc3710e8bb4055ced51e8c1ec1a2cf61302ecec047d11923d679c0ddaffd0354f4ea0a5eccb38097b08095b2720df63e3f69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
12d9738926304492828d10fa8589bb7e

SHA1
b44787fac54b4fe376f598d221f33bdaff377f00

SHA256
7b235530c057350022af84c93605476a13d74927a46a595ba9a193da04bf3006

SHA512
dba8557dff481efe2aa61d5008cdead5eba9169fea1e6855843f56d0c6a7da117e4f26d6a7fdc6961d45e4a28d9f4a3ea25581ce04983a41e39483c34d7c00d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b1f82a6ae9647ce2259499c8a38421c3

SHA1
49e252549c305822b886702e3a93fba005976080

SHA256
912fff98b285026ae9a7f1b240c9838c86ff65e2a044a0cf4891560757293203

SHA512
83cacfd1323df4485c81cf76761ef9c9735108366e1aa373985ba3bd258d84ca5d9f7b44c265543437feba52088b17be368664e57dbc3fbdb80fce9a6762e221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c0f167fcfa202e3de52fc0c275eb8ba7

SHA1
36bf3c91e1529f2de2b47cf1ea3cbc3420a51568

SHA256
cff39e50f8b089ca38b860196a22bd541048f7d204deb69d5b4b0d185a2d1d31

SHA512
0abca78b98d22e8a6cb1964e88da51493e76f5cf928159f44a18c00fa100947723574abbeec4ba141aadd387e6f4406447685dd9847ba103bdb6dee690f37550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
748de706e0877f50ace85d485dd6d570

SHA1
4aa3626ba6729dbb4b36621be6ee353d79fcfe38

SHA256
a5a18d1691677dc0300700bc6467e375ab080eeaaf0093852f8c15fb03587fbb

SHA512
97459f221bd29d76981a94cf508c3bbbe66a676bcebeb8e61d7b27f6b07bd5e86daf0b565bee314cb06cd735b0cbdc59a4d245f7f7928e4d41e55e983943b0fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fe19f998329a1ec6cd7bb21e6e83f0c3

SHA1
d9acec55fcc7d01e744efc2ca2946ed80d5e03fd

SHA256
a5e442f6e218673ae240461c1ff7639fe032d89e310ac1145117f935820a774e

SHA512
21bb7880e14992a2afff12f41c1643cc51d9cca4b572d89b6a57bd94d4e6dff99799e7abf8765e85b9ba047a21885cb5640af6fdcbce4bdbbf3ed187c14ac9fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c0a1b34db680423e4b39b635d9a67129

SHA1
4836fdf4f12cc1f23fe282171b0718dea058e058

SHA256
f4e2ddddd59381c040bf2310fb8baff26ee8167d4c80549678dd972f344ff656

SHA512
0cfb412ae767ab0da9bc86c7d78d30e6da04f1410fe1bf7ea72ec4de493a68a59e22a05eb6ad8776d22ce06e1b21cbffb1757290d0c38b0b40e0284bd7926669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e6d8fffc3a04c6ff46474c490671f00e

SHA1
9daeec11b1a076d49bbf6f9555ac69f06b3981b3

SHA256
098a109e11c75717621548caf0c674882fe204571a1ee8382abf109c5e69bab1

SHA512
55547964c313e6b5d477567804d49e5ad9affe15dca418efbb81fc0b98095d6a89f5070b1f043e2ae4b7b06489064796d4c417221292f98556a0d9fa5c5b0fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dee5c86063c3d3c96d9acc83d6e35b3e

SHA1
708ec9a249f267ad92c8dc3426f8422bdd3350e4

SHA256
6ee80a7d90acde397a08ea9520e17976e376b713b5d5c2fe7ec41ede961cdccf

SHA512
1f3eaba5845b71c3c2ab8efb2a4ffe2f660c619f28b03110a787c000f093e3cf74e4dc10b4f203dd6b1ceb6c7d454b34c63b7bbab80e348168253a65708dc12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
250a6c7a3edd3f6ab5c15d80dce5ff4e

SHA1
cc453e561c7c1fe56a0f65e360d9bb180f1520a1

SHA256
c53fdfcae8f4ef51254d0fa2df781ab4b4c926d3119e10c146ff1788e44a8b74

SHA512
3e117c5825677cc7f311a8d70c8957076fc5aa587b62347801d3bff4ba7826dfd305d4bc8e980e527498b0d22af469285b4c076a404178457a27f3da670bd29a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bbf3e50e64a10fe9679f87c2f34ad9f7

SHA1
79a33732bcbd91b14892c43404fbc549517a8bbb

SHA256
889c2e1556c3415f19913e28ef2477c95da8c9580dd5f67cd5f99ca8aad79e0c

SHA512
8904420b3e6d9604370f24fcc3ffccb10c7cd04eb5d13a92da4bbfba2c6434a8513f026aa22a59b52bc9643b6ae4d070939748856434012cd67b9ed7d9c822ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5f45f7bb4a6a72f260796a8efc33226a

SHA1
eb196c80bbb04c6f779af9c7180cacecc852adeb

SHA256
75dfc5949e57d1c81ec7d7d11b17514a3cabb9fe1523e05a33a78e03d3612703

SHA512
9c01421775b0010bf8775b870c96def00ab5d27b64904be8e8600814350be4a46d30b5ab09836e1fe8aa7e09d9c9595f374665e3b6660ce9d4376a4edf93fcd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
032c565a74cb4004b1ce00f407c7495c

SHA1
ce53d0d6413489da4208b7805dd03a0e8e1f0bdd

SHA256
00f8abc44800243595a9b6be21dc04e06c2006985e30b72c6a9002e33807dae8

SHA512
7ad41116a71ff46d2465859595a0f0de7aa55aa6db470792ccb6e8fdc377b6be5668d615017e043a3c025e810536cd12720d7a5cbf419c2d5e8716b435c78a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6028c991bf8a84c79695079611844488

SHA1
b5db3b29b01d91ca7c92419f1e68c5692dd2f441

SHA256
bdfbd21bd3c9258135c2971c18c6fb7776517f28f7d3970492166fe5db4194e7

SHA512
c458ad72c365411bf75217185aee022bb68d057764409bf84106b37c36be8fbcc5c5e66159a9f07bda3ec5fed12d1464d71ed908c2c41342d77376662395d5c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
43b0dcb2ad35f9ca771247841e9a6e9c

SHA1
b72f83d7147d6e90fa3a8f8183a3d34dc26e2026

SHA256
c611633ded532b76674aa64bd918a53f3e4175685b4ce6b3ffe8c84ab3e4c42f

SHA512
2d0fe7e081d1f7b5fca5f958874f8b572dfe82079ea7e09f10f87aa7725cd70daec0e89c616f187909586f2d76ad0be000d300ab80e181dce7ec3fe1bab9e6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DODQ7AEY\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1392.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1460.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/408-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1612-143-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1612-590-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1612-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2440-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2524-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2524-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2664-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2664-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download