ramnit | 0dbd433c0ee4905a38768052bc4edb2bd262707bddeffc70e240a6b5f3e2023f

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a6861f77ca0886c29535482fe0eb0b_JaffaCakes118.html
Size

521KB
MD5

d1a6861f77ca0886c29535482fe0eb0b
SHA1

df81fbd04e308857f77a417b53a719540b7ae74e
SHA256

0dbd433c0ee4905a38768052bc4edb2bd262707bddeffc70e240a6b5f3e2023f
SHA512

287a2cc55b3b782f7dfa0630386cd117c6ad622624cae157b9fa2237f327d323bc3d7bf87d7d3c08d6e7520217104bde24cb8970a79cf34b3b72160de25c77e8
SSDEEP

6144:SQ5sMYod+X3oI+YGVsjVW4sMYod+X3oI+YGVsjVFsMYod+X3oI+YGVsjVP:tF5d+X3zjVWG5d+X3zjVx5d+X3zjVP

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2652	svchost.exe
2568	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	IEXPLORE.EXE
800	IEXPLORE.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000160d9-2.dat	upx
behavioral1/memory/2652-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2652-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2568-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2568-24-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5F20.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5476.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000e5f75078f8a1bd4f592ac125df6d7102d6c1edd0b8f315baafed482b0c69c6e3000000000e8000000002000020000000fa6f0f770900f1a337439c402a3ea70d693234eaad374683af17eee6d5637a7d900000004bc9e972195425e7696029c58a8f466ef8e9423acb666d750fff71e44e8806a389ffb1873d5ddb92c92decb9f5b340d03fac4b4d776cb54c0852cbd2b6c4e578e0d5b028968853c5f4879ea5728047f114e7d03d70f5f1373e98f81d7ca7089bce6516e983a67cfcb42bec5666f001588c06b6a8937e7bd35e9d1e46300f2f6bac02b8a43a3cfc9fca9cc3e57cfd0fa9400000008c436b105b0ed83e787e7a96c3f03ea9ed5aa7ce0b656b367428df1de725e4f198d74f1b92fb8901f5d26863653e007748d4e72849e0a6ab4461a2dc0bad62db	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431864425"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0055c480b01db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000818499f89b0460032f67d3a1f5fd2866cd21736126e0b7ed35657a472332d559000000000e8000000002000020000000b1723cb95695ea896d28f0ada75d2295f728528ca054e9b17b31d84beccba8e820000000a4cc80874813d7f60c052c924f1e398208af01a4da8cdd565e80524097990a00400000003b4e39dc63c53fec6464ae03380496d31f9a5654b0f51e6f0d11f7e194223e73b51c5705e1965f5a26f46163e8e0b781f45c19b6b3eacf8a337692920409d21a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71716AB1-6CFE-11EF-9584-DA9ECB958399} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	svchost.exe
2568	svchost.exe

Suspicious behavior: MapViewOfSection 51 IoCs

pid	Process
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	svchost.exe
Token: SeDebugPrivilege	2568	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2704	iexplore.exe
2704	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2748	2704	iexplore.exe	30
PID 2704 wrote to memory of 2748	2704	iexplore.exe	30
PID 2704 wrote to memory of 2748	2704	iexplore.exe	30
PID 2704 wrote to memory of 2748	2704	iexplore.exe	30
PID 2748 wrote to memory of 2652	2748	IEXPLORE.EXE	31
PID 2748 wrote to memory of 2652	2748	IEXPLORE.EXE	31
PID 2748 wrote to memory of 2652	2748	IEXPLORE.EXE	31
PID 2748 wrote to memory of 2652	2748	IEXPLORE.EXE	31
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 380	2652	svchost.exe	3
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 388	2652	svchost.exe	4
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 428	2652	svchost.exe	5
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 472	2652	svchost.exe	6
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 488	2652	svchost.exe	7
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 496	2652	svchost.exe	8
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 612	2652	svchost.exe	9
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10
PID 2652 wrote to memory of 688	2652	svchost.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1944
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1896
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2648
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1080
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1068
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:548
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2508
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\d1a6861f77ca0886c29535482fe0eb0b_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2568
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:209930 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e89f416dd33e9debb90731da0c17312

SHA1
a3891572eb49beeb3774f2304d2613d38403a0ff

SHA256
c63f67bb1780055e4f06f76765a35630754b0b0577a8208e53d88cebcfa2fe0e

SHA512
591460fe12d45f380c308fc0b2a7942b823b9818113f126a1c35ff3c8528c6c816bdcca282b5cee110516a65a40b12afd81333289e72cc7f7f8da2190ce563d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2edbb1f9cdd2f58a1ae64ca50ff6c5ea

SHA1
8d400c12844b97db94e0e7e05d5dd566488b135f

SHA256
0123bf14d1ddd33969e2ef00cc16e832ce09dcaa328679d80ed39f1944358279

SHA512
b1079dc52a1ef863adab5ef3c2658b6d572b7f999602606d2d0a2a80b269c5651c55ef6545affc189e47cd3474b27bd1fe8bb7aeba3c53da6435e4ac35c4f593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bb3f3bfc7a1e888fa0742376e66a69e

SHA1
7c048ff74231b45150c94096b2141ba862466f9f

SHA256
83e8aa01071cd3ca234d88ac9d4a7633eeed18dd83a1d581b71f29b89b419bc9

SHA512
e9a867d41da83dd9fa66ca2a6074c6a2a64cf09b892fc318f8bdcda40c1267674c3f22d61affd1fb4c846d43365299aa33ef4084a8b98161d996b4e10c037e34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b3eba95189717f5aeb9edb6c25f858b

SHA1
f8fec55a5b9b20e78c5cfa507df9be4be0572b8f

SHA256
9839fd901ee63e8e03a4b8f28807660717522fce3a89ed740da1508fa753234f

SHA512
721d7daeb81ffd8fc5a0af5a78190c0265e470da6b78056c08b691d70f864516a1481e5a513a4f263409a55d96b98897c5097d9cac33a5ad13342ff018fec9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4edc05e83f514dfc811b79f551ee86c2

SHA1
9b16d687a18ffc56bab2166ee1e836ec71666612

SHA256
73e1694e9761756be74d4f8f032f3831f32b4c7944e96f79340c4a04359f228f

SHA512
0d33696a4cd4c3888056d2c8bd66da9ec1aa164190ff2cc64f66e208bf6d5281a0668919d57ed5a712e8cdb6af7ee9085354dae071ef297c70afa0eb1d9afe4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a07f065589462e25ed8f0b98bd5c143d

SHA1
3bbed4043638a0bf75c8fb8a08ab47f8938898ad

SHA256
35e65299e8c2fe7ea6b36259f513c52aec777890968eb28fb0971dcec49ef4bd

SHA512
fdd9ae60ffcbc5378bf5519706eda32f98be118a8e1494e566d8a4fae7503f9278e03087845e2e2e1a7696fc1874c1d9b84573ae17992989687e831e5cb18d02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2776981de3fa4cd7b7fc01f697df729c

SHA1
a62f2b2e2344636909d69bce2c0f1634b4244c28

SHA256
8e1815bba54d0c5596e43d86bb0c6097d612fcd7c6178ca5e683eeab8292c263

SHA512
fa8bb68c1228e16ab476f5e43e176f7233622e78a896d57ced236c27f4b6c5dec0f5f9b1e824ba4232b0e7d221914b7e9e529e9775517666aa5aea4337edf32e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
021966271126624d4370324f49b64c9b

SHA1
b6d2a21e8fd9303385b915d929ea5fe76a68003a

SHA256
e97e18b6b4b695662c4c5197e3d5948f1af81f4af76db39c611f3a892469943e

SHA512
819324afc28e93cd050fb604518cd237ca08372e88b2e05111297ed64faf08a8cbcc58fd0805d9e0f9b07f9c20d5d6fb6822eb754795f1dc454121c6a5022503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74cbb7e9acba8bfc9d3c44f1a4f2afbb

SHA1
2766e94622bfda5df4b53a888a35daf174436d19

SHA256
2be500b186e3e39887f2b25370ec8d6fc0e06dadea9db3ef9cf41f453d3f4c47

SHA512
5e9f862b6f9398e1d0b8e2077b537668638b20c5e179d03ca2256ca3ce073459a7c86c2d2b3a4a01d3cb9da15614e43c55eee0b33414e37a1d6f65af466f5099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b5e9a5315093f9ce260cedc3bed6636

SHA1
272c900d25fd36926a46e63bee957dbd7a58e739

SHA256
b165ac16702fe206645bea1140088c983f082a15c3121a52b6d8efeccec7fea4

SHA512
ef8c54a6e6de6bce1a924fcadf41d21abb50a8cafff54418f658b7dff16306f5401578053685154ef6019ac6acc062e02c72916cfda356d4ccd6ad5360fc67c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16354bca529ee0a5ac34051f59b05246

SHA1
81f22a87fa48820fd23ec36034560f619ca86bf9

SHA256
e83e90616ebce7975f3958999eb3f8725bc747284bbcca6ea8e339f363b41016

SHA512
3e2bbc5e0cd1d0a12984640f254bd4c85bddeef3a0fa6f2b9c3863e3db76d24ff18cc1afb48fcf9ceb120fd71eb6b940e2958245d801f5271d5e2b6d0bcea6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e753bcb0a09f7ecf3d7f0c4ebd767820

SHA1
d7834529c2db32e3efbb55903d87b939f1ca73be

SHA256
b6cc9ae0b2ba2da6ca4520e85f196170ee8caa724ccecdf637cce5782d1a2b9b

SHA512
6a345dcdbba6323c979c7b6aa42f4fe19ab8675391bc17c8e658dfccfd607a969b7c8ae9cd27f31b588eb84a7e46fcb8b0834135b322414328277c8978709dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d416627682ddad3d555872b31cdd5a05

SHA1
cedcfe43b0de7a9a9fe1be5fc9aa2f899cacdfa5

SHA256
076317d5499410529b7114123c4f5742119afe117c181490c9d7b2b1ae32b1d9

SHA512
862f53d6e967c49e1d47810047994302627d2cc7654e85364315eb749257d1f7907290b4d70a6b429d2a056d5294e87037cc776d90c66239dd0867cf33b14440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6297838c87899aeff35ffd5268bb133c

SHA1
e8df5a8a86dc302696acba03c3703755e3f7b866

SHA256
c297b5e96d67eac40faa83827e5a295f2f188a4eb45e68a8f79aa8dfa5ed7308

SHA512
121258ad0875f93dc0239eaea4a505516e02eacf0efcbff2cb9d855b2b9b3557812be9208aafc676fc18a5ab16da9fa3c141a11c499e901fe0c5c4080e0a1e48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb5cae9ca25f82fdb2a52894e7142d44

SHA1
ca1f9d570d71d764585f30ecd7635435e5d2221b

SHA256
a047ba27f6c7a24ba27f5aa2664e6a7960bd2acf2ba48928c7aef4dec7c5865b

SHA512
3276974fa460cf21a97cc4bf545af2d197f7fa716ed723b3e5d099d809380a67201421a96efce082bfb727532645f7098821a6f297b381246bb8a5fc0f64e65c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
230b3a44dc8cea0d4ea01c2cc3357dfa

SHA1
2501a3bb00d404f6140f4e57a581e835045413ca

SHA256
43a78cae367faed5a1d804cafc25516743efd57742e598de3ea5e22584691c4c

SHA512
5c98c5514707e67446124a39dcc001383b5db520cc990db308acf33dba878d26cf6f8fc866a2a40d9ca2502075e98cdc5e2c3fbe389bf190ddcf8e348a52c5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b3447ad55eb0ed773c66b15307860c

SHA1
134e9fcf9e5eeb25c22631eec9f1fb2a46e8415c

SHA256
505531067cb6fe597404f4bcec2d1cce6079fe67e59db6fd6908eea64c4cbe5a

SHA512
4531580ce2b7f108bcf8001c619fd7492a6027bd780a0c6955dd6457a1ae19be76f1ed1a7d1a1036de795187663195c17289ed45ee2f53c5552c773adbb2bcf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f22c157c2a2f62dd9a913c5089c42579

SHA1
43b05dfe6c0260c6534ad3b03c72b4ec58eba5be

SHA256
cac35f4d5460fce9d74d4d6b8c755b9d9fc66add4fcc0b0ff27e37d2c18154d5

SHA512
a3d0480e2a7d289498ec3a55c744808d5045a53c88a12e7065db9bf23006d76f5ef20b92338709203ed69b6cc2f9e7e0adf8fce0defea45f7d578cc5d81fdcc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7b42877be68fcd9658aa67caecfe46

SHA1
e0c7a633a284ac121c5eb3c311212dd8b76374f0

SHA256
7edee158fe8a7254126b73d429a788d13cf348309a4380d7e98dbe16abfb9114

SHA512
b46e78e9c676c2ed6db124a495c1c274ce16f3ae5c391d435c00e4acb15a47530cbfe42a83636ee825cd9f819799ad33578f5feffc089f6fafd1d69423ac456c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\jquery-1.8.1.min[1].js

Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab784D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78ED.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2568-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-10-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/2652-9-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2652-8-0x0000000077DBF000-0x0000000077DC0000-memory.dmp

Filesize
4KB

Download