ramnit | 93bd6f9353dc15abb7345de493404091418e5cc16eb4176ebd6ac1627cca589b

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8ebcf948abb735bc7cfa3ef12ea596_JaffaCakes118.html
Size

730KB
MD5

dd8ebcf948abb735bc7cfa3ef12ea596
SHA1

9919173d5a8b145d938303d707a0e8137ce4300a
SHA256

93bd6f9353dc15abb7345de493404091418e5cc16eb4176ebd6ac1627cca589b
SHA512

6aa484ec7b7fb2ea6f41d9b909f9de02ec63455732aa2e7ff76f10e70fe57061f3cfc73a9dc706e11ece7c75baffb41d71e0467813c5db6cb6e589c9bac277fc
SSDEEP

12288:v5d+X3r5d+X3u5d+X3y5d+X315d+X315d+X3+:f+j+s+o+5+5+e

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
1704	svchost.exe
1012	DesktopLayer.exe
2824	svchost.exe
3020	svchost.exe
2056	svchost.exe
2632	svchost.exe
2596	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2288	IEXPLORE.EXE
1704	svchost.exe
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019377-39.dat	upx
behavioral1/memory/3020-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2824-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2824-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2824-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1012-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1704-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCFBD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD098.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD0E6.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD069.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD098.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD0C7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E598A471-B6C4-11EF-810C-FA6F7B731809} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000008f2617d340dddd53f2c9dfcad1ec3dd6edcdd9c70147c58e865fe5e48f9ed79b000000000e800000000200002000000011a66b8ee56fb1c2e6aa18be33f1df50fdeb4997fd3d3c8bdfb277da0d3f6b8190000000f629b326f9eec88ddf19797eca9a4f474303b9d405aa581ca274e5d7b53269098192b49d34752748f21f86ded6be4ad25a18f9e117c31bdf5e19fc0c4096063917c51b4af733dab2fc8e2f04deebebc8f0b6d172e011523e2ce299339779558996a84c0d01448d9e0939a8d0adf0ed80ab4ef9d2e90661e584dc3be08f94472223a7bbb757fe0fc442e77225518b122940000000fec5be0606f014dc6ef7cd5ee2bd3e332f86cf237ae3f073b8b23a1995ec422cf65a3022f4a5f5e24c02d0f040be6d7651cb178c39286127d7a68f88c013044e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f25bbad14adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000003e78ba85d9244a57262e8aa80b62288aeeb4f6996122bd50278223eb2ec91e54000000000e8000000002000020000000bc69f94583bbc9ee6be80d098168d91ae811bcbfb3bfd120a4423d2b2508025b200000001c35624e8903e0e1beadf4733ef9565ec1cc4a038233437f39af88b9ead3c1b1400000006ecfea3e51b75660ab6b106581036e2c999a1703aba83ca368cb42fb0547ea3cef250843994932fb382932acba9923e1270d02e5a4a03cc819aed7835f702d1d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439976092"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
3020	svchost.exe
2056	svchost.exe
3020	svchost.exe
2056	svchost.exe
3020	svchost.exe
3020	svchost.exe
2056	svchost.exe
2056	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
3016	iexplore.exe
3016	iexplore.exe
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
3016	iexplore.exe
3016	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2288	3016	iexplore.exe	30
PID 3016 wrote to memory of 2288	3016	iexplore.exe	30
PID 3016 wrote to memory of 2288	3016	iexplore.exe	30
PID 3016 wrote to memory of 2288	3016	iexplore.exe	30
PID 2288 wrote to memory of 1704	2288	IEXPLORE.EXE	31
PID 2288 wrote to memory of 1704	2288	IEXPLORE.EXE	31
PID 2288 wrote to memory of 1704	2288	IEXPLORE.EXE	31
PID 2288 wrote to memory of 1704	2288	IEXPLORE.EXE	31
PID 1704 wrote to memory of 1012	1704	svchost.exe	32
PID 1704 wrote to memory of 1012	1704	svchost.exe	32
PID 1704 wrote to memory of 1012	1704	svchost.exe	32
PID 1704 wrote to memory of 1012	1704	svchost.exe	32
PID 1012 wrote to memory of 1308	1012	DesktopLayer.exe	33
PID 1012 wrote to memory of 1308	1012	DesktopLayer.exe	33
PID 1012 wrote to memory of 1308	1012	DesktopLayer.exe	33
PID 1012 wrote to memory of 1308	1012	DesktopLayer.exe	33
PID 3016 wrote to memory of 2728	3016	iexplore.exe	34
PID 3016 wrote to memory of 2728	3016	iexplore.exe	34
PID 3016 wrote to memory of 2728	3016	iexplore.exe	34
PID 3016 wrote to memory of 2728	3016	iexplore.exe	34
PID 2288 wrote to memory of 2824	2288	IEXPLORE.EXE	35
PID 2288 wrote to memory of 2824	2288	IEXPLORE.EXE	35
PID 2288 wrote to memory of 2824	2288	IEXPLORE.EXE	35
PID 2288 wrote to memory of 2824	2288	IEXPLORE.EXE	35
PID 2824 wrote to memory of 2712	2824	svchost.exe	36
PID 2824 wrote to memory of 2712	2824	svchost.exe	36
PID 2824 wrote to memory of 2712	2824	svchost.exe	36
PID 2824 wrote to memory of 2712	2824	svchost.exe	36
PID 2288 wrote to memory of 3020	2288	IEXPLORE.EXE	37
PID 2288 wrote to memory of 3020	2288	IEXPLORE.EXE	37
PID 2288 wrote to memory of 3020	2288	IEXPLORE.EXE	37
PID 2288 wrote to memory of 3020	2288	IEXPLORE.EXE	37
PID 2288 wrote to memory of 2056	2288	IEXPLORE.EXE	38
PID 2288 wrote to memory of 2056	2288	IEXPLORE.EXE	38
PID 2288 wrote to memory of 2056	2288	IEXPLORE.EXE	38
PID 2288 wrote to memory of 2056	2288	IEXPLORE.EXE	38
PID 3020 wrote to memory of 2604	3020	svchost.exe	39
PID 3020 wrote to memory of 2604	3020	svchost.exe	39
PID 3020 wrote to memory of 2604	3020	svchost.exe	39
PID 3020 wrote to memory of 2604	3020	svchost.exe	39
PID 2056 wrote to memory of 2804	2056	svchost.exe	40
PID 2056 wrote to memory of 2804	2056	svchost.exe	40
PID 2056 wrote to memory of 2804	2056	svchost.exe	40
PID 2056 wrote to memory of 2804	2056	svchost.exe	40
PID 2288 wrote to memory of 2632	2288	IEXPLORE.EXE	41
PID 2288 wrote to memory of 2632	2288	IEXPLORE.EXE	41
PID 2288 wrote to memory of 2632	2288	IEXPLORE.EXE	41
PID 2288 wrote to memory of 2632	2288	IEXPLORE.EXE	41
PID 2632 wrote to memory of 2640	2632	svchost.exe	43
PID 2632 wrote to memory of 2640	2632	svchost.exe	43
PID 2632 wrote to memory of 2640	2632	svchost.exe	43
PID 2632 wrote to memory of 2640	2632	svchost.exe	43
PID 2288 wrote to memory of 2596	2288	IEXPLORE.EXE	42
PID 2288 wrote to memory of 2596	2288	IEXPLORE.EXE	42
PID 2288 wrote to memory of 2596	2288	IEXPLORE.EXE	42
PID 2288 wrote to memory of 2596	2288	IEXPLORE.EXE	42
PID 3016 wrote to memory of 2508	3016	iexplore.exe	44
PID 3016 wrote to memory of 2508	3016	iexplore.exe	44
PID 3016 wrote to memory of 2508	3016	iexplore.exe	44
PID 3016 wrote to memory of 2508	3016	iexplore.exe	44
PID 3016 wrote to memory of 2860	3016	iexplore.exe	45
PID 3016 wrote to memory of 2860	3016	iexplore.exe	45
PID 3016 wrote to memory of 2860	3016	iexplore.exe	45
PID 3016 wrote to memory of 2860	3016	iexplore.exe	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\dd8ebcf948abb735bc7cfa3ef12ea596_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1308
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2712
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2604
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2640
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:209930 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:5714947 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:5583874 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:5387269 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:6435841 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4dec268c334f34fe02beb5d1da2a2dd

SHA1
02698e2bf4e05d6c9114da4e933ecf1f4c2d3971

SHA256
4e176ffc0ca0b5d0f2d3302870be986d1ab5db23e72b7abef07137204ebcedb7

SHA512
9ddaeb27fb3ebb6639e738debb60cf3b453310616d6d8cdde6997361bddb38e1f76785de6cbd68a1d3efcf157ff1a4c5ee9cea21944d084f1c6107452fe621fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aafc55d52a2adb63c462920adacf401f

SHA1
25aa3fe1980efa148bf31fc3cdc38eeeb9f36fd8

SHA256
02cb45f029a9dbf14aae736fde919ee47d8f4ea1ded0e2bec605f7e678596d8c

SHA512
74aa434a3128f58ff2d8ba0a224738336c3c7476ac924970e89a18d30a8dbce8a92ab73cdc2e634353e025a3c0f606cea17479e26b41c9bf2113dfd7f89eb0eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f096f5f4b482c660ffa5a39b31032641

SHA1
5373244d3af6edcec0eaa8680dd0455647aa997c

SHA256
6e9d2c0cedc31d15c58aacdd289dd1d44cae46ec31abef4e871af22d67ceeb1b

SHA512
2faf12ed938d9dca1a638184561eea8f2347596a1f6d460aab602417f3627cf5fc8f1830811c2974af26c9a9bf3e6e163639a1e1026dabb742557c891474e20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ac522df3a71cbe4857582858b76e4aa

SHA1
877cde5c42f145295ab31ae8274214fa9cc8ee0c

SHA256
380c40e721d99a47cd89f6c7e8d1c54fbabc484e6a6ee1d4abff51ab98050e5e

SHA512
edcfa269c076f6bff53ff38695dd6b235dfae71cbe70bb6bc03577bc8c3658e78a2b1200d4318b5c76ab8f9ad474a658af7fc66749650c185fa3be461bec6657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66db63bccea9f6d7e2160f64df1a9303

SHA1
e9e8f883e79111a31831883a1f6ffff52c6108b1

SHA256
cc788cba0e2b91b9f70e8bc2d4d51743dc8539029958dc0066f106c1fdb9d898

SHA512
4e142cdd050ea33c960c55b0ac11d3fd9a2dfb04dd9f513cbbbc48bf1143e1c2360b9f31795467d6cb53d7d7c67fb333294c213f9f82e4726fd2f1e127a04f53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29fcdbaf4ce3cb509f1d89554760d5b6

SHA1
eaec0438efbfe364e24138ebc7718a95d8c80312

SHA256
b3fce6a9bc529ed8e0d6cb7aa3f55841bf8c93627b7f796463a6f0248e9d0298

SHA512
78566ad39eb50680f85bc7f82d37c7a4a706827417e4365afb46f354b8bbe459b1c9eb3f8adb722844e9b21226769d6c52e1ef0ca3df5fad194adf63fa662242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6c39dc48fe81810560cd8f8939bb58

SHA1
bca1b41775a7f5b64ddaafe7a2f40678a66b565c

SHA256
b67570ce06b7d7855944efa26e3b8264441c8aa67cbd6ae404f3c969cc942b39

SHA512
373299c1b44f3ad705c1072c7dfef1750d99c822df01635b219e7501f71975a006e0e92f265ddaf11f5b66e954a284cbaab784437cd9e5a1fc918e6ebcd72bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f299c5944c2f181744a724eae8512b

SHA1
1422aa87cd7cd9701b569da5128d9a7bb56b81fc

SHA256
904197281d1adb9a1babaa7613ee8a2b776f9b64996b0e6f95f6105c4790f44b

SHA512
54cceeb1a7dea1435811292cf654931e4b38e15f66e4668b1eb801134b654b89f2cac3efdcdb59358c5fe9dd062fa90683a02b0034175ec78172a26bfbfd9eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79159475424bbf27821ff2bf933eb860

SHA1
67878369e241c96a38141cc83883112d0f073f5b

SHA256
5cfb396cdddc7a1e7225000574c32009e59e48c4b12c8c4b74e1b69f91e53d97

SHA512
a441319d90e0449ca422ff582ad8d1bb52c4c6bc9adbc105402820c4994ff25299d0d4d0e4652d33ee792465cde6523a9162e22e71fda5909187e1ea646a1e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c23194efed378b1dc86a9f9db2abad94

SHA1
3ecdbdbb9aff0935494b530c85e860ea12d06bee

SHA256
2bed1957800c8cdbf8c4ae677c2c6e1be74a8c49da15d8f83ad789d59660cef0

SHA512
22755a45e33c60811b92fbf5473bf5bfdb180dacb224adb8db80a808989cc1242ce86f7109c91b91049a7c57e27e695a396b60fac8e5b976e6b50b1c3e78fb75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f76dbeac21dd3feaac8306b68450c7

SHA1
b873f3ac8e32f01046f9bf9b4090c05c9afe8ff1

SHA256
6d310a724f6807d4bb7b042bb51f157baad397d83421cd036e2bfb36a39a02fd

SHA512
71dab49ed08a769c521f537f48f666680107a2bca8f3e893dcb46e2efe5c1600aba8a501477feb31d1ca5d0167395f5022947e889eb80d58c4d67fabfb8d385a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dc11e0d4fbb9e99d7cc1c23f500435e

SHA1
cdfb20e0882abdf7ae65348c9cc9a2bc85668ec2

SHA256
484adeff67e9d9db812e89874a00bb61944dc80bd2ecf92915f5e06a22409041

SHA512
83236eca341cd3653d2616b5e8579dcf866f9750b123e03470d1b1aeba7306359fc8ebfd700a6e444bc770729da2692280001e851cbc961dc6f2d399a6a145d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add7f7ba23463eceb431e2d53a24434b

SHA1
c7c95429633ea0095fd6f6a65b3a3dc5a39c9107

SHA256
86bed461ef9c1d88b11b41219c2a0a200b6d7299b21648d516bc7276e602626f

SHA512
b42b535a43b79fe89113c9c0647ac7ccd68a4b7cd7d59af98e2b5ff1075923c5c9869053004a0ce41b2af58883588c09521850d38c76ae551fe374076a1d5016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60242eeaa628d728c22c89429cf4fc94

SHA1
9c19b114b0b20cf5cc5c7bbdddb8adb7ecf68e02

SHA256
04e713d4cc20b2e70e16a81387e53fc60207346741413ef4d3f4cd2c3f6fb7f2

SHA512
b49eccd21a03106f73aaeb97dde7f0355ff2a0655aa82ce527fa9dcbe0968b7c54d9fa07fdaa50dc52c796118796f9d5e777c19d8d76e47cb0fa81d1e5926856

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdee3e26a9788c6fd89686971279e3df

SHA1
9b00c9e3c230f0a64f7fd2a403f5d96ffc4145dc

SHA256
315c7157aa478234bfc62e3b1250cef3ca44900d311f3ffe206810339d285805

SHA512
b44f75189f1b6946a23b0520592ce8e8bde751e11427e3fa150b5423f8d92835f4721c6aea0e1f275ec7d260b487ca9250964d7ed7c7f8c25154f540c81e4121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c812fdab488d5d56d592950f11fdef8

SHA1
77742d5771b6e73694e7bc3daa954e48692e7f28

SHA256
d0006346bbdd137fae08b42b0bd616689579b3bdbf6842f1ece83dbd5c2b5f49

SHA512
5becdb6f44e199719d9179f3ac0952569fd837e33f9cfe1a22602169e13e390aab3bfb9c5d3ac8163bcd25255cc53c843e1e17dc5719071acdf45f111a2a9f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d688f01d582b46e39acc40fe6ca3cf7

SHA1
6857131ae7c2723c0d9df5fc50a595a399dc28b9

SHA256
ad0eb86de8c772df694e52cb73430181646723b13d977842d85bf2fd5f44b1be

SHA512
150e2b28d5cc2e34310e7d176e2f211347a6f27120357ff4e0d6063c970fceab1b1ac32033fbb83aa44ab94e1817af64c3223e248ca98364c044952001c23053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adb24c92a856c088480070284e7fccd

SHA1
ba842da60535e1235ad3a1f173545fda9be4a704

SHA256
d2570b7263a8f937477e0b2e45d54fa8a088acb8a93475cac43441dc91c80edb

SHA512
2f1f7e0cdb2d6460d2833a7e338485be278f3006a64f1e4ca0bc9230c41030e167ed614b9d2d931ceaaf3b068e5ded40186b93f2f3114cb3e6bb23463ada018a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
144a37f0521c3155516457d765d185c3

SHA1
033b1e9048566167ae0a3cd37eda4fe8c361bc0c

SHA256
5041e9507680e3b95e7792a279a96cdfcba53da3b1ce4137861386402525f68e

SHA512
726466c7d583a59102f3784f259f6e664243f6496722497e027dcae53c2d3ce738959b74efc29778d0253800ce02c6541d504d38ebdfc34e52f9bbf017a64725

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF068.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF128.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1012-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1012-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1704-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1704-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1704-12-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2596-42-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2824-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2824-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2824-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2824-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3020-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3020-32-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download