ramnit | abcbd9fad16fea09159c654f31d1527d25760ed170b36a4f36c3e0dd8d596a7c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Size

206KB
MD5

e320ed42adfef901466b464fbdc07f07
SHA1

8e090bb433f2cda5b901af21c45758b524c3f10d
SHA256

abcbd9fad16fea09159c654f31d1527d25760ed170b36a4f36c3e0dd8d596a7c
SHA512

260f006969ed73e1b66b05761689a73084be661a881de805df80e472ef9a4987b2c1ca832c2a7d7dd93c24d02c72c849ce9a08815ac5587804cdf3dbca8eb771
SSDEEP

6144:KeKUjCBc65/+77FLpyemR52Fy1+jmVsnR/kRbcG/I:KhU5g/+77m5YXjmVsnRMRbcG/

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Deletes itself 1 IoCs

pid	Process
1220	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
2904	DesktopLayer.exe
2672	egofi.exe
3036	egofiSrv.exe
1776	DesktopLayer.exe

Loads dropped DLL 10 IoCs

pid	Process
2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
2672	egofi.exe
2672	egofi.exe
3036	egofiSrv.exe
3036	egofiSrv.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4A68CA9C-9D14-65C9-C7C3-F4BB0A3D8524} = "C:\\Users\\Admin\\AppData\\Roaming\\Vody\\egofi.exe"	egofi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 1220	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	38

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-0-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/files/0x000700000001211a-2.dat	upx
behavioral1/memory/2432-3-0x0000000000220000-0x000000000024F000-memory.dmp	upx
behavioral1/memory/2152-12-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2152-15-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2152-17-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2904-34-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2904-32-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2904-31-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000700000001903b-38.dat	upx
behavioral1/memory/2672-48-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2432-44-0x0000000000330000-0x0000000000397000-memory.dmp	upx
behavioral1/memory/3036-60-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2672-56-0x00000000003C0000-0x00000000003EF000-memory.dmp	upx
behavioral1/memory/3036-228-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD430.tmp	egofiSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	egofiSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCEA5.tmp	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egofiSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25662FD1-B87F-11EF-833B-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440166037"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe
2672	egofi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Token: SeSecurityPrivilege	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
Token: SeSecurityPrivilege	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2820	iexplore.exe
2820	iexplore.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2152	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2152	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2152	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2152	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2904	2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe	32
PID 2152 wrote to memory of 2904	2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe	32
PID 2152 wrote to memory of 2904	2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe	32
PID 2152 wrote to memory of 2904	2152	e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe	32
PID 2904 wrote to memory of 2820	2904	DesktopLayer.exe	33
PID 2904 wrote to memory of 2820	2904	DesktopLayer.exe	33
PID 2904 wrote to memory of 2820	2904	DesktopLayer.exe	33
PID 2904 wrote to memory of 2820	2904	DesktopLayer.exe	33
PID 2820 wrote to memory of 2748	2820	iexplore.exe	34
PID 2820 wrote to memory of 2748	2820	iexplore.exe	34
PID 2820 wrote to memory of 2748	2820	iexplore.exe	34
PID 2820 wrote to memory of 2748	2820	iexplore.exe	34
PID 2432 wrote to memory of 2672	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2672	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2672	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2672	2432	e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe	35
PID 2672 wrote to memory of 3036	2672	egofi.exe	36
PID 2672 wrote to memory of 3036	2672	egofi.exe	36
PID 2672 wrote to memory of 3036	2672	egofi.exe	36
PID 2672 wrote to memory of 3036	2672	egofi.exe	36
PID 2672 wrote to memory of 1112	2672	egofi.exe	19
PID 2672 wrote to memory of 1112	2672	egofi.exe	19
PID 2672 wrote to memory of 1112	2672	egofi.exe	19
PID 2672 wrote to memory of 1112	2672	egofi.exe	19
PID 2672 wrote to memory of 1112	2672	egofi.exe	19
PID 2672 wrote to memory of 1180	2672	egofi.exe	20
PID 2672 wrote to memory of 1180	2672	egofi.exe	20
PID 2672 wrote to memory of 1180	2672	egofi.exe	20
PID 2672 wrote to memory of 1180	2672	egofi.exe	20
PID 2672 wrote to memory of 1180	2672	egofi.exe	20
PID 2672 wrote to memory of 1236	2672	egofi.exe	21
PID 2672 wrote to memory of 1236	2672	egofi.exe	21
PID 2672 wrote to memory of 1236	2672	egofi.exe	21
PID 2672 wrote to memory of 1236	2672	egofi.exe	21
PID 2672 wrote to memory of 1236	2672	egofi.exe	21
PID 2672 wrote to memory of 1060	2672	egofi.exe	23
PID 2672 wrote to memory of 1060	2672	egofi.exe	23
PID 2672 wrote to memory of 1060	2672	egofi.exe	23
PID 2672 wrote to memory of 1060	2672	egofi.exe	23
PID 2672 wrote to memory of 1060	2672	egofi.exe	23
PID 2672 wrote to memory of 2432	2672	egofi.exe	29
PID 2672 wrote to memory of 2432	2672	egofi.exe	29
PID 2672 wrote to memory of 2432	2672	egofi.exe	29
PID 2672 wrote to memory of 2432	2672	egofi.exe	29
PID 2672 wrote to memory of 2432	2672	egofi.exe	29
PID 3036 wrote to memory of 1776	3036	egofiSrv.exe	37
PID 3036 wrote to memory of 1776	3036	egofiSrv.exe	37
PID 3036 wrote to memory of 1776	3036	egofiSrv.exe	37
PID 3036 wrote to memory of 1776	3036	egofiSrv.exe	37
PID 2672 wrote to memory of 2820	2672	egofi.exe	33
PID 2672 wrote to memory of 2820	2672	egofi.exe	33
PID 2672 wrote to memory of 2820	2672	egofi.exe	33
PID 2672 wrote to memory of 2820	2672	egofi.exe	33
PID 2672 wrote to memory of 2820	2672	egofi.exe	33
PID 2672 wrote to memory of 2748	2672	egofi.exe	34
PID 2672 wrote to memory of 2748	2672	egofi.exe	34
PID 2672 wrote to memory of 2748	2672	egofi.exe	34
PID 2672 wrote to memory of 2748	2672	egofi.exe	34
PID 2672 wrote to memory of 2748	2672	egofi.exe	34
PID 2672 wrote to memory of 1776	2672	egofi.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e320ed42adfef901466b464fbdc07f07_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
    C:\Users\Admin\AppData\Local\Temp\e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2748
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:209930 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1860
- - C:\Users\Admin\AppData\Roaming\Vody\egofi.exe
    "C:\Users\Admin\AppData\Roaming\Vody\egofi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Roaming\Vody\egofiSrv.exe
      C:\Users\Admin\AppData\Roaming\Vody\egofiSrv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd9dfee3a.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1220

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdce36d8a0169898c3f9079672b31125

SHA1
ef7e6a6f9d486cfcc672b7355c2a9cfb2f16f043

SHA256
3eebde3dce743449b3ad545b469d43aa4d44ae5846c2fa1f78f15e373e666626

SHA512
c3d768153ba186ff49c673e11a39f0fff93314c8ce1ef40bcc3011455ff4380a834d1b3e327f29ffe7bb85bed59aaa5acd9bf0440558a7b21ddc973cc7cae7ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcaab230353f29a89000c8a5736f1607

SHA1
9e6ff247c7c46ce57b26f3f444b4178f9d3edea3

SHA256
d24439faad19ce7432aca7e786783a13b8de89c51c0eb5caa0d5e383b1fc09f6

SHA512
df05786e08f5f6391c90c07dca4309b15b90f0bb604bd8e7c260309e91bdf29c5af4be2312688752e86f6c9df6483944f06117ed57fcb80b1169c593c2452ba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abbf13bfaf7bfbfea335f9ad2a59eba7

SHA1
9ae349ba438e16949664c0ed62cd6aa296348c6b

SHA256
8c9b2426043013adbacc14c9a6edb5511146de36c483512464923f664d00b8b6

SHA512
d2ae4ae39384f3efbe4bf0c1843f4b33f705e2477f926666217acec013fc9621a7177cdfe8f8e5e327612dee2d9cb9096f72acc8927a4031d66b708ca418702e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
837bd42bd464f5df9bf3ab2706f07ec9

SHA1
c1252c6bca907c7eee3cb35eeecd0a4585eea6e1

SHA256
5675323ad4aebc5dac4ec6de6a5a07211d545e6fa4c08c72560aeddbd231473d

SHA512
3353f53b8a7e7a7cb0a4c449fff8059435d281d393c21b8468afe6789fc61bbfdfb7ee1a0835041c0d629be021a1fb63e37f738dc9247f7ec8074c584fbaf76e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c502b421358dbc220cd29e5a5f107fde

SHA1
822af1239604ce6593a05622b39bcef7b60d9eee

SHA256
c4bb6e734ae204f41c268ee092f4e8ad483c42fd36bea5d34b2dfa58a64f8f37

SHA512
816ae53d52a87007cde0adad4b7014f7e046fd089aaeb124a2e5fb11a132faa370da1699d802cbecd23f8d554bdbaa470ddc359362c262a87fa842b8a681e6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b2a4a401fc324c6f93b10108690234

SHA1
c862937925360891fea54d79bfe80d372aca233f

SHA256
452006fbe33bba3299936911c1b125c1a6b559532cf21d3ddeea531b76ad5f50

SHA512
3dcd897e9f720ec4934cc3b380768ba780a08b5c388406a3b3cde7830c0cb42cadcecf15e545a1dd0569b6d8cb2c0dab26cb4018e1c424287008134d481874b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4a9d6748ddb43f5bd866421876b1a0

SHA1
622f7c664bbb3d724100b54c184b3b0f340420f1

SHA256
0d6cecfc3a3f0a4022d9131afc1f247ff6c559740585124e53f1e5cb7faf43de

SHA512
64db299493f55784c382143c69e3d2c84e1699f1691d2ca4543c4ba8237616f3c104489664c08640fc3b5b12c250c960f78123778a01b72c44550a2950530325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aa5f5b6e2c54eb21fba3394a8112cb1

SHA1
43caa85a804e43ffe31f70e11e6927dc2a5fade1

SHA256
d75171dd8de6a341d9e896bcbffc2a75d57d9bfb9575aa0beefee8cf89dfa29f

SHA512
ee51661ce5bb0058b1d25268efcbdf5b0ab575f27af74ae8d24b73881af89abf68841363cdd10aae88a913295535d7d5b41eff405aa46c3392a42884940bb2e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f62865ed9a1c6ddc5c2aba0d6a8d33ff

SHA1
26c0ba375ea44249a7052cdefb42e240af59eb4e

SHA256
7c0381025c4d5d8b10d7139c0a559dc70dfa8923d83b44c026521881fd2681d4

SHA512
801045d4dc58904d350692ead20623f423eff338b497989b0d46a2da1c2ca50d336ff1872ca1a9967d9b7e3e041fe6bca99ab4f2c8f97a02d9c6e0a3f577cb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d46b121ba79e4feade2406bed5c9662b

SHA1
12f8d1ed425c95bf4c7e20fcc03c1558ffee488d

SHA256
197761878bee9f5e2611a4fbab780af15e35f2dcab561294f9b7578b4ca2439b

SHA512
d7178c1720c76ada9fca2596169f4bf8f70f9381d505ef7214e6a53b32e6f2080deacd8b1f213f68b22a5d62561db318476979b4cefaacf426a18ab5da9923d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c15a98cea889d2f07c167634d5bd16f

SHA1
e00eb6d85cc662f0e92a1d070f7d8313fb3c55b7

SHA256
1fa268357b99052d18f74ba59c594d46bc77941c281038edc7f494fbaff9d3c7

SHA512
1fa3603b3b70842471c6515f3d6ec6cb7104347eb44a7730326a1ffd20449839f88eeb9377da7b490904b08320cba9840690963fc5ba82578fb54e990d61af27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
210c474c70c267ee4f78d5e4eae4a309

SHA1
8602515c697e577c7a1c3e741678fb806dd5bdf2

SHA256
5a699a871f755813b44332537b8460f7ba4aacac4f212a76069b9980cabe9a89

SHA512
78691c8a580dc071dc90b59cab29ad1e7b305d4923aa6ca552329a7aa591fcb8d6c68ce6e381c952feb3eea6cb9177b2f96045ae22913787421c70a8512d4151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a5f76f0e48cb4b38ea33cbe6fbb746

SHA1
b53f627f4eee4b96bdf48a70c88db36ce8ca3ff9

SHA256
725f8616fbf4ac9404131db7cfa8b0276bd40bad1aa47edb64c79edf2192c31a

SHA512
aa7b400bb9335ff4986bc1553f041145ee54441e332506a2cbc38cfbde6749e0055a49ca19e59c3772154dc5138e83d072feb3fc3c7ddee8c833ba887442fb94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9375d0feafea5ad8a201676c22e9d04

SHA1
59ba7ba0d531f42e90063534b3eb45f110440e6a

SHA256
b7c12ac7635a494a1e8a749d50d8b631c443d8a74dbbc214276c6d6d4fa846a2

SHA512
ec7216f4182d6697f4481a47c3c90380cc10447deb58623488df17a00658903bdfc346ad1d775bac0e4d781ddaff4c76f8d6c94edb625f0a90c51bab305fb1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8951adad9d4fc0ceb0d24bd8a3b2589f

SHA1
96dc48325102ff5b4e355d0bdd07067e147311fc

SHA256
2daf4bae5e1474f4f90482017039279f3a5037f9501d4d2dfeddeecb9c339abf

SHA512
7800cfc3f6e3f344461b3af393d7ed17248b6e4485043dc1b041e3f489d4861de23f25fdbf6d36fd28c2594b0ead36a01966e33a308e884cb6fd50f96e73b9df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b4dceb8025e277a51a898c5b9814fa9

SHA1
e07f1fe03352e3d8b08e36928be70fa3facb6ded

SHA256
76fdde4275cb02b3c86ae40d5d7cabcff16cd125847fca6e001afa88a5c4fc77

SHA512
38e5a9cc07c88086f17176dd9b9e7aa4ff8840a51c031f18d1e393fcdac3b0b2be541ed27b0dd6a7c37f1c59290be5b754bb8bf6fc94b2e5ad2b22f0a9abe837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ce530f5c6495b3f21d3ed8a5ce76aaf

SHA1
17be36cfc082ab7c7da549a72fcf1ff99f959df5

SHA256
10af3d308153c09168615c004671b1055d410f421f6414ed70cbcfa24529e871

SHA512
eea66516e9146988d44e5f3a37ba556e1d2e5e016b9d64aaa7238ac171d075aa1be4eea308755ff15345a2e6ec9e6de04cb88a3800a2b70967bb8eb34ac82c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1e7ebb8d1e27a58bac44bcf8a93820e

SHA1
838b0ad96503b4dedf3d740b08019d871c5ab4b2

SHA256
85c06eb8bd2d2f22ac6b447006e8b00a999d39ab5bb5970b1c1a50d19fe3aedf

SHA512
4181b2029796560aa5f6bfb8839a923b7c82453d26fc4da32a7f8b128dc332340b59c148b82ccbadbc7c6a83ab0824860b4ba78275d244cc9a54ef1c529770b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE591.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE602.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpd9dfee3a.bat

Filesize
271B

MD5
76a000c3669fd9184cba26638b4ad111

SHA1
c77d6712658e14c58fe068dd3baeb723360d37cd

SHA256
6f3d375f230e2ab75c91050ad49f5681ff3a95f14babfd79c82ed78c1ab31dc4

SHA512
f5cd85e20a352944071e2d405ec0a921288e1570b4431b3c5c25de23fc834bac86da2fdf0cfd32f6c24048b29d13d226b84c55f057d6de6824537e6f401a35de

Download Submit
C:\Users\Admin\AppData\Roaming\Soqu\nuib.dys

Filesize
380B

MD5
1a8a69dbb9a8ebbc814cf5df0c338b2c

SHA1
9446bf62dee4ca428bd0858ce5e6bfeef8b4cabe

SHA256
879253f6aa041e33cd43442b83252e9016c8add81fe6247fa9026a9a77ec17d7

SHA512
b58dcdd7d25f4abd8a1675de94b2ceab65f3fcc1b6b7e12eea127e5b3a6fcde4bddfcf85bb76f83d0f0dff0f21f19fbde739e18d566a89d816aecd9ec8a0072b

Download Submit
\Users\Admin\AppData\Local\Temp\e320ed42adfef901466b464fbdc07f07_JaffaCakes118Srv.exe

Filesize
61KB

MD5
1e28b93df4dc13ba183d7cac665bc45e

SHA1
9f91ec079b5033516398e65970431602ba51647c

SHA256
e6db1aa577d981ff37dffc63cf7496a94db52e27c035f59983236cf1117becaf

SHA512
f133fd3ce7ddc48f090f3f94c98ea8b3b6ad017fc774c43d691176fe3f18a499de890be3aaaadd36299df41ea0f705a7375a6772409efccd11991bc49e4d7331

Download Submit
\Users\Admin\AppData\Roaming\Vody\egofi.exe

Filesize
206KB

MD5
f78f0aeef80e94cbdbba139bfdf5a40f

SHA1
c4cf8e744ed53dfc63adbd05afd879774ca4ba10

SHA256
eefde8af92c9d99a58e654f89785c7ec1d0606d7e4c23cf999a0893945dc61a9

SHA512
9455f9748b1ea43a74df0bb1066e1aabff358b23144fbcaf100fda95c83f76ecbc45f00de975be883368c640208648b320b871fafd14e09d8f225ba50827a642

Download Submit
memory/1060-101-0x0000000001F80000-0x0000000001FA5000-memory.dmp

Filesize
148KB

Download
memory/1060-99-0x0000000001F80000-0x0000000001FA5000-memory.dmp

Filesize
148KB

Download
memory/1060-97-0x0000000001F80000-0x0000000001FA5000-memory.dmp

Filesize
148KB

Download
memory/1060-95-0x0000000001F80000-0x0000000001FA5000-memory.dmp

Filesize
148KB

Download
memory/1112-69-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1112-67-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1112-71-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1112-63-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1112-65-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1180-75-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/1180-77-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/1180-79-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/1180-81-0x0000000002140000-0x0000000002165000-memory.dmp

Filesize
148KB

Download
memory/1236-91-0x0000000002E70000-0x0000000002E95000-memory.dmp

Filesize
148KB

Download
memory/1236-85-0x0000000002E70000-0x0000000002E95000-memory.dmp

Filesize
148KB

Download
memory/1236-87-0x0000000002E70000-0x0000000002E95000-memory.dmp

Filesize
148KB

Download
memory/1236-89-0x0000000002E70000-0x0000000002E95000-memory.dmp

Filesize
148KB

Download
memory/2152-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-122-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2432-109-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-10-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/2432-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-107-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-105-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-114-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2432-116-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2432-118-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2432-120-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2432-113-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-229-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2432-9-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-363-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-362-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-111-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2432-28-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-3-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-29-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-44-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2432-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2432-46-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2672-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2672-57-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2672-59-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2672-56-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2672-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2672-473-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2672-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2904-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2904-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download