ramnit | ea859e9f82209b1f68c99450ed77a18e34ddcf8d5707dc2508223b84b338e761

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b1e111ab416da38335eafdb487cd4a_JaffaCakes118.html
Size

389KB
MD5

96b1e111ab416da38335eafdb487cd4a
SHA1

0eb7388685e48684e5979f5c057ab4fb1ecff3f9
SHA256

ea859e9f82209b1f68c99450ed77a18e34ddcf8d5707dc2508223b84b338e761
SHA512

7374684bb76e980f49cecb9bb6feb47d7c8be9cd82981603ff9f810f242a56b7984cef7f300684dac779a3c97b01794febcf3010b5323768c74d320649284a66
SSDEEP

6144:LdsMYod+X3oI+YmZuuShKAsMYod+X3oI+YmZuuShKS:d5d+X3gJ+5d+X3gJC

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2456	svchost.exe
2252	svchost.exe
2976	svchost.exe
2984	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2952	IEXPLORE.EXE
1600	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001937b-2.dat	upx
behavioral1/memory/2456-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2456-13-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2456-11-0x0000000000280000-0x000000000028F000-memory.dmp	upx
behavioral1/memory/2252-449-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px6ECA.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px14A9.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBBFF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBBFF.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93368771-AA98-11EF-8BF0-428107983482} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438637644"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2456	svchost.exe
1500	iexplore.exe
2252	svchost.exe
2976	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	svchost.exe
Token: SeDebugPrivilege	2252	svchost.exe
Token: SeDebugPrivilege	2976	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1500	iexplore.exe
1500	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2952	1500	iexplore.exe	30
PID 1500 wrote to memory of 2952	1500	iexplore.exe	30
PID 1500 wrote to memory of 2952	1500	iexplore.exe	30
PID 1500 wrote to memory of 2952	1500	iexplore.exe	30
PID 2952 wrote to memory of 2456	2952	IEXPLORE.EXE	33
PID 2952 wrote to memory of 2456	2952	IEXPLORE.EXE	33
PID 2952 wrote to memory of 2456	2952	IEXPLORE.EXE	33
PID 2952 wrote to memory of 2456	2952	IEXPLORE.EXE	33
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 384	2456	svchost.exe	3
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 392	2456	svchost.exe	4
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 432	2456	svchost.exe	5
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 476	2456	svchost.exe	6
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 492	2456	svchost.exe	7
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 500	2456	svchost.exe	8
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 612	2456	svchost.exe	9
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10
PID 2456 wrote to memory of 688	2456	svchost.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1756
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1932
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1140
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:284
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1052
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1072
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1184
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:484
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:320
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\96b1e111ab416da38335eafdb487cd4a_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275467 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:406543 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be006dea658107c407c205f6f3eb552a

SHA1
4f8beb6abeade6a7eb4f32aa50f5aea48a2972fe

SHA256
c781c5d85b05a42f387ead20cc6c55733867e5f4f7331453bf2d7a03a5dbd30f

SHA512
3516d15a7db9730b31081a4e0052c75768e54b23b75d3d594ef7acf54262818f18da25baac42197ce84c9b1296419357e8b992be12bb2c60a34aaca90c1cccaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c7203e1b2b7936c896f1949433a56f4

SHA1
6eda8f5f988563deef346b89000995229576a5b5

SHA256
d0b433e26ab2094144f80ea30ae835e57c82075da62ecc4e8ee0003554c03583

SHA512
fb51668ec3d538d2e789f97b8bcd2baae612e4fcb920097a9fe331c2f27cb29354e6b0663cc9ae7d899be76ae549532f0f5a2e10f09f60464202afa225fa2824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b7433a9de15fdc90c565d84c9114987

SHA1
54da8779aba2fab43f50082f7bed4d184dd1d9c4

SHA256
bac9e5cef9092c0d50e145a03ce018b1ec1994520a5955da62c1be9cef323722

SHA512
596f443ba8caa69a8f23a353ff0ae49f6df61596563ca51d1dbb5976b6abd3c66f89526eeae9eaef86ca07b4959f5990d4438495cf10fef492ecb0a8fb988cc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd4a4c6a2adb3f9978242317aa15af55

SHA1
54f7d8a9b339ac87476050c02f8c036615d59877

SHA256
54600f971a3d8582027f480f3f6d5c944ce488cb0b1634d2be1dc0d6bfaf2d7d

SHA512
3b8f20a1b77373350da168071d0651c24143b1ac17ffdfa2285f421f104dcc48cadf81069a5c8bbc114969cdc493fe223a239e6816c25218c94e15f5d15352ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0858cc5feb8bbeae7c1d45b545a7cb34

SHA1
844ceff369b6931acb9d46a7205b4b384b362637

SHA256
e97330aa67ec08e8608e36d3fb6925ea5098c0cdbe793487006d460cdb9ef565

SHA512
8118e63c86eca554d4e42866c43caf14d4911ea4df94cbd3c162a257dc70b2b205e104c67331b1b271c9616eab2ca9c8d6ace5db45e8578b55f385e89b3d01e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6eb4bbd71924b8117c2eec1d4722c34

SHA1
60ce4d40c133b40a141a1462de274a870279811f

SHA256
8a37b912701506b6c256c2375b3e9124603c23507ff50716fe5042db22d27a91

SHA512
94b9a3832e4c9a3cbd1320867d1285c68c6b8f7a3d7bdf82a1ba0d7cd940ef03a84507e74c5202de899244c6de184d47448167e261dbe524f47fe0d72a250828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eeedd4486cc57327e3ef1a27bdfcd51

SHA1
3007266c90beb536bb3f2c1a783ab172e8c460cd

SHA256
ded4db363c7bcb5495bd29e4ebd50db37a4fb438ddc85908c12f552e7edcf23e

SHA512
0ef8b364c8fd759b4bf9492c5e29435fe0d7348cb0edb15dea95d575e47c743e77089b1ddd556b6827983b72c2dfc2cbdc884b5beceef7fcee73332749d84a73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0d95a613b1e51756df63dbc894477fc

SHA1
e1aedc480c2ab8afecfb56546e2ed9acf4c3cd1a

SHA256
2ca0c613a33c8b9bb51997f662d70b523b467daeaff9c71a41c47a123db1d08d

SHA512
99a5b0c6432fdae15bf917742051f4407604191ff7d0a30eb043013a0977c91f7546762ef6fc809568adf5ef0661d70c036d268614957684716a218894949152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f89fc4f4055d0ba52991fec3de6cf3ae

SHA1
f607c89f97a7c740db5630f1dc698defa1821560

SHA256
bb2e48efaf083c401a15e15725ab0c434d2f86e219566e86338bdbb5fea2e5af

SHA512
d049dcf753ef2feaef96c97b5ea0acd231ff4f4c510335eb258bfdcf87c9304b0bdb58997b0f15f0a2af22336e94f7950cacc3c8e080c94567a93041024baf42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6506ba50af31728e1ccef80c756df920

SHA1
b08f33c8fffaf57203491edbec4e2f31ac3f82be

SHA256
0ba2d0b9d834e020dee29bb6ad547f5f91c6e1f5908cec4016354762dee6931c

SHA512
75fdf3c4f860f619e30e6d08d085f6bb4598836906b4e5ce91fdee6f16befb9c37f404729b22e78014faf6d3bb000b05c3371193c21ba9a89b4326e5d9f32cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be162897af9d04a43a9a803776914d7c

SHA1
a1636fac5ce948ec7b55c559082dcbb6f4a3105f

SHA256
d92c5450d14ed646361d0bd434e2af6411c7e0235c80aaf4fc96322e74ccfae4

SHA512
95556476cc7f544da48dfa68a650b7a289b1672d5e68142afa90e68b9e1b58f856a48710b16b3e1ee3a76dd82704edb015811d27cfcdcae055d2f1e75196c1ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2e280bd23942f228151b98216cf401

SHA1
7eb9d8d4b643fba62490d47c9803262287f643a6

SHA256
6de0fbc0e268a8b8c197db94ed3f060ea497e15de1571ed70d01695622399060

SHA512
d5ecdeff987afcfd4ec3a29ab355fb1b9b29db6afa008b3a8e11cad2330aef63c5b8fbbc5dac9a1e79e61293075c2cb2b6f95f6d7a4f42a492c78c851c5f9ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
538370c937e1b36e1f7f2333f44283fd

SHA1
b13c6eb2e29fa9d78d4f790078d4300c10bada01

SHA256
fdd9031e750f0914a0ac3804d6664e773f7dec05339ac202ace3672c499cd7fe

SHA512
80a6971363372d9dd2c8622be3a66034c68243b75f09eca112fe0021baba672731ec277ac97f8f2a3ddac8a528927ba2f4ebd208dbef6cc34984dc5b0187cf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b375c72bdc963f5591244feb79ea63b1

SHA1
d4dba1f2a42afbec6b770852ab76577823b74b9b

SHA256
cba99fe0310ab985cb85e521e7ccbd49c3abcb0ff0ac81e7e7ebbaf58e91aad8

SHA512
9429f96d9895bf6cc8b598659a8c4445f0ac83f12079653a1b06e3a1396b42f51a6197f6af3759728aa5c423801b3810b4a55237e5515ea33c1a73bc205aaa67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a94b347df437df96d0adaedaab831a39

SHA1
5b878ab9838ea6c9925e0b494243a3a3b5a2b2f8

SHA256
7df005704d60936eb50fd0e3e9b55da8004d66a29f49d398959cbe920e784cc3

SHA512
4935ee9f145cfe11c8352e3bf8674ece375efcddda53f709626902fb82478eda5b25b7441c607abe69d90bec78b616ab7822882ec1afc3dbe8e4d04128f075f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c7fbcd5458e20bab762544e13c7265c

SHA1
7b1316bd317d6910b969cfd00cb0a7d95567b0cf

SHA256
6d8379fdf633766703bc8dcee8d0c28496a3040fa7ca1a0c1f47f903fefe36cc

SHA512
77b43452dcb0c82278438086d5ca58d0ce2028e10ff5c41d8b891c5302fe4ce568064f832b1b4f7ce083fa75e96fb289cb0a5b96170d355e1949cf07cecbbe0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adbeba46aeea36110ed62b42d2e838a6

SHA1
456811234f920e6a5b8699d4ac9ddaf742b0db82

SHA256
1892e64d9d3d5721c55cb18c1344350e3a80f21933dbaef09be46bd916e24b24

SHA512
3ad961d2c44ff32c0c4b08843b29d1395b263d1559dee9d2785037aa463e4c0166b918c7e68034455cfac99309b7c56c543e12801d09b71dbe29ea57d70db521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
525180b95e56408db716c31ecfc55951

SHA1
e8704155e0d9b4696eae90753b04373e15bfbe58

SHA256
d5c5e2e02ffeda4393c3dcc1f6ea94bb8b260bceb25c5e2cd5cee2920b00d05d

SHA512
d8c7fca942fbd8808f5b63741e92452b6d5d1dd6d3c472c127370adbb430f7a3c8fed23e61c801e653b4455061db7fb9627592bd8be7ee9511d4e51291575de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28279feca2b61d04e117b2c22465e04

SHA1
510f8572fa800e6d6b270c5d5631e8462600b07d

SHA256
2d2049056206575e6b658928be96260a929376067e59a968f1d4114bcd2a3780

SHA512
9dbc8e20554dd6d2dc18358c23797e820b36561a45719485b045ef46dfdf8936215e1c0e3ed8da91712a2c8b74e952a256561f5e44c52fb755fe4df2a76c2c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC4E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD3D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
4285c2096de2389c54694f2bb2f75240

SHA1
f8f41a33c556837abef98c0805502e0a24edf3aa

SHA256
7427b5a5d0a2768268607c10860fe56729572685813fb33df8c9f08a02509867

SHA512
a678f099dfebada9db01f759bfc5e3e06646628e7c4fc237db85a0b29f6924a25d18831d72b871e1c32279731bea12e5021017ce6174765289aa2a52311e21aa

Download Submit
memory/2252-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-9-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2456-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-11-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/2456-8-0x000000007775F000-0x0000000077760000-memory.dmp

Filesize
4KB

Download