ramnit | d8ffca04f8d310be3acf735e9d03b1980d93a37b366ea72743211898f0bf6d6a

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc8a96b4876cd191c5f4e0fbfd3b7006_JaffaCakes118.html
Size

572KB
MD5

dc8a96b4876cd191c5f4e0fbfd3b7006
SHA1

4e90557e8104bae293ecfef01a74ff9dca4270b1
SHA256

d8ffca04f8d310be3acf735e9d03b1980d93a37b366ea72743211898f0bf6d6a
SHA512

a4d318eb5d98543baa8297f4ad09ecaa7c4363ee1e18fdfaf0b292f992d6aa5e1bc7175456188e23ca7a7b022dfe71d5ac2d708a8b1fde4e8a977ca2b34f6afc
SSDEEP

6144:SKsMYod+X3oI+YXsMYod+X3oI+Y+sMYod+X3oI+YHsMYod+X3oI+YTsMYod+X3oJ:75d+X3l5d+X3K5d+X3h5d+X3V5d+X3A

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

pid	Process
1996	svchost.exe
1992	DesktopLayer.exe
1748	svchost.exe
2944	svchost.exe
2852	svchost.exe
2404	svchost.exe
1360	DesktopLayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2308	IEXPLORE.EXE
1996	svchost.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016f45-5.dat	upx
behavioral1/memory/1996-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1992-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1748-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1992-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1992-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1748-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1748-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2944-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2852-41-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2852-39-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2852-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2944-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2944-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB6C1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB71F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB73E.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB74E.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5EC3.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B82C471-711E-11EF-9452-E2BC28E7E786} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432317881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000000292478a5f3c7bbfcdca74c54a790eb9551cdc44b67dcc68deaa6a22575be021000000000e8000000002000020000000d9b351465e314a28a2a49df4d6458aa595e4f67c485daffe35ed7c5fa86e0b4b9000000033ec65a613b973b4c031d8f6006424add0e89086707547bc16f08ef5dadc257c26b1538eb38c790dfc53de7b2c69f4cdbaa7af19dc2c1c05c6deaa592c54086bb488271989d2ea7d3fbbcd181a81547f26c97cffdc3a19993aa5370200d2d532fb381598a0fea813e814d28727639d39a1a30e54d1c01190801c45ded58ccd9843f0ecd0ac0cfe8230f74fa32840211140000000673253a3404831fa348680a5e4c6c24d5cad3b63537edfcd9ba8ac46dec1dad3c518ff9d95bbe6c3801496a9b51c526a6ccc668f51e7d78b217210baa1a637d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000001aca49700520ed35db2d273c1a02dcd30849c2d9a152840af40558bbf02e2341000000000e80000000020000200000003cf171e2ae1ef5d6e0c67bff1aacde5b658401ebb38c1e48afbd566933c7b7cf20000000afc530d020812bd9b7631ec3a46d141ffd4e107272c95404b015c1daa5a287e44000000070cc7642197c6a22b17bc414cc3df2679db871eef303e35ec9ae12aea3a28dc1bedcb349fbd6c226a4d4f3475f1fc83fb85ff01a88d73fa8e4cfba68275c1bcb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0508d512b05db01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1992	DesktopLayer.exe
1992	DesktopLayer.exe
1992	DesktopLayer.exe
1992	DesktopLayer.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
1360	DesktopLayer.exe
1360	DesktopLayer.exe
1360	DesktopLayer.exe
1360	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2480	iexplore.exe
2480	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2480	iexplore.exe
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2480	iexplore.exe
2480	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2308	2480	iexplore.exe	30
PID 2480 wrote to memory of 2308	2480	iexplore.exe	30
PID 2480 wrote to memory of 2308	2480	iexplore.exe	30
PID 2480 wrote to memory of 2308	2480	iexplore.exe	30
PID 2308 wrote to memory of 1996	2308	IEXPLORE.EXE	31
PID 2308 wrote to memory of 1996	2308	IEXPLORE.EXE	31
PID 2308 wrote to memory of 1996	2308	IEXPLORE.EXE	31
PID 2308 wrote to memory of 1996	2308	IEXPLORE.EXE	31
PID 1996 wrote to memory of 1992	1996	svchost.exe	32
PID 1996 wrote to memory of 1992	1996	svchost.exe	32
PID 1996 wrote to memory of 1992	1996	svchost.exe	32
PID 1996 wrote to memory of 1992	1996	svchost.exe	32
PID 2308 wrote to memory of 1748	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 1748	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 1748	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 1748	2308	IEXPLORE.EXE	33
PID 1992 wrote to memory of 2808	1992	DesktopLayer.exe	34
PID 1992 wrote to memory of 2808	1992	DesktopLayer.exe	34
PID 1992 wrote to memory of 2808	1992	DesktopLayer.exe	34
PID 1992 wrote to memory of 2808	1992	DesktopLayer.exe	34
PID 2308 wrote to memory of 2944	2308	IEXPLORE.EXE	35
PID 2308 wrote to memory of 2944	2308	IEXPLORE.EXE	35
PID 2308 wrote to memory of 2944	2308	IEXPLORE.EXE	35
PID 2308 wrote to memory of 2944	2308	IEXPLORE.EXE	35
PID 1748 wrote to memory of 2568	1748	svchost.exe	36
PID 1748 wrote to memory of 2568	1748	svchost.exe	36
PID 1748 wrote to memory of 2568	1748	svchost.exe	36
PID 1748 wrote to memory of 2568	1748	svchost.exe	36
PID 2308 wrote to memory of 2852	2308	IEXPLORE.EXE	37
PID 2308 wrote to memory of 2852	2308	IEXPLORE.EXE	37
PID 2308 wrote to memory of 2852	2308	IEXPLORE.EXE	37
PID 2308 wrote to memory of 2852	2308	IEXPLORE.EXE	37
PID 2944 wrote to memory of 2776	2944	svchost.exe	38
PID 2944 wrote to memory of 2776	2944	svchost.exe	38
PID 2944 wrote to memory of 2776	2944	svchost.exe	38
PID 2944 wrote to memory of 2776	2944	svchost.exe	38
PID 2852 wrote to memory of 2256	2852	svchost.exe	39
PID 2852 wrote to memory of 2256	2852	svchost.exe	39
PID 2852 wrote to memory of 2256	2852	svchost.exe	39
PID 2852 wrote to memory of 2256	2852	svchost.exe	39
PID 2480 wrote to memory of 2576	2480	iexplore.exe	40
PID 2480 wrote to memory of 2576	2480	iexplore.exe	40
PID 2480 wrote to memory of 2576	2480	iexplore.exe	40
PID 2480 wrote to memory of 2576	2480	iexplore.exe	40
PID 2480 wrote to memory of 2592	2480	iexplore.exe	41
PID 2480 wrote to memory of 2592	2480	iexplore.exe	41
PID 2480 wrote to memory of 2592	2480	iexplore.exe	41
PID 2480 wrote to memory of 2592	2480	iexplore.exe	41
PID 2480 wrote to memory of 2632	2480	iexplore.exe	42
PID 2480 wrote to memory of 2632	2480	iexplore.exe	42
PID 2480 wrote to memory of 2632	2480	iexplore.exe	42
PID 2480 wrote to memory of 2632	2480	iexplore.exe	42
PID 2480 wrote to memory of 3028	2480	iexplore.exe	43
PID 2480 wrote to memory of 3028	2480	iexplore.exe	43
PID 2480 wrote to memory of 3028	2480	iexplore.exe	43
PID 2480 wrote to memory of 3028	2480	iexplore.exe	43
PID 2308 wrote to memory of 2404	2308	IEXPLORE.EXE	46
PID 2308 wrote to memory of 2404	2308	IEXPLORE.EXE	46
PID 2308 wrote to memory of 2404	2308	IEXPLORE.EXE	46
PID 2308 wrote to memory of 2404	2308	IEXPLORE.EXE	46
PID 2404 wrote to memory of 1360	2404	svchost.exe	47
PID 2404 wrote to memory of 1360	2404	svchost.exe	47
PID 2404 wrote to memory of 1360	2404	svchost.exe	47
PID 2404 wrote to memory of 1360	2404	svchost.exe	47

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\dc8a96b4876cd191c5f4e0fbfd3b7006_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2808
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1360
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:537607 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:734211 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:996355 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:1192964 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b78f9a1e87883b6917b8990ed9cf75dd

SHA1
df8deecbb3593a1edf5fe58fcef5c94683a3a626

SHA256
9bbec77ee42f7996c51e1279fe96221a33e82152c0cee730e1f592dbcf1f9189

SHA512
bf924ded828b1cf45d1afd8e5e1c6c4cfb3873d9f50dc2ab15b0f5fe105015c3e50462fde006cd5134aa9e902ff356e9e44121fcba70466e5fda89ae8774addf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4fa51bded79ab6a55a6fe3ccebe6d28

SHA1
ba459610f0cbae14ee57bff5b59a557983ae4720

SHA256
17084a860c7d08f00f021a647427a6e5ccc3b4fa6a68c6f35c6fd9289ca65c5d

SHA512
dff1aa61609ea2c2ca5d5a00945bf3ab6dab31c6dde498f0534db5ab70d3bad31cb6911270f1fb0fda0eda6cfda32c681533eb579e5e5ccf5b9ab542b30b541a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc7f8cd523ef3a9545bd2f22b3cd435

SHA1
ad9e3efb9637e42773f0e497e5ec1b88bdbb4b37

SHA256
f17fc033738d0bfccadb8d4bb430e96d48c5895f69b06352bbb5fb5be04b42ea

SHA512
d3a3da80076481d136a0e2adedbf0050abb4f71dfc37d671c1d6886dc1504aa39cea5bf23aeb6918e678ab00fef7ca6342a639e08e4dabe23bb39c1794b01b80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73dc0328cbb7d37f3b91f2738d3c426f

SHA1
b3b9e8aa8c09e65cf14590b5ed90784e16c92d1e

SHA256
b1e8b6f84c9763a45c474e1e2893e5788e0323eb4828cfbafa827284824dec79

SHA512
a1cf0240ab1a57c8e9caaf3b2c3ae0312b4cd4bc1a8eea4ba693457e73bda901acc46f4540dec3b28e4b604c43f652c4b9cf251f4739a5dedafd0f7f8b17105e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c046f8938f4043c7011cf3bbf8cf429

SHA1
21de1d1c61911799f1bcf5244422ce933547d545

SHA256
ffd97f07707d7eab11c89f634c50c8319c9458dd7cbf5ad8cd2a857b013bdaf8

SHA512
88d7904da709549a59e68759289aa59a57edf2a4d77a9275d5c03ee729b1d0c10adcc8fbecddbe7ab438eec59581f0140227f41ff11dfba058b9d09ee443f418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3af4e3404c24bc5be218c5d8d4e94c2

SHA1
ca63863c25fae6b12c4428877a54ef2317bb6420

SHA256
68e099c2741ed1b8ef26d08ea7a0d9042ef93197a3c498671ba243e218be99bb

SHA512
e1d842c5dbeb58f24906d64e97b30d93a55134b87fb8df229748a6b7380e7d80484f5cb28bc6934e05acbb07f946040927ce4e5a42d66614e20564d56442816d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed0e640e11b790c9f1aebec51d434add

SHA1
92f6c207ed4db1bdb39a53753aa7ed67b277019e

SHA256
a3408ff7afc1e013983edeeb5149aa38840144b2b20efbf69d69924759862363

SHA512
2f16d1a9bb92a678c9f9fda582708f4ba6942ff18137b08117969bc7e84758f27497bbdd202424c1f7f4d2f729c042af0966dba8d911a053054f49951e374365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1ee376b30d2a33e4b7547fd7113db91

SHA1
52d76b9cb6a917c0721dc2c358fe19228ddc5290

SHA256
078eb6c9c3f4e1dbf17a74d560059b20113d711b2d65c907e22846259dbcba91

SHA512
9117346687efc611eaf60f2ad035d249c19e95c21d07756dc76df050f8a2c71016e05f59540b9283ac2e941d47dbf34dde66551e951c411367b27f7a6057c332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9b7aa0bbe32d11a08fa955e5fe7587

SHA1
4025c6d4c028dd47ffe2ccb9b5dd89c99974d7f7

SHA256
58d266fbafd527e6754049b7d6cee8e82dae593a6b5d8b600184487d27504a3f

SHA512
b55844bcddd7847f7ad1a2fcd2c8ad4d3abb20c0007ce716ef617a4653b5ca8de5cf361741372fe4c8e667c6794437031076ce8402e38dee7b446d1fedbf70a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821aa70e8cfb369cde6f7b6f552eee2b

SHA1
44d72cd1b7cd586b07e7f4f8517fa3f26e468134

SHA256
dd245d872f3d4b8ed4af335e2229e3868b3a60bec20efb35f72a69b1bd3bb832

SHA512
a4b7a82a4ac7401b5c97a36965ae27e52c061b0723088f4048223964eb547a2018f8ac231f6e503d1d975ef3aa41246f129ca23a58dd2f2dad52fc04ea4f34f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB3D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB485.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1360-478-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1748-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1748-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1748-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1748-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1992-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1992-19-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1992-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1992-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1996-15-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/1996-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1996-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2852-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2852-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2852-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-34-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2944-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download