ramnit | 208bb2a7f5225d7cbd90bf2b6fee9cd658ba51c13a9eb3536c7089c837065d8d

Analysis

max time kernel
71s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ec269f7620514ad5304bad378c63dc_JaffaCakes118.html
Size

464KB
MD5

d4ec269f7620514ad5304bad378c63dc
SHA1

3f4c177e1a64e3eb4ec67cea746ed963cd6bfddf
SHA256

208bb2a7f5225d7cbd90bf2b6fee9cd658ba51c13a9eb3536c7089c837065d8d
SHA512

d15e6c8be3e6645e652a5e612e54ed442571fdf14f5eb50f4e489f423a332ac872bb2a2fd8f8caf40d7764c88805d099b23771c3f5dfd763ca148899aff30dfc
SSDEEP

6144:S1bsMYod+X3oI+YKODfsMYod+X3oI+YMsMYod+X3oI+YtsMYod+X3oI+YQ:mv5d+X3x5d+X3k5d+X3v5d+X3+

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
2748	svchost.exe
2080	DesktopLayer.exe
108	svchost.exe
2872	svchost.exe
2056	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2136	IEXPLORE.EXE
2748	svchost.exe
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018ce8-2.dat	upx
behavioral1/memory/2748-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2748-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2080-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2080-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/108-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px1F34.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22AD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px225F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22BD.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BDE79871-6E0B-11EF-8595-E61828AB23DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f4e8931802db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000089cdfd1f9c4daf7c3e06ea9c5ca2d85d39b30c81cf3606d7e2a98c3f58e35c2a000000000e800000000200002000000056e5844bae73e87993bdcd6f4a5894f6057c10ce26f31c8af6b8e7ecbc23b399200000002cb2c2d309195efcf71138f104b5136227e52be69c082ce3b7dbb0c227112f07400000002396383042043a8bdedbc4af69895b85c54adae2107109763e31cf37b631d880884b40903e3d93b6cc13423197d14f709d3ccfc80c1dec2cb79b91ce78179fdd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000002c8c6f984e7c33520c1f68259b51179d15863c5d30b40ae780e274011e6acd61000000000e80000000020000200000002613f56b9473e9179663834958a4bd9141c7285dc8597ddc988d6fdd82d658ad900000000699a005e11880e0be9d3e4fd7d724d107c73e07f2ec5d387160433311191a71f37214f0f04f68dd7e7ce2378617d73dd267ee9ab826b93a3f0b275326a543d5ccca9ba4cfd78020737ed6bfa775e0597e09396416fea03cba14dbbab226c334c7c7f73559a7d7bd49da8ae3d6196c9ac242e69d6ac2e494fbb4b125c1ec6f3ad9c12ac7c91a5cfdc536c3242c8fd50e40000000d00c0b6cfb5d3a4050093c9318515c7b6fae57d079d1e197391e57f6e024e7526f995b42a64385d72dcb1b2663c07f06a1734ef4091187027f89813452789a11	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431980089"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2080	DesktopLayer.exe
2080	DesktopLayer.exe
2080	DesktopLayer.exe
2080	DesktopLayer.exe
108	svchost.exe
108	svchost.exe
108	svchost.exe
108	svchost.exe
2056	svchost.exe
2056	svchost.exe
2872	svchost.exe
2056	svchost.exe
2056	svchost.exe
2872	svchost.exe
2872	svchost.exe
2872	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1120	iexplore.exe
1120	iexplore.exe
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
1120	iexplore.exe
1120	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2136	1120	iexplore.exe	29
PID 1120 wrote to memory of 2136	1120	iexplore.exe	29
PID 1120 wrote to memory of 2136	1120	iexplore.exe	29
PID 1120 wrote to memory of 2136	1120	iexplore.exe	29
PID 2136 wrote to memory of 2748	2136	IEXPLORE.EXE	30
PID 2136 wrote to memory of 2748	2136	IEXPLORE.EXE	30
PID 2136 wrote to memory of 2748	2136	IEXPLORE.EXE	30
PID 2136 wrote to memory of 2748	2136	IEXPLORE.EXE	30
PID 2748 wrote to memory of 2080	2748	svchost.exe	31
PID 2748 wrote to memory of 2080	2748	svchost.exe	31
PID 2748 wrote to memory of 2080	2748	svchost.exe	31
PID 2748 wrote to memory of 2080	2748	svchost.exe	31
PID 2080 wrote to memory of 2804	2080	DesktopLayer.exe	32
PID 2080 wrote to memory of 2804	2080	DesktopLayer.exe	32
PID 2080 wrote to memory of 2804	2080	DesktopLayer.exe	32
PID 2080 wrote to memory of 2804	2080	DesktopLayer.exe	32
PID 1120 wrote to memory of 2628	1120	iexplore.exe	33
PID 1120 wrote to memory of 2628	1120	iexplore.exe	33
PID 1120 wrote to memory of 2628	1120	iexplore.exe	33
PID 1120 wrote to memory of 2628	1120	iexplore.exe	33
PID 2136 wrote to memory of 108	2136	IEXPLORE.EXE	34
PID 2136 wrote to memory of 108	2136	IEXPLORE.EXE	34
PID 2136 wrote to memory of 108	2136	IEXPLORE.EXE	34
PID 2136 wrote to memory of 108	2136	IEXPLORE.EXE	34
PID 108 wrote to memory of 1732	108	svchost.exe	35
PID 108 wrote to memory of 1732	108	svchost.exe	35
PID 108 wrote to memory of 1732	108	svchost.exe	35
PID 108 wrote to memory of 1732	108	svchost.exe	35
PID 2136 wrote to memory of 2872	2136	IEXPLORE.EXE	36
PID 2136 wrote to memory of 2872	2136	IEXPLORE.EXE	36
PID 2136 wrote to memory of 2872	2136	IEXPLORE.EXE	36
PID 2136 wrote to memory of 2872	2136	IEXPLORE.EXE	36
PID 2136 wrote to memory of 2056	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 2056	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 2056	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 2056	2136	IEXPLORE.EXE	37
PID 2056 wrote to memory of 2556	2056	svchost.exe	38
PID 2056 wrote to memory of 2556	2056	svchost.exe	38
PID 2056 wrote to memory of 2556	2056	svchost.exe	38
PID 2056 wrote to memory of 2556	2056	svchost.exe	38
PID 2872 wrote to memory of 2400	2872	svchost.exe	39
PID 2872 wrote to memory of 2400	2872	svchost.exe	39
PID 2872 wrote to memory of 2400	2872	svchost.exe	39
PID 2872 wrote to memory of 2400	2872	svchost.exe	39
PID 1120 wrote to memory of 2900	1120	iexplore.exe	40
PID 1120 wrote to memory of 2900	1120	iexplore.exe	40
PID 1120 wrote to memory of 2900	1120	iexplore.exe	40
PID 1120 wrote to memory of 2900	1120	iexplore.exe	40
PID 1120 wrote to memory of 2720	1120	iexplore.exe	41
PID 1120 wrote to memory of 2720	1120	iexplore.exe	41
PID 1120 wrote to memory of 2720	1120	iexplore.exe	41
PID 1120 wrote to memory of 2720	1120	iexplore.exe	41
PID 1120 wrote to memory of 2416	1120	iexplore.exe	42
PID 1120 wrote to memory of 2416	1120	iexplore.exe	42
PID 1120 wrote to memory of 2416	1120	iexplore.exe	42
PID 1120 wrote to memory of 2416	1120	iexplore.exe	42

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\d4ec269f7620514ad5304bad378c63dc_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2804
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:406533 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:734213 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:603143 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:996357 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6590b30e695a144ecb8012684a71d7c9

SHA1
9e3196d8ebadf331fca682c6b28163d4214ddd5d

SHA256
1e55a2120ce4682bc98f1463954359aeecc255d470824834356c34a642037016

SHA512
4aa5334f3c215a2af5357decdbcbdf382727da8fd80f7615aadd34ce8e70ea31844bc772f8438a06b03e2ba7d6a46370e0218e0ea349667ba38879942ad81738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d353c6cc4461edb3cb45111a71eb743e

SHA1
e20df05510abdea591947bbee98ca68d047176be

SHA256
23cd4e5e78201820367943347816e16fc8429b6b10ba4b613559d1d0ca8b9c66

SHA512
6389db9627f080515fb83794ce400a78adae301290b71b2181d7883cbf5962c5b2f67bf9503d80401ec74cb3b18ba1dc5868ba448be51cfd2af82bfba68de378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79dc7c70f863e5f15187aa774c8fc420

SHA1
e0a323c3fdeb60755250115baa507c4061d3c50a

SHA256
287bc72dc258c0749bd8bae8ad396485437d2effffec6a49251fc6338cc6ec00

SHA512
c67e274165816c995cbf15536cbb0c19c393a9228c7f03920d39825012f4f4c03f39cb4e3bb517b8fb504e6aeae794802267b37660ab5e41af891a9694aa1b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5242c3c6aaae738c7b22dbede13fafb

SHA1
ad90b3686111c9d4f80f28915ebd21640b4663f5

SHA256
8d9ee9072cb76e6e1a85cef0fda9afa0819b37a9ace18d7d669d51cab349ec50

SHA512
e373d0f455863982b463911591f5c67c57fea136f273c6b3190c7cb4c36a0939dfa580b7d841d2ffdc6c7816fac8d0cd2864836d463a26911adb05479ea4e940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
791375f513e1b75c214607a5a736d242

SHA1
4ab863bd6eb5d62bc96d3b73e3fa1d370ed0d348

SHA256
82f936cb65e7b19f55b723ca274bff87e4ff49e5b0365fb5334fc0a8fe2adab9

SHA512
7beb16f65f62010e811adfcc5acbfcd47c1083e4c0e6c4e191d1660cdf9080d5a368b4045b611df04ddf8c813485f3f20642c3223942a5a7bad2eb96aaf7e92c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e909f1c9ace175364332af29ff003880

SHA1
57ea2f1683d45e7324c8df8fa2d63ca9225011b8

SHA256
4227013fd647e39d1736332ccb58c8a6b40323e001260247e2ec2412461924c3

SHA512
3b590ca480bf38db63c49f483f0a0e7fae0add3f37bd5689cd3c6cc60e2933d186f15578b2f7c4637dd8804d570f81ea7aad28140a1e72a611f91ea2fd2587d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eedde67f9e0438c3423b9c1b414c239f

SHA1
cd2f199aac8147b527b479b0d38e927cb213e9b6

SHA256
6dda6aacbd09a5cebb138a528f238191450f4141627cea650f2bdde327ce46be

SHA512
b61aca4718c19d6cf14396f321dd6708f839d3e60e304b51cc354fdcc2a301b9f7aacdc7cc0b23998dbd8c54c9181226689457b46c9cb2462945218c4c4dd079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cfd5aef8cb56d1415c7fb3d08838436

SHA1
96aeddcfc8bab14a0c1933a31b7028b22ece0f68

SHA256
219bbe37370bb3bc6bda6562fc74fc56260bf27dbed8424c70ca4d44990b34b9

SHA512
d813379b23a5b7a88f020a5c4a0909e2e75ee7bf5910dff828b0e00ae8759e25a205749968872aca821452559f27e80e97d28b76975dfe3fc6614964f36760c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8ed6cc628e2035c5d4c339b7bb4dd0f

SHA1
dc69253e108a9ccb21fc5188bd2cffa2e07d8aab

SHA256
4d20d8ad3f1ba47698b72c4dafd7604f9b2aacab34d376da273004de3c3db887

SHA512
eb8c00e5b4899877c5db63698c84ca128b54586941860203d021cb6f495c5cb812b0088271ff404170522d54086e37edadfacc7a60d5e99cf60539694ca5e5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B30.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BFE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/108-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/108-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2080-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2080-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2080-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2748-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download