ramnit | 4722992ce6a434bca9b801180021fdbde0df87388ca95e9ee70e07477f4dda83

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5c07f59e5323d42968bfed01defd05_JaffaCakes118.html
Size

568KB
MD5

af5c07f59e5323d42968bfed01defd05
SHA1

96f8243111a87c770df973228b9c5c56d31a8cdd
SHA256

4722992ce6a434bca9b801180021fdbde0df87388ca95e9ee70e07477f4dda83
SHA512

7a12be5094f29ddb46d6ac7303eac2054ab20a756f4c9987c57298036c6364de9b64e89e75d603dab428dd10b6cedb42e7685a0376a857c467ced5a708014e5e
SSDEEP

6144:SPWsMYod+X3oI+YZsMYod+X3oI+YtsMYod+X3oI+YXsMYod+X3oI+YOsMYod+X3+:205d+X3r5d+X3f5d+X395d+X3i5d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

pid	Process
2448	svchost.exe
2792	DesktopLayer.exe
2784	svchost.exe
1212	svchost.exe
2036	svchost.exe
2540	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2448	svchost.exe
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015b85-2.dat	upx
behavioral1/memory/2448-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2792-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2784-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2792-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2036-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px190C.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1999.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px19C8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px19F6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px18ED.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424631186"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40404E81-2B35-11EF-BF32-6ACBDECABE1A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000959622a28550b57f3e910e453e71b9984efa569b87d0dc6da8e102873a2bf850000000000e80000000020000200000003fc7686b1dad0e65225c596090160019bd3c22685ac772a85d6539721da7ddbd20000000bf49159233ba8ae98f90b8683608c9377688401d726bd20c11875f389117a1ce4000000055796f9b3f04434b7813c659040e3c1875042fb3f8ba146ef6bef182e69686a1fb397f77eebb2e5dc4f00d52f5b816a922b29822065409fb6901868631dc18fd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000003847e01c4746b88dd469c4401369587de87a740a6df75d2c561ff2d89127901d000000000e80000000020000200000005e2f1d2b0af06dfb969d10570a169a49be7c70e4c39077477d992812a0bdc38490000000ccedefc318c01d94eec709fa894b5f86974e08b295a12a2a2f16e0e4a72e18f72be09da66770604cff7025caa38895e41d71052e4bc3968b46600cdb4d60f492c22984bae2f570bdc98c6e9973a50381d2323dc5a17468fe37f1b4c9feca23047f8c66c4f78fb223d4eda1700612dae5fd68a064f16cf78fafc54f82f5a2edfd9d776781863c980c93dad83efc8a71c0400000006acdb059907e6817e5b20b2c29ccb64cd46a6a759358aec350b1cee6c6bb2c72c4bcb1d810600b58c4bfac8c05b9032ed50c8f62768d73e5dc5d58add31bddc2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f5fc1442bfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2784	svchost.exe
2784	svchost.exe
2792	DesktopLayer.exe
2792	DesktopLayer.exe
2784	svchost.exe
2792	DesktopLayer.exe
2784	svchost.exe
2792	DesktopLayer.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
2036	svchost.exe
2036	svchost.exe
2036	svchost.exe
2036	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1216	iexplore.exe
1216	iexplore.exe
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1216	iexplore.exe
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2444	1216	iexplore.exe	28
PID 1216 wrote to memory of 2444	1216	iexplore.exe	28
PID 1216 wrote to memory of 2444	1216	iexplore.exe	28
PID 1216 wrote to memory of 2444	1216	iexplore.exe	28
PID 2444 wrote to memory of 2448	2444	IEXPLORE.EXE	29
PID 2444 wrote to memory of 2448	2444	IEXPLORE.EXE	29
PID 2444 wrote to memory of 2448	2444	IEXPLORE.EXE	29
PID 2444 wrote to memory of 2448	2444	IEXPLORE.EXE	29
PID 2448 wrote to memory of 2792	2448	svchost.exe	31
PID 2448 wrote to memory of 2792	2448	svchost.exe	31
PID 2448 wrote to memory of 2792	2448	svchost.exe	31
PID 2448 wrote to memory of 2792	2448	svchost.exe	31
PID 2444 wrote to memory of 2784	2444	IEXPLORE.EXE	30
PID 2444 wrote to memory of 2784	2444	IEXPLORE.EXE	30
PID 2444 wrote to memory of 2784	2444	IEXPLORE.EXE	30
PID 2444 wrote to memory of 2784	2444	IEXPLORE.EXE	30
PID 2784 wrote to memory of 2404	2784	svchost.exe	32
PID 2784 wrote to memory of 2404	2784	svchost.exe	32
PID 2784 wrote to memory of 2404	2784	svchost.exe	32
PID 2784 wrote to memory of 2404	2784	svchost.exe	32
PID 2792 wrote to memory of 2636	2792	DesktopLayer.exe	33
PID 2792 wrote to memory of 2636	2792	DesktopLayer.exe	33
PID 2792 wrote to memory of 2636	2792	DesktopLayer.exe	33
PID 2792 wrote to memory of 2636	2792	DesktopLayer.exe	33
PID 1216 wrote to memory of 1428	1216	iexplore.exe	35
PID 1216 wrote to memory of 1428	1216	iexplore.exe	35
PID 1216 wrote to memory of 1428	1216	iexplore.exe	35
PID 1216 wrote to memory of 1428	1216	iexplore.exe	35
PID 1216 wrote to memory of 2684	1216	iexplore.exe	36
PID 1216 wrote to memory of 2684	1216	iexplore.exe	36
PID 1216 wrote to memory of 2684	1216	iexplore.exe	36
PID 1216 wrote to memory of 2684	1216	iexplore.exe	36
PID 2444 wrote to memory of 1212	2444	IEXPLORE.EXE	34
PID 2444 wrote to memory of 1212	2444	IEXPLORE.EXE	34
PID 2444 wrote to memory of 1212	2444	IEXPLORE.EXE	34
PID 2444 wrote to memory of 1212	2444	IEXPLORE.EXE	34
PID 2444 wrote to memory of 2036	2444	IEXPLORE.EXE	37
PID 2444 wrote to memory of 2036	2444	IEXPLORE.EXE	37
PID 2444 wrote to memory of 2036	2444	IEXPLORE.EXE	37
PID 2444 wrote to memory of 2036	2444	IEXPLORE.EXE	37
PID 1212 wrote to memory of 2520	1212	svchost.exe	38
PID 1212 wrote to memory of 2520	1212	svchost.exe	38
PID 1212 wrote to memory of 2520	1212	svchost.exe	38
PID 1212 wrote to memory of 2520	1212	svchost.exe	38
PID 2444 wrote to memory of 2540	2444	IEXPLORE.EXE	39
PID 2444 wrote to memory of 2540	2444	IEXPLORE.EXE	39
PID 2444 wrote to memory of 2540	2444	IEXPLORE.EXE	39
PID 2444 wrote to memory of 2540	2444	IEXPLORE.EXE	39
PID 2036 wrote to memory of 2592	2036	svchost.exe	40
PID 2036 wrote to memory of 2592	2036	svchost.exe	40
PID 2036 wrote to memory of 2592	2036	svchost.exe	40
PID 2036 wrote to memory of 2592	2036	svchost.exe	40
PID 2540 wrote to memory of 3032	2540	svchost.exe	41
PID 2540 wrote to memory of 3032	2540	svchost.exe	41
PID 2540 wrote to memory of 3032	2540	svchost.exe	41
PID 2540 wrote to memory of 3032	2540	svchost.exe	41
PID 1216 wrote to memory of 2856	1216	iexplore.exe	42
PID 1216 wrote to memory of 2856	1216	iexplore.exe	42
PID 1216 wrote to memory of 2856	1216	iexplore.exe	42
PID 1216 wrote to memory of 2856	1216	iexplore.exe	42
PID 1216 wrote to memory of 1660	1216	iexplore.exe	43
PID 1216 wrote to memory of 1660	1216	iexplore.exe	43
PID 1216 wrote to memory of 1660	1216	iexplore.exe	43
PID 1216 wrote to memory of 1660	1216	iexplore.exe	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\af5c07f59e5323d42968bfed01defd05_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2636
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:209935 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:603139 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:209940 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:865285 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74c232be6e579dc3501553f3c0e07e6c

SHA1
62c6d7be62174872b0cb36b573aec7009a2378b9

SHA256
981a6823dd7adf3970c315a0f9a44709ce78b72b1f9f59886133c0805cf80345

SHA512
18f7dbe49c27c0d768da4a044e030e95403c5390a83af499f39c59eb5917260eac957eaf5cf155d7d64b729a43393b2ac533abb4b4dcba4d518de2798be99582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4896c1d586e8b67cddd3f1583971f75e

SHA1
c61fd3aef134919a3622c0bf21087d5db781f3c2

SHA256
974184c2dd92b2556e437551d36f15490f934c6627308824337d27a321e3e4a3

SHA512
7f60e8a5ea1558e7d3adbf5e2c3e7eb7ad95ccffa432de856f1157c181506aa73e3046feb91c0c88d19b8e830229c84e7ffc646a1a9ab3cacb8b13c9f80a4bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af8d3989f5c609442ea969941468636d

SHA1
ac65656c68d020299bdd603d8fdf91011268b216

SHA256
a743098b7973168e4253ffd8bf51cc42c923a484b6ba073b2b8e423fe7494ac0

SHA512
246d3e353de92d35022122476b7277f0db16d3e19a8598b1a55f85dc8c679c99e174d2075a87edcae28d195cf43583a197f88e9b9e16e121560aa028dd81671f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
852822fa3b70c9fe0b6a9b601b9f013f

SHA1
7f6690cc322e86c7bc2bfeb10aca6fe449a594b4

SHA256
eb3e28e5b382b7be821d7407bc337f958d5e7a40dcdabd0327b858ae8d177ee1

SHA512
5303d56bb8daabca5e1c621d6c7b35c9691fb6872147e63fe16950e6aa55b4a15f9ce518667a0ea3403ed030a65ca5d780010fbc926f8404fda502f8b49bf093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cda9a843c2245d76626b5cbe2b04069

SHA1
91c5d0cd69d5da431f8c231773ed85c2722d59ec

SHA256
ed5bee8966e325db628f0ab98e290645c1c08fc601aa1ada63a626a33b7ddf2b

SHA512
3c7f3d76d6ea5af0d64ed64832c82d208f48e70207ba95aa7f3b65371a665c4f2e1784dc9f42dd5def7611b5c9120c831e30c6e88b707c9b3ec2c585d0f20192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28ae3898991e031550d378353a6b68f6

SHA1
0dc14f9d99a19dfb2a83922fd97e50de842b35d8

SHA256
4d0331d31a66ca8e8494ed6f6b1f320690dc9c709851917d411e7371b7b2cf74

SHA512
eeed9fa20d60acc209bf9ada3543bf15dc1ff52edcd5a31e4b6574b78d1ea2034768fa3797e1b3d85131674ea1fa3c64b1d5efda7649c1bfe0461937d751f6c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4bee5d2fb7153e096e10f155f3e1876

SHA1
a17d4e792e8f3158a98df3e795b1761a18b7c3d3

SHA256
82bfb50c09d6ebb0e22cae2f6f6d31d588182ee29756bacb244bfef65c1d74c1

SHA512
98bc032160f86ec96e1282a13adef7547bbf21b700972d04a9c883012e11b257cf265812f43139fcedcb79f147cba5fa783e7a3323b80531ed297f3ecedbe980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd37ffd8d07d195136a3496b5b4a920

SHA1
04978f38a6edf6f9680ff208bfd82af2c2d00227

SHA256
c7bedba7c595416fdfb25a41c17da397c2440ee7cd7d0ee46891dbaaa5dcd675

SHA512
8d5c848100863bf1dbf235f01852de82e141f8fd5f81766445b6fed18a138e37b64752f26ce56645f59787801f2d24d6fcda7e8eebe476e1ee35bd80ea37af8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0195add6b670c400e132b40d88b63cc

SHA1
ac6da22e638e2a4f2ee57d94815f4fd6244c5d7a

SHA256
3b20ed0021f450ed9c8428ea3cda3e1d79b83b8e5a98a97176b6747bdf293b7b

SHA512
69ff26dba1f5312856ffd43cd8e4089e6aecc780a63c7af64bcec1f0cb91f02a135768f4bb7c16db4ddb7fa6bfe443f3cd0ce610948b067566f10f25cf4a75c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55772beb8e56263ffb6a53a4d3da8746

SHA1
2fb93c72d853efc962bf3a0c68b7b273a2dad9b9

SHA256
902af0d859401ebdc987d94571ffe826303f2368f2e8cae6659a579b300ea71b

SHA512
ee678f2766872ac5149821809c025e44b88a518a45f8682ecda4d3e22ea1b07b3b5b9cd843cc9f230735680b54bb95fc23ff4a08c77b2851fcdeeb424e7b861a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46276f7e7f201e401bd4a398ab3e1308

SHA1
f189941f8bf32b99a09c21759619ef6e4db9b47b

SHA256
ca6dbd304fc66545ed7298573e5ce66b926d609277b47f1dbbf207034f214a71

SHA512
f9bceb42659f719829532c56ef4598cbf1669d69f404e47e502199237f37b072868648d247f339f4fa88f913b8e11491976af7b3932e4b4767d5c5f03a070317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e9d34893dc169351c173e8c4ecc481b

SHA1
2d75d1a5b6a3699ffd62ba2d7ffb53944c98a198

SHA256
34edd40f37fc3e3379bfb7eb9fc21a98777599b1f59de656a6eee4fa5f8ddc3a

SHA512
c84225469c2fec1b7b34d0539d8c6eee765e662848c09f0931a3d964874f01808d12448f0cd529516a62b453ede5d11a30880fc47cecb50ef94fa4c32de27842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e2646d94090c7e2a7ae78f2ad1316f

SHA1
093e25f27760cf099814b3cc1dd2b7a02cbd2583

SHA256
97f00c09c8a4ff9d39f267b2771ce64a10f04019c668ee0218b27b863a595ccc

SHA512
6e5579564c89a0adc7b1488dc0a465562b836e2ea74c65cfa3107887a1fd050ae6b358f39dfbb1c33a62e0350a451dd9113604970c02c85982d833ad10535ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81dffdd8c25d8d95f870072172dd050

SHA1
d470d53baa27607be05acb34f698febbe6e198d0

SHA256
bf4574fdfab19ae80f0b55080fba2d006eab3809cf4697cee5c6075db8e5631d

SHA512
8a88420474dbb31b1f85a8daf942fc5c3e8b3dd1e410be8d1cbd843978d3e5f596edc3cae939e0a2512eb3d9351205dacc0d6c480270a63e056577b1c78c2ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
129d16c6338ced8cfca37439411cef3d

SHA1
d66e052a5d9ca6cfa74f99cdbf7c7944004cffdc

SHA256
d4059b435041ba934889e0fe999860b0b63f06be588fcff4b3e24e4065e24235

SHA512
377905a5268b3f88c8c97cc99b09a922291c594cc20eb6b915181b37bf69fd1835ee081ca5ecef4caeb9db6f966bc0c89ae8520272fff59d786ebe08e275dc42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9d0de119aa6b1141686c8a49f283e14

SHA1
81bcef27c0df4a10756c09191958f5ffa4d2d8f5

SHA256
c2ada8ecc02ee9d11d6ed26ecfa0bc9122ad8ce2e4c227a92394bfffdfd09bae

SHA512
999944f2e64adc27d82ed4495e6c2f28f179b4ab5f5db3e154225e1ae6e9dc97143a50466b53e8d64713c52c46bfd4977bb0679396d91b08a2de0c02e420da71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75530b417ca65b15122f0871b7ae723c

SHA1
88f9e51f3686ae8d5f40e7a1ecb6b62e568cc15d

SHA256
ff521cba667269dc76c2c8c53f6b251179eb4c56f1e2a006d5ddc7c29525cc2d

SHA512
d80520061087156f9cee1f7cd505945502f6f3ca776f38c3f1b5a8f8bdad5cdbcd3e9f17340471a56a93c729dcbb593964be75770dd7ae81e400e03c9e33ce4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d9976c9883a2984f66215f90f97a930

SHA1
a004d26182e81be49b4c4d9f73aecbac79726ff5

SHA256
b9178d2f81293cf3d7b02736843d4fba48d76f0e562cef3cae7676f59c63d395

SHA512
953a821e69ffa43ffc02d4e519e128600b41407f68909bc9ea061ea0c59dfc57e19384635083bebc2b2998ec6379f2bac412bce607080b56350d28940b31073f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FE9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3098.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1212-28-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2036-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2036-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2448-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2448-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2784-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2784-19-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2792-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2792-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2792-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download