ramnit | e1a082783bc0dad2877d7e9788322bf29d2d86be9e3bbdac88fd924e95971a26

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f02dd59c5dab1e5801912141b4647684_JaffaCakes118.html
Size

863KB
MD5

f02dd59c5dab1e5801912141b4647684
SHA1

8dfb36a438ff4efdd190bd725f59520767584660
SHA256

e1a082783bc0dad2877d7e9788322bf29d2d86be9e3bbdac88fd924e95971a26
SHA512

8d8621bd63c5126288f28cd6b4f5bdad6d8fa9ec5fa07cc5e7be0eb3c85582728cffd99c6f4b6c72cae9a48874771290f4f53af2150fd49c263e1037a9737c99
SSDEEP

12288:oh5d+X3zjVc5d+X3zjV05d+X3zjVJ5d+X3zjVS5d+X3zjVJ:o9+TjE+Tj4+Tj3+TjK+TjT

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2676	svchost.exe
2688	DesktopLayer.exe
2824	svchost.exe
1872	svchost.exe
2628	svchost.exe
616	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	IEXPLORE.EXE
2676	svchost.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019485-5.dat	upx
behavioral1/memory/2676-7-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2688-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2824-22-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2824-26-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2824-24-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCE76.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCF0.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCDCA.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCE85.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCEB4.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008e9fdbcb9fc01a49b34e17916e77d0d2000000000200000000001066000000010000200000004963603e74247a5564d9345bbf9ade0e544f9f9b4b74e7d0da96e2e0d953f60a000000000e8000000002000020000000e7e6ec4e30d987947b5cb8dc06a1f1727f467e9319f0bfcda012e178284e9db190000000d08cacd715565c824283efc42d9934e59468ba2b7f38af38d3059d32767d56326cf8fb1f70cf001c3977d3696a3016e7ad448b6f5f96a3221dd9575742e9cdbfb4d2c6c80ae749cac13f97d45416738d42fe68efeab3c674be9308e10f664390b055ba7a4bd01dfd81929cc09c33d71ed79f6e82e626f7320f46c9eecb720ec3b60a6429f59bffeac5495137b519b95e40000000d683753932bd6841e70d845c90120be74f850b3e1f53075eb4d39aeceee9a931991a6480eea0fbed9f30c9ac3aad53087dc21a82c9c0c2d04f9a3b63dbf33486	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F68A77B1-BA4B-11EF-B462-D60C98DC526F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008e9fdbcb9fc01a49b34e17916e77d0d2000000000200000000001066000000010000200000007b11834499311e8df480212de051e21222a93f539d42b8a0369599135de3f312000000000e80000000020000200000000b6b1f39aa61308072e8fdce7332b9e0c571eb8b42f0a2a2834fb659ecce9d3320000000592e9ce6b34e0123248fd612dd17a8b3bba361463027b3d35d2fd6095b487b2540000000a5c6096067acd27252ffab8f02e9ab745079c4e63b856c5c7d1f44df3388dead524da55da9d99daef47b81bb355a4117aa4810a98332a134235de6cbd111c65d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440363956"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00506fcb584edb01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2688	DesktopLayer.exe
2688	DesktopLayer.exe
2688	DesktopLayer.exe
2688	DesktopLayer.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
1872	svchost.exe
1872	svchost.exe
1872	svchost.exe
1872	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe
616	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2500	iexplore.exe
2500	iexplore.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2500	iexplore.exe
2500	iexplore.exe
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2500	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2500	iexplore.exe
2500	iexplore.exe
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2668	2500	iexplore.exe	30
PID 2500 wrote to memory of 2668	2500	iexplore.exe	30
PID 2500 wrote to memory of 2668	2500	iexplore.exe	30
PID 2500 wrote to memory of 2668	2500	iexplore.exe	30
PID 2668 wrote to memory of 2676	2668	IEXPLORE.EXE	31
PID 2668 wrote to memory of 2676	2668	IEXPLORE.EXE	31
PID 2668 wrote to memory of 2676	2668	IEXPLORE.EXE	31
PID 2668 wrote to memory of 2676	2668	IEXPLORE.EXE	31
PID 2676 wrote to memory of 2688	2676	svchost.exe	32
PID 2676 wrote to memory of 2688	2676	svchost.exe	32
PID 2676 wrote to memory of 2688	2676	svchost.exe	32
PID 2676 wrote to memory of 2688	2676	svchost.exe	32
PID 2688 wrote to memory of 3064	2688	DesktopLayer.exe	33
PID 2688 wrote to memory of 3064	2688	DesktopLayer.exe	33
PID 2688 wrote to memory of 3064	2688	DesktopLayer.exe	33
PID 2688 wrote to memory of 3064	2688	DesktopLayer.exe	33
PID 2500 wrote to memory of 2932	2500	iexplore.exe	34
PID 2500 wrote to memory of 2932	2500	iexplore.exe	34
PID 2500 wrote to memory of 2932	2500	iexplore.exe	34
PID 2500 wrote to memory of 2932	2500	iexplore.exe	34
PID 2668 wrote to memory of 2824	2668	IEXPLORE.EXE	35
PID 2668 wrote to memory of 2824	2668	IEXPLORE.EXE	35
PID 2668 wrote to memory of 2824	2668	IEXPLORE.EXE	35
PID 2668 wrote to memory of 2824	2668	IEXPLORE.EXE	35
PID 2824 wrote to memory of 2180	2824	svchost.exe	36
PID 2824 wrote to memory of 2180	2824	svchost.exe	36
PID 2824 wrote to memory of 2180	2824	svchost.exe	36
PID 2824 wrote to memory of 2180	2824	svchost.exe	36
PID 2500 wrote to memory of 2696	2500	iexplore.exe	37
PID 2500 wrote to memory of 2696	2500	iexplore.exe	37
PID 2500 wrote to memory of 2696	2500	iexplore.exe	37
PID 2500 wrote to memory of 2696	2500	iexplore.exe	37
PID 2668 wrote to memory of 2628	2668	IEXPLORE.EXE	38
PID 2668 wrote to memory of 2628	2668	IEXPLORE.EXE	38
PID 2668 wrote to memory of 2628	2668	IEXPLORE.EXE	38
PID 2668 wrote to memory of 2628	2668	IEXPLORE.EXE	38
PID 2668 wrote to memory of 1872	2668	IEXPLORE.EXE	39
PID 2668 wrote to memory of 1872	2668	IEXPLORE.EXE	39
PID 2668 wrote to memory of 1872	2668	IEXPLORE.EXE	39
PID 2668 wrote to memory of 1872	2668	IEXPLORE.EXE	39
PID 1872 wrote to memory of 2432	1872	svchost.exe	40
PID 1872 wrote to memory of 2432	1872	svchost.exe	40
PID 1872 wrote to memory of 2432	1872	svchost.exe	40
PID 1872 wrote to memory of 2432	1872	svchost.exe	40
PID 2628 wrote to memory of 2328	2628	svchost.exe	41
PID 2628 wrote to memory of 2328	2628	svchost.exe	41
PID 2628 wrote to memory of 2328	2628	svchost.exe	41
PID 2628 wrote to memory of 2328	2628	svchost.exe	41
PID 2668 wrote to memory of 616	2668	IEXPLORE.EXE	42
PID 2668 wrote to memory of 616	2668	IEXPLORE.EXE	42
PID 2668 wrote to memory of 616	2668	IEXPLORE.EXE	42
PID 2668 wrote to memory of 616	2668	IEXPLORE.EXE	42
PID 616 wrote to memory of 2136	616	svchost.exe	43
PID 616 wrote to memory of 2136	616	svchost.exe	43
PID 616 wrote to memory of 2136	616	svchost.exe	43
PID 616 wrote to memory of 2136	616	svchost.exe	43
PID 2500 wrote to memory of 1336	2500	iexplore.exe	44
PID 2500 wrote to memory of 1336	2500	iexplore.exe	44
PID 2500 wrote to memory of 1336	2500	iexplore.exe	44
PID 2500 wrote to memory of 1336	2500	iexplore.exe	44
PID 2500 wrote to memory of 1156	2500	iexplore.exe	45
PID 2500 wrote to memory of 1156	2500	iexplore.exe	45
PID 2500 wrote to memory of 1156	2500	iexplore.exe	45
PID 2500 wrote to memory of 1156	2500	iexplore.exe	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f02dd59c5dab1e5801912141b4647684_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3064
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2136
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:537604 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:799749 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:5583877 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:3814408 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33d24a875fe4f790cc74318dbce4599b

SHA1
4f1c51613f522e1bbb0cf3d71f5daec63b61df02

SHA256
26fbe266f54c8bfff61dd79efa585a9793fc12f249a1386d5fb424c9ad87ad72

SHA512
a5d0b11e7f4ccb94129831a448e83ecd18a2cfd372346bab5d24bc4de8f3d95616006e179d81dde7253bf2a2df04bf328d44e520fb5f7dced5d543b958d8698a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a36ca9c1a4dc0df49e5f397c0969b16d

SHA1
240c755f9c7f9e644d3fbda9310a564402ebd073

SHA256
8d33a7c04d39a5c5ead3bd1d77408871079aa7ca26ab21c25665ec944fb9e56f

SHA512
21733289d14fe9fd81ad67a1bb7a4c2c5eab4cb8ba0445ec536fd602be854a9befa146054477bcb1d44527d7aa23c2fd25abe200c1f8d697bef1e7e7d4f4a5ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4475541d6008ba39724e0fef19cafc7

SHA1
6767407411dbc9ac2a21229f2d69c2c5f9d22c9b

SHA256
117a35b3ee6957074eb46c6dccd225ff065d2750b3cbad53f21f3e7ea4c74795

SHA512
3358cda0584bb9d38e500080cd2da3522330bf5d9ed49ad28eb9f026feb9a4c3c0c18f648a79cc4dadafd73ad136b68458c2dd06b03c0dfedd1e8f92dbb6d98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2bd8f525941b81a7657c2941d2e2e7d

SHA1
d970490fb6a770ab3faa348c9556c5d034f62dbe

SHA256
a22d3a3b41afb7a8bd732704ecc1eaadd4c4236b51c19b46bfabb7319bc28148

SHA512
971773772b3a0ac6a2c5313bbb3263788eae56903333467c0d45a1d2d9a3bd4dd1db4b40ff2f96155c8f2debaa2c8c05192c2242b9f452aa4a85935e2d255bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9137649df1aa09dc9a64f55fe482b03

SHA1
3a4577f55dfa4c640b32bae9254a92e6f5fb02aa

SHA256
99cd6f128ebc58fc6bfb29a48f1376843f33c4092f405ddf86e90787ba72bbe8

SHA512
3810931c43745e27dfb6e0617cacc3d9e6b5b9d544f9198779c16feacac53dd354529a480a528df12a975bbfe54f8839d35f06e7cd8af6d20780f110b3d016fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
351a7162644ccb89252b81cbae157b22

SHA1
611eeca8d30031d6672bef56ac0360ea34af5659

SHA256
3e4981127618a7b9aff628a890c4c70242370bccfd8a4848eff8ee814369057c

SHA512
fb02617e31faba33c347cc0320317fe860f8889b2f380ff999721e433f70a81d64714a0dcbfb992a63166d455ff7a2a9bb368b06f0015e23d0cd112de0f0e3e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d4b3d6c2a9f77ce0f70dad65e108111

SHA1
c6155568e17380b204caa9e24b210f5e38c044db

SHA256
d4d4aa204c9fa278f0795f2031f1d273b7ab4956347d63abd7e33f0727ba6cd0

SHA512
9cd8878fbbda5d2435d95ba6dd2447353b7f06d8f19193219a386dd30b0100d93ea9fdbb516e9afeb3b5afa5028214fa5d1adb90b988055a8557c115fa3f40d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97774852f61c3c67dbd41a91dfe7be4

SHA1
b9e193a429a992ac1341bec7dc58950dc3ded70c

SHA256
94a3a99792f848cc19b29d3fbcf6893c5e14da4bbb7698940d0e0499f5e1cb11

SHA512
bee9c54894f00bbf3fc9c0ac0a9a9dec17b8f31a0e994895275f580cd35eb9aaf70d0dd382b55972873a10dfba8becab4a1b99dbdda382c38cbd298e707234fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8de6c517728fa0e53aeba6cbfb906e24

SHA1
84d9b329becf5c7551abfed0de65dcda7cb753e7

SHA256
fdf1f8d4c08abb23b4965e74a5ad2c9c5b0bf3d4d06c2a08be23df9d4f0c7496

SHA512
cbd4658c37f180f1f1f5c16b7890babcde6194ad081757799bec5d1af3b9823bc93471d15c0e54ef297738e5155d0406b3159e12083175b0154c5ef7b2dab0a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
591ad86552f74bd55ab842f36125633a

SHA1
cca8bbc065e9c4e0cf5452fe839dd0cbd6fcd18a

SHA256
6f616893bd62c34d92f48d9a8cb8ce504d3be5407c379e2c88899976c194fa4d

SHA512
9d8d78c1eb05e488c0971b217d7bdad06ed5282757065f4d197a2a3c984bef876dca0cef8c3eb73cfce20d5a7895ac8e74748f3427a40633cafd239a52703568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c37c3ca53610a72d24cc58694047036

SHA1
a14ab3ff7e4d849b86d2f77c4176613ab1a1fbb4

SHA256
e12bc1cef6946f92405a13cd5f1a5dbae49234d4a7207a5528474a259ae927da

SHA512
fe42733d7014138275ccd6fd9a8b3b8aa416cebc3f39884d8e636de3ea01d77f85fc92f6e8c14132835e2f7a9773e0e9bf6b37412b4a580a5b16cf61f509666b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5173261de63402706767caa8d8a515b8

SHA1
b677cddbead0fc7c4dfaea529fb51804d5dc42c4

SHA256
4b1628725aef4745f026983ba6e17c39483f264371db7cc2c3f12a07db0a78c4

SHA512
7eca5a680dc4ec6c5a78383e806f8f5440b18c4c9f1c19da25a3017cd0ca90e760858275435a9bc4bb2954988ae5ff5f507695089395483b2ed1de6bfd5a587c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc4e024fb3b05564a2bfd5cfb594ce4b

SHA1
8271ecde62be7eca2fb484446f2a89ac89a2df6d

SHA256
ee6cb5e8d9288ea9c1f8530cdb0114e319778d692d7c3ab23aad1a6a584f130b

SHA512
4144e1e0bf02c5acab27fd74d2935e0dd8fc976ba2c8d2b92220415390f6d5a71ae7ebc623889277882c72bd29826f375692891c47fc6ca3b2354346f7dd47ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b3ca5cc6861a57e1bb75b61736784c

SHA1
f5d27690b6c4d9e6885d207a22f1b8e09d350948

SHA256
19ac936bc013eeee0b303b4ece42b4d762257f3dc7e9a8e3a0aed3e2dbf0240f

SHA512
da06b33658ed5751018c7cb9c69ba1ad0e0742727fc51e3cc3984f8caf460414d4651e9383057571271882bf04428687c6b22c8ea199f661626f7927059942fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
619cbb998a78a195912b6c22cbf1a49d

SHA1
6d02ec133c897cfef0a57df44489850364caa114

SHA256
10fa4e7fdef7170352e846268b54e9ee2fe52126cc3c9ebf19822d4b8f244743

SHA512
05f1c82484a42bccd31ac6b182801f9ecb73ea5d95740c74ffe5daa94fce9438c49b462a7dd9cd17e029be35153c275c7d9b3a6876691e8eb7cd361191349d6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd7ab72105f81ea968064f0646ce40a9

SHA1
f7e6b2df659099c8653ee36dc34ee8a2b7952b77

SHA256
0083ba08a571e733ff6e5a41c3694a4641a66e48c911bf54f5212a66965f7941

SHA512
5a2dfc72f4c3e036dbf0b77da59c16948e524d33029bb40ab22a50801fd65069a75a243311777e27588749dc09b2738e2330afe85bbc291cc1b0552803f41511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1824bd41a1bda11816693caeab0de121

SHA1
7ff2807a70c9bebefa32205a3b90d0539eeef85a

SHA256
40bd52264ecd1592bde67f563e0f2feac5617ccab6c9354fd06a604c7db8b61f

SHA512
4ccc4ccb847727076ecb307db2002ace904b315c2b6d06519439b5d537336c750ff930a2b35b71746fe2f195fbcb63fc6941c657d2f8caae613431b51500b0df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2b99974f068bd7e8aeb818e29435fc3

SHA1
ffd878d8dafdec1044ff4eb2c01baba7fd20ef23

SHA256
88db3197bf8b661e92411fc2e097c7bb78ff2a38bc6580455c788a01dde768d3

SHA512
085a01397e21e72c311f1709e233d483cf381d7190719403a77dcd6134d9d02065b7581c735aa6556183e5ba90b6ab8544e440a91205801829f43ef38ef0b24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19d8e2ad0aebfef9d195416da56438da

SHA1
fa8765163ba4ff92a0d6a6c74edf5da0e0b5e363

SHA256
247ba232b53344ce56ec12f3ae8fbfaa0376182567e0022b219650dd2b3b0ecf

SHA512
93c4195401834b74e99ecc0e944a7f00ccf11d06c4bffeb04e81cd7f94052445cdf4bc9c172890a78e267ffb82e75af28df94a7ef6c87a24cf05a2125c27c315

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEDAA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE4B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
196d69fb3fc4e3b80e9514530ec393f2

SHA1
5b6fbda73de9dedf7668aae6bb43e1c28c45df23

SHA256
dd8665fd37d48571c5359f313675f5ff312c65604296b60d5a3e80ae04a430ce

SHA512
a2deef9bc080a067d496dcc4c979ea9f6a558bd8a78df08abff8d793416416a920c03b7044991a3537bda9027f24e1698845a80af8057de196e03c64376bd107

Download Submit
memory/616-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1872-30-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2676-11-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2676-12-0x0000000000240000-0x0000000000275000-memory.dmp

Filesize
212KB

Download
memory/2676-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2824-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2824-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download