ramnit | ed4a6a6f89020be684e8f9d7d5c1cf7f904837c9354aea304c1d8310ef927607

Analysis

max time kernel
133s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaac5fce83a2d73448b467b093d055e8_JaffaCakes118.html
Size

537KB
MD5

eaac5fce83a2d73448b467b093d055e8
SHA1

7b5d97c5d32d62607bcbd9e40e9c9f4a998f5295
SHA256

ed4a6a6f89020be684e8f9d7d5c1cf7f904837c9354aea304c1d8310ef927607
SHA512

c6a3b70b373c6c0329f6eb63e564ca966170df882ef471dc8e049fa8a339524805be8df37667c96c65857191170c6f79c0062c6c6d7fa66ddd3ae19b880b83af
SSDEEP

6144:S5sMYod+X3oI+Y7meFekLsMYod+X3oI+Y7meFeklsMYod+X3oI+Y7meFekw:g5d+X30eT5d+X30el5d+X30eE

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 3 IoCs

pid	Process
2612	svchost.exe
1300	svchost.exe
924	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2728	IEXPLORE.EXE
1244	IEXPLORE.EXE
2184	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00150000000170a0-2.dat	upx
behavioral1/memory/2612-6-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2612-13-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1300-252-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4338.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px41A2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3C36.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432885662"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32946E71-7648-11EF-8EF2-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2612	svchost.exe
1300	svchost.exe
2964	iexplore.exe
924	svchost.exe
2964	iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
1300	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	svchost.exe
Token: SeDebugPrivilege	1300	svchost.exe
Token: SeDebugPrivilege	924	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2964	iexplore.exe
2964	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2728	2964	iexplore.exe	30
PID 2964 wrote to memory of 2728	2964	iexplore.exe	30
PID 2964 wrote to memory of 2728	2964	iexplore.exe	30
PID 2964 wrote to memory of 2728	2964	iexplore.exe	30
PID 2728 wrote to memory of 2612	2728	IEXPLORE.EXE	31
PID 2728 wrote to memory of 2612	2728	IEXPLORE.EXE	31
PID 2728 wrote to memory of 2612	2728	IEXPLORE.EXE	31
PID 2728 wrote to memory of 2612	2728	IEXPLORE.EXE	31
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 372	2612	svchost.exe	3
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 380	2612	svchost.exe	4
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 408	2612	svchost.exe	5
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 464	2612	svchost.exe	6
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 480	2612	svchost.exe	7
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 488	2612	svchost.exe	8
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 600	2612	svchost.exe	9
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10
PID 2612 wrote to memory of 680	2612	svchost.exe	10

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:372

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1640
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1660
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:884
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:292
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:536
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2880
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2324
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\eaac5fce83a2d73448b467b093d055e8_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275465 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:406542 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:209933 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
544d413af49c528147cdffad2a7a19fe

SHA1
7c7a88c82347cfcc0bfc5162566856830eab2c0b

SHA256
eba989be24e054dc3ecfb9ab16febe2b333b653b321edc15ffb0b61f58093f52

SHA512
4c31f68c8a9bb8845726ced96f842623d91d55a5cbcc75645983cfe0ffaf4f11bf5065e55bd1442cba54d669deedac0892691e6237d6faa27e313882abe46a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dda3a7d7967a3ca24d73d1540575af4

SHA1
9fc83b0ca6613e0c91a27e97b110f1b10d9e16b9

SHA256
d839ae43d833177823f5e15659f75288812182eeae19a4709a60175635c08654

SHA512
1494fd175d056aefea2a9f1bf372f5404ffb4b63ea0b1d36a67bb4b98561c63a664eb88927ea749282b48ac0309b905a0bb7bd0adb6af971844774a1cf00a18b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbe47398aabdbf9415054e69b6e264fb

SHA1
67c65dee4cca2bcf6ac01589530a632bd2aeed70

SHA256
6274e7ba203b5816a761544ed602db53037f3390831f6b1ee175b89866be0994

SHA512
29e255efb349a63f515516aed1022452781b42ed8cc7df901d8d8dc8238d4d93ffa35001941b7b14bf05a19eede43dc374bb41f50506dd77b7c48d1942796c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fa9d933479d9ab52730b7c3f831ef36

SHA1
f710715271806f7efea741e37a9905f832df3a59

SHA256
52a1c45039a55573311ffe19751de76c19ff1235f70fb1d509a477997c82d353

SHA512
005c58a1af21010eda3959551d650b789af807ac939d1eded86906c4693009f41b00faee887d5e5c16027c5b1bb4baf26d9a6d411ccb320815ff416c02cc7070

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2993a1a20a4007021d59791b50e59c52

SHA1
1d2215b3d1bd9fbbafe457d60f06de0a95b114d5

SHA256
eb330b9a6cc35e5158e11d560615a13714470353cd185dcffa4a5d3947b58e89

SHA512
59bf87dc8a05d5f70f9a0d80794ae0b82cc63a7fd7f5fe74952f2efd6e7e15d610e91e84c5a73b3539591aefe5ff68ba85a5ece0f31fea728704ad5f13e906e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c0458d02f267d0112d0b33183f0622

SHA1
4831ce5e751ebbb12419ec815b1e280b935ca0a5

SHA256
263488587f5eeb66ef2642d266214f5704bbeaae71a17f14434425756648afdd

SHA512
4a3b15a624cf62e1882f2d20f188939642a9367939149399cecb181fa5988856b935f8244a4f90fc59aff773bf948e5b8830e3db8816e4ac4a1a54fc54ad09ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19e28c7360b1459651928f221cbdfe2a

SHA1
6579fc1d07df81f51a67f9dd0d5af086acf5b985

SHA256
8d4f5099fbb38aa4d9850617967e1a7672b6924901ebde6f0b084646de937315

SHA512
e5e215a4b48dd6166e8ed7c6821a6e5b423f613e9b9ed9c2b72f44be0096bb8704401a0cb948e40d5fecae0c18d2db62074a7a6fdbac218c1b7676235f1678d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a2e80de949f013d537e3b1680ea754b

SHA1
163b696013874253020f79206888027257b0ca97

SHA256
4d94fa8f69bb2380a8db44a444da212c7e043cc0d1d82b431ba4758ef7565d0c

SHA512
2c2bf6841465bee9b70b9219252638d8f32ffb3b9d511138316c9ede85b243ee5ba8c03f0242ec6265b6e23016ecf2b6cea8ab6ad15471b3bc875ed6604d6244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7be6228281f767f139e5e8c33f53d457

SHA1
aa1c4bcccb25c965fbb755d9a55a4cc69a1e7623

SHA256
f3b153d4c343653e8af78fed609c4b7ca159b5e98b5d2fdcf267b945f85dadfe

SHA512
d633016bc98c43348516ec70ddb665a2a0e53ec65f40fb85aea26f99f37ee8035f19e33de35516e782e86b6aa54976dd5d01f312cd48befa203b43394e2d83ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CC3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3DC1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF300EFB5D1D138019.TMP

Filesize
16KB

MD5
fde6e9226bb9e4eb15797a61ba46171b

SHA1
4cf7c4647e39ded77fc1768ee95adebc1ff7946f

SHA256
3b8d064c1787fc9606089a2d80af581d3b6c673220ba620bb285e00177e63902

SHA512
a363f986e84adc9c545c6c783ef6ce6c7a56b36064596641573bdb238a236a7c164ec187549eae7b440a8ac7630e6acde5b51902e28c65988a5a17c8818192bb

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
bee6f1f011766a1f40f0318adc585640

SHA1
f9452d74dad86e1dd38108965e40585ff8ef7951

SHA256
c8f1baab39b7c77de4504ce7f758ef46c0659e01f6af6922d1a4518687aa6ec9

SHA512
13714e5ab6d7da1ab4faa85b4c9801866ffa89f5b39aa053a03aeb13d4adbad4d9bc518f5586a18bb0bc7723f0e6168940ed70d7d6cf71d82120135fe0d51bd3

Download Submit
memory/1300-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-8-0x000000007722F000-0x0000000077230000-memory.dmp

Filesize
4KB

Download
memory/2612-9-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2612-11-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2612-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download