Analysis
max time kernel: 118s
max time network: 134s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 16:07
Static task: static1
Behavioral task: behavioral1
  Sample: aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
Target: aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html
Size: 2.7MB
MD5: aa96a2aeb4016fcadca7c70faaf35676
SHA1: 4711dcc4d37d162a62b2e590bf86d993edba398c
SHA256: 5248d27ed0f12bf7e2410e0682dd84b02789d5cac5e8007216f4be1cac12b0d9
SHA512: c3ecc09395066fe050fb1d0e99000551f613687aeffc728d0721c035ba521b01cb1a0da2df1e182e005e359fab8a661142e13472b394aebd4e01aed978db356a
SSDEEP: 24576:K+aDHsJ+aDHs2+aDHsk+aDHs++aDHsz/+aDHs1:YS
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\sdl22BD.tmp | acprotect
Executes dropped EXE 7 IoCs
Processes: svchost.exe, DesktopLayer.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe
pid | process
2768 | svchost.exe
2696 | DesktopLayer.exe
2688 | svchost.exe
1856 | svchost.exe
340 | svchost.exe
2416 | svchost.exe
1248 | svchost.exe
Loads dropped DLL 16 IoCs
Processes: IEXPLORE.EXE, svchost.exe, DesktopLayer.exe, svchost.exe, svchost.exe, IEXPLORE.EXE, svchost.exe, svchost.exe, svchost.exe
pid | process
1720 | IEXPLORE.EXE
2768 | svchost.exe
2768 | svchost.exe
2696 | DesktopLayer.exe
1720 | IEXPLORE.EXE
2688 | svchost.exe
1720 | IEXPLORE.EXE
1720 | IEXPLORE.EXE
1856 | svchost.exe
2584 | IEXPLORE.EXE
340 | svchost.exe
2584 | IEXPLORE.EXE
1720 | IEXPLORE.EXE
2416 | svchost.exe
1720 | IEXPLORE.EXE
1248 | svchost.exe
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe | upx
behavioral1/memory/2768-6-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/2768-14-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/2696-23-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/2696-30-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/2688-40-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/340-50-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral1/memory/1856-55-0x0000000000400000-0x000000000042F000-memory.dmp | upx
Drops file in Program Files directory 13 IoCs
Processes: svchost.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\px2463.tmp | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px2482.tmp | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px23C7.tmp | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px24FF.tmp | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px22DD.tmp | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px24EF.tmp | svchost.exe
Processes: iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{330A2921-2A68-11EF-A490-4A2B752F9250} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424543123" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000dcedb416b21adb6823eb4a2a84063bfb07e379671d61a7fa869ac3b5c84802f4000000000e80000000020000200000002a07f6f06ca404ebc082a670b5b796611701a5f139e5257002a77be2b358576e20000000dfa11ef4fbdabe801209de427602478b265b24367fc44f9319f722ed859e8af14000000044c0ac2b6e49c9c7c55d18ff64fe80213fd573f7f6b12e1466dbb0a8140ef314bd90cb49c530294389da64b0cc17107274d73fb8d8ae91c2cd27619ee4cb1bbc | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1033010b75beda01 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000001e63fdfa0491bd19bca79ed0555cb3912b2beb23716719d7671c0af9ce7892cb000000000e8000000002000020000000de73e2d81e2fb1d845ea47d1b1ec4f2226c722d5bc30c89d564875dce6b8578f90000000d4c6417123c77939efe71b97abd4e2a0df0d976614aa683fc8f6147b84ee523c7a2fcaf607613dfed8b81194ca9d49ca9f8033609fa08495005bcb52de798a89d49aa42b37e2dc298fb8fb6c9a5c30bf96bfa87906f944580a3106959b60dc99d9cbefd8998b29652bd39fb965d53bd5603b121e227c9e91e81a81e3d80459db3677aa81b5126aad785bfbb243b09a4640000000592a0112ea769510e8f2aa140635c85da5f4d17d90e0670e03176a3f29fee2bac897146c683b9f3b0d595ae62a9983363b776a9140498d0a87cabe907d589be4 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: DesktopLayer.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe
pid | process
2696 | DesktopLayer.exe
2696 | DesktopLayer.exe
2696 | DesktopLayer.exe
2696 | DesktopLayer.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
2688 | svchost.exe
1856 | svchost.exe
1856 | svchost.exe
1856 | svchost.exe
1856 | svchost.exe
340 | svchost.exe
340 | svchost.exe
340 | svchost.exe
340 | svchost.exe
1248 | svchost.exe
1248 | svchost.exe
1248 | svchost.exe
1248 | svchost.exe
2416 | svchost.exe
2416 | svchost.exe
2416 | svchost.exe
2416 | svchost.exe
Suspicious use of FindShellTrayWindow 7 IoCs
Processes: iexplore.exe
pid | process
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
Suspicious use of SetWindowsHookEx 37 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, svchost.exe, DesktopLayer.exe, IEXPLORE.EXE, svchost.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
1748 | iexplore.exe
1748 | iexplore.exe
1720 | IEXPLORE.EXE
1720 | IEXPLORE.EXE
2768 | svchost.exe
2696 | DesktopLayer.exe
1748 | iexplore.exe
1748 | iexplore.exe
2584 | IEXPLORE.EXE
2584 | IEXPLORE.EXE
2688 | svchost.exe
1748 | iexplore.exe
1748 | iexplore.exe
1856 | svchost.exe
340 | svchost.exe
1748 | iexplore.exe
1748 | iexplore.exe
2416 | svchost.exe
1748 | iexplore.exe
1748 | iexplore.exe
1248 | svchost.exe
2820 | IEXPLORE.EXE
2820 | IEXPLORE.EXE
2820 | IEXPLORE.EXE
2820 | IEXPLORE.EXE
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
1748 | iexplore.exe
912 | IEXPLORE.EXE
912 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
2024 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, svchost.exe, DesktopLayer.exe, svchost.exe, svchost.exe, svchost.exe, svchost.exe
description | pid | process | target process
PID 1748 wrote to memory of 1720 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 1720 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 1720 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 1720 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1720 wrote to memory of 2768 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2768 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2768 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2768 | 1720 | IEXPLORE.EXE | svchost.exe
PID 2768 wrote to memory of 2696 | 2768 | svchost.exe | DesktopLayer.exe
PID 2768 wrote to memory of 2696 | 2768 | svchost.exe | DesktopLayer.exe
PID 2768 wrote to memory of 2696 | 2768 | svchost.exe | DesktopLayer.exe
PID 2768 wrote to memory of 2696 | 2768 | svchost.exe | DesktopLayer.exe
PID 2696 wrote to memory of 2576 | 2696 | DesktopLayer.exe | iexplore.exe
PID 2696 wrote to memory of 2576 | 2696 | DesktopLayer.exe | iexplore.exe
PID 2696 wrote to memory of 2576 | 2696 | DesktopLayer.exe | iexplore.exe
PID 2696 wrote to memory of 2576 | 2696 | DesktopLayer.exe | iexplore.exe
PID 1748 wrote to memory of 2584 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2584 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2584 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2584 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1720 wrote to memory of 2688 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2688 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2688 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2688 | 1720 | IEXPLORE.EXE | svchost.exe
PID 2688 wrote to memory of 860 | 2688 | svchost.exe | iexplore.exe
PID 2688 wrote to memory of 860 | 2688 | svchost.exe | iexplore.exe
PID 2688 wrote to memory of 860 | 2688 | svchost.exe | iexplore.exe
PID 2688 wrote to memory of 860 | 2688 | svchost.exe | iexplore.exe
PID 1748 wrote to memory of 2820 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2820 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2820 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 2820 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1720 wrote to memory of 1856 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1856 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1856 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1856 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 340 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 340 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 340 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 340 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1856 wrote to memory of 1088 | 1856 | svchost.exe | iexplore.exe
PID 1856 wrote to memory of 1088 | 1856 | svchost.exe | iexplore.exe
PID 1856 wrote to memory of 1088 | 1856 | svchost.exe | iexplore.exe
PID 1856 wrote to memory of 1088 | 1856 | svchost.exe | iexplore.exe
PID 340 wrote to memory of 1448 | 340 | svchost.exe | iexplore.exe
PID 340 wrote to memory of 1448 | 340 | svchost.exe | iexplore.exe
PID 340 wrote to memory of 1448 | 340 | svchost.exe | iexplore.exe
PID 340 wrote to memory of 1448 | 340 | svchost.exe | iexplore.exe
PID 1720 wrote to memory of 2416 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2416 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2416 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 2416 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1248 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1248 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1248 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1720 wrote to memory of 1248 | 1720 | IEXPLORE.EXE | svchost.exe
PID 1748 wrote to memory of 912 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 912 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 912 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1748 wrote to memory of 912 | 1748 | iexplore.exe | IEXPLORE.EXE
PID 1248 wrote to memory of 1820 | 1248 | svchost.exe | iexplore.exe
PID 1248 wrote to memory of 1820 | 1248 | svchost.exe | iexplore.exe
PID 1248 wrote to memory of 1820 | 1248 | svchost.exe | iexplore.exe
PID 1248 wrote to memory of 1820 | 1248 | svchost.exe | iexplore.exe
Processes
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\DesktopLayer.exe
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Program Files\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:209936 /prefetch:2
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:6566916 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:537608 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:668683 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8ebf393b6d61ecba9d159c04bb2f940a
  SHA1: e4f8570ebefbc90807de5414e9e228572f177fc9
  SHA256: 853c9562ccf683ee450bc8c45bd795bd262c78432ab1d65c60b52c6d3186196d
  SHA512: 8a855f4a2c87008659ce4d065aea24515d7b5f9aa965e0495054df66842e322f46a6194d8a9c33b3d221d5ae988b4b82cb2221a37a075b486cf6e3d32e5c0f68
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4eaf519179b770c005e6cccb0dbaf55f
  SHA1: e9ebf5b0f2ffe2ac99ced5079c6e03569761c100
  SHA256: e8d894a81d37d9183bfffc895da7bac784979cfc77032d9e9bcc09cf7bdd7aa4
  SHA512: 19e7ff208ceec440551648e32a432eb13ac0b1c5296d274c9257ac56f8fcf925b2d7e3e840c11f10aa0289f63d25387928cc63ca1a1dbb37bb75f4ce9e38bc51
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8eb83a7a387647d47aca432eee9d4b8d
  SHA1: 45cdc2549ba96968e103e350db15b34b30a8742f
  SHA256: 9c657178d1484e074a4267fea38bfc26454da9b6031846d1edaf5bded46947bc
  SHA512: eba0efcbff0ef76dc9f680d2e1e1280d659e7eb25219253e8ae282914e73936fe585db9eb20ef15758d74710172d89f9c6e42f1a938bc23112c705bedf57d390
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 23024b4a0aa07effb9d49152dde841b3
  SHA1: 443a6ff973b0c43a2eeca1e24e67f4a051e1d732
  SHA256: 29dd02251dea68db1de92d414a45b4a610810818ec6b125ba3a0a4e39a61a9c6
  SHA512: 181c1a1221a4a575db673c79418b6840e52345f864cef2798656314b3c14de84f7f9751292db4ec5fa838148fe5a551b0fed663c346a0e1c50059fdcbed449f1
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c3c29107087716cf00bb11b0749d74a6
  SHA1: 0cc8aafdd50dae1a46ff2f790d999d6b634c9599
  SHA256: 5a040998edc48c2e9ece20bd74441ce441b97c3ca86204a04db1fe452a3b1bf1
  SHA512: 173184453b63f59028b362018eb76715a473c19114ab0e8c30e75b5aa96086634eecb59be8ee55bdc7c7ab79208c831102b43df0be6eff64fadc60c6aed85e75
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ca54c2eec669a3563654881e85f0bf82
  SHA1: 4490a022529d1cd403d37a6a6f0783d916797b5d
  SHA256: 756980946502e4df51c89d697aef101ef707b21ead35b257fad5d70e01786cbf
  SHA512: 765d788a9c4c41dcc4bdd1898c123383ce16c429e3f73ec720106c2f4dc0831439e3d0ec240e71ad63dd653e1517e2b46ad6fad645b7f37d3d82edd24f8673e7
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c4c1be40d33e14891880d2d5ab41bed4
  SHA1: 47486e76ea5ae5c1b022cae6f2248544ac499095
  SHA256: 0abbd0af6c42b1d5efd0eb101a98be786b3927fa7be748c97cd5183b10f770af
  SHA512: a72ea8ee12584acea1da0f9b8795f5a97fa2310a2a3679ed70dba36430c0e2d6ab7cb7b11d76cd9477fcb04314853199f862399f06a48aac7df92d531b3fe8b9
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 54e1f93948f5bc4152ac7a048b65c37a
  SHA1: 6d553fc2891b5dbd76fb5adbe8e212b41eae88ad
  SHA256: 267dcfe87d943aa7bce9adbebd6dbabed5ee7ab4597f7a22b33635b261cb0eef
  SHA512: f0e1c5123587b58ae49abfa294b72ffc1fbc08cc114b6130989ab322268fb7a947a00d2b1158ce920a505c27156c19acb7babd8deb93aab13bd3bb0874dc73a0
C:\Users\Admin\AppData\Local\Temp\CabC62.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
C:\Users\Admin\AppData\Local\Temp\Tar1921.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
\Users\Admin\AppData\Local\Temp\sdl22BD.tmp
  Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 228KB
  MD5: e9c85c499f6b7c7e91a44567f27ecd68
  SHA1: 6f89d9176e58f04c3cd48669f7a0b83660642379
  SHA256: f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d
  SHA512: dd40f713857e9c574e5d34dd292d17fbb94a38c1f1d7f2cf90e043b713c42358d74327e403d3617f5985fbafd35d90c24fbfbeb97cd95a02224a24d75396a5e5
memory/340-64-0x00000000002A0000-0x0000000000313000-memory.dmp
  Filesize: 460KB
memory/340-50-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/340-67-0x00000000002A0000-0x0000000000313000-memory.dmp
  Filesize: 460KB
memory/340-60-0x0000000000270000-0x0000000000271000-memory.dmp
  Filesize: 4KB
memory/1248-82-0x0000000000290000-0x0000000000303000-memory.dmp
  Filesize: 460KB
memory/1856-61-0x00000000002D0000-0x0000000000343000-memory.dmp
  Filesize: 460KB
memory/1856-55-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/1856-49-0x00000000002D0000-0x0000000000343000-memory.dmp
  Filesize: 460KB
memory/1856-54-0x0000000000380000-0x0000000000381000-memory.dmp
  Filesize: 4KB
memory/2416-86-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2416-73-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2416-83-0x0000000000370000-0x0000000000371000-memory.dmp
  Filesize: 4KB
memory/2688-37-0x0000000000300000-0x0000000000301000-memory.dmp
  Filesize: 4KB
memory/2688-41-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2688-40-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/2696-27-0x00000000002F0000-0x00000000002F1000-memory.dmp
  Filesize: 4KB
memory/2696-30-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/2696-31-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2696-23-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/2768-20-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2768-13-0x0000000000370000-0x000000000037F000-memory.dmp
  Filesize: 60KB
memory/2768-14-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/2768-11-0x0000000000230000-0x00000000002A3000-memory.dmp
  Filesize: 460KB
memory/2768-6-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB