ramnit | e8d44032579f968cbed97a3d7371cbc45e6fa9f4e0e8b1f235ac738cb643b6c6

Analysis

max time kernel
136s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff11c58f4dea68c51e048e9b97b10ac4_JaffaCakes118.html
Size

343KB
MD5

ff11c58f4dea68c51e048e9b97b10ac4
SHA1

d43b535ace494bd7cdda99ed424e94bd2da3d3ce
SHA256

e8d44032579f968cbed97a3d7371cbc45e6fa9f4e0e8b1f235ac738cb643b6c6
SHA512

eb97268897d36539c137eb1cc9479b120534aa73c5b6403175b86e86755e30d62db03a9f148fb77545135a4ec02481885ec0cd7615d2c20107c68b18230cc85b
SSDEEP

6144:SDsMYod+X3oI+YasMYod+X3oI+YBsMYod+X3oI+YQ:G5d+X3K5d+X3X5d+X3+

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 5 IoCs

pid	Process
2940	svchost.exe
2760	svchost.exe
2912	DesktopLayer.exe
1660	svchost.exe
2824	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2940	svchost.exe
2836	IEXPLORE.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d69-2.dat	upx
behavioral1/memory/2940-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2940-13-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2912-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2912-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2912-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2912-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2760-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1660-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2824-39-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2824-41-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFBDC.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFDFE.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFBBD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{399FE6C1-BDDF-11EF-BA45-72BC2935A1B8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000d6acf7d6343f32b909a4f03da1c7ae1b8e888a0b1eb5b40d06424a40d7bd803e000000000e8000000002000020000000eb60bde5dddbf4f169ac27ba9b6030d79ace63f6ee6541c5c4dc7a0d73c4ad7a90000000bc4aacbc98e3f8edd3dc730e2e2d5bf2d26c37b95af88817ab79b2924722644632c9dbc32843c42cc659f52af2be525592447bc947425f8b68a11cddfa329f3b497db43d6f162107e96ad6b3a9080f60f20cb64eaf2e5baede12018eca5799a60a2758b0aa68d99733ba553f0b310212da5f3373b74ebf215b302c8856d5ee60947949d340fbbdfc11443820b7c8745f40000000a378dd8b02900381b939f9531805fcab9055338ae3f4c87d6d3e5fda21a345915f5b43673f72e1b8de9a18ba35441c48c86eedc8a0e55e661c1b8301821b695a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3055730fec51db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440757061"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000007d879d3e21a72f8f63486df90fee9e4a6965239701f1883a7dd7d417cb795b38000000000e80000000020000200000004270f954e49221263dcb85a9dbe7997c43d58fbc693b59edb0899bc6729fded5200000001d88922cdf0c68187f048e7fb8aabf064c9052ed37b54a8b756b67bd35e24e9f4000000007d70ec317ad5deecef1ddf0df1ea15a190346c58fd8faef928221add7cd769feee0323014ecef17f932308e06cdde4bb17ae0c9119c1efe1e2f90121beeb455	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2912	DesktopLayer.exe
2912	DesktopLayer.exe
2912	DesktopLayer.exe
2912	DesktopLayer.exe
2824	DesktopLayer.exe
2824	DesktopLayer.exe
2824	DesktopLayer.exe
2824	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3004	iexplore.exe
3004	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
3004	iexplore.exe
3004	iexplore.exe
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2836	3004	iexplore.exe	29
PID 3004 wrote to memory of 2836	3004	iexplore.exe	29
PID 3004 wrote to memory of 2836	3004	iexplore.exe	29
PID 3004 wrote to memory of 2836	3004	iexplore.exe	29
PID 2836 wrote to memory of 2940	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2940	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2940	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2940	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2760	2836	IEXPLORE.EXE	31
PID 2836 wrote to memory of 2760	2836	IEXPLORE.EXE	31
PID 2836 wrote to memory of 2760	2836	IEXPLORE.EXE	31
PID 2836 wrote to memory of 2760	2836	IEXPLORE.EXE	31
PID 2760 wrote to memory of 2772	2760	svchost.exe	33
PID 2760 wrote to memory of 2772	2760	svchost.exe	33
PID 2760 wrote to memory of 2772	2760	svchost.exe	33
PID 2760 wrote to memory of 2772	2760	svchost.exe	33
PID 2940 wrote to memory of 2912	2940	svchost.exe	32
PID 2940 wrote to memory of 2912	2940	svchost.exe	32
PID 2940 wrote to memory of 2912	2940	svchost.exe	32
PID 2940 wrote to memory of 2912	2940	svchost.exe	32
PID 2912 wrote to memory of 2744	2912	DesktopLayer.exe	34
PID 2912 wrote to memory of 2744	2912	DesktopLayer.exe	34
PID 2912 wrote to memory of 2744	2912	DesktopLayer.exe	34
PID 2912 wrote to memory of 2744	2912	DesktopLayer.exe	34
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2608	3004	iexplore.exe	35
PID 3004 wrote to memory of 2560	3004	iexplore.exe	36
PID 3004 wrote to memory of 2560	3004	iexplore.exe	36
PID 3004 wrote to memory of 2560	3004	iexplore.exe	36
PID 3004 wrote to memory of 2560	3004	iexplore.exe	36
PID 2836 wrote to memory of 1660	2836	IEXPLORE.EXE	37
PID 2836 wrote to memory of 1660	2836	IEXPLORE.EXE	37
PID 2836 wrote to memory of 1660	2836	IEXPLORE.EXE	37
PID 2836 wrote to memory of 1660	2836	IEXPLORE.EXE	37
PID 1660 wrote to memory of 2824	1660	svchost.exe	38
PID 1660 wrote to memory of 2824	1660	svchost.exe	38
PID 1660 wrote to memory of 2824	1660	svchost.exe	38
PID 1660 wrote to memory of 2824	1660	svchost.exe	38
PID 2824 wrote to memory of 1760	2824	DesktopLayer.exe	39
PID 2824 wrote to memory of 1760	2824	DesktopLayer.exe	39
PID 2824 wrote to memory of 1760	2824	DesktopLayer.exe	39
PID 2824 wrote to memory of 1760	2824	DesktopLayer.exe	39
PID 3004 wrote to memory of 2600	3004	iexplore.exe	40
PID 3004 wrote to memory of 2600	3004	iexplore.exe	40
PID 3004 wrote to memory of 2600	3004	iexplore.exe	40
PID 3004 wrote to memory of 2600	3004	iexplore.exe	40

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ff11c58f4dea68c51e048e9b97b10ac4_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2744
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:668676 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:734211 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:6829058 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f7e0f0c7e4d762679df29fb063b6941

SHA1
1841b811255041a3570fad9d4439544a98ffcf24

SHA256
831665f3e4792078d8fcf53b383829f55e08e2a94ebda41e552cea2e0c0e8508

SHA512
9a58f9af9941a0fc80fed9e46e335d6aa6b45f1eb79a38a2945c2bbceb096fbf20c4b32769c1b889db13e61a1ba09281787aff1a843d760a11b2701373ba43ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c73c0d41f67ac48dcea0a9a86950d4e

SHA1
3b2079d4bd79efd26eb138071791499359d4f7a6

SHA256
93dd5f68d2a6ac6114d19937dc4d72477710b33d6aa1f07185a1c94e55892f89

SHA512
ee456c3d0ec270f10e7ca8f5ab8c2abfa106471a9ceccc6f8750820076020e90ecef1490244611ad2ad3eab57a8b0704a69e4852afdd81b034d5d3f494fb17a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89fc36623e278d29b5957e5fe3dc26b9

SHA1
ea478c6209d04522491139409b00e733f55bef3d

SHA256
e1899dea0caaf39e31a9238b1df85e7fb40053836521bb396da3cda9acce15b5

SHA512
3871291faaacc36e3e0123737b5f0d69b21b52080eedba8e366445ec5514e7dcc4ae7af01f875a165a034dc0361a04b91f0882e318a4d29c979b93260fbb1efc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d53b60d29111333bc1c70d1f881410

SHA1
be6d53daca12b97af5614f42a82516fecdcd1739

SHA256
d196c89ee0a61086610a7593c42b1acc6a55557fdf5f331b5d5ed018c361d511

SHA512
be47bf1a5a10dec7367b3d39dc97e5b916fb03f9e97c9f47efb579f140aa4a41e4e9920b76b35e162b7281ec12301f9e63b7dbb65461fe50407532bf11c19a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10d0113fdc9270d796c4aa993fee6d21

SHA1
3e9314e89d57034cded56fdda6882fc6dc6adca3

SHA256
50ca7127e873e35bcd4caecea6b4c3334d9cf526b4865018123df6ba4e59198d

SHA512
aa2c0554949515aa3bfabefc8014a356005bd9463d4a39395074650c352376c997583d5989ac60afa32c333c92ffacb38727c5837adffb447c3074a7faa7dfbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
738be48e895686ec4363b66e654cb8be

SHA1
d8fe5a2c356888b8f239c06efb851aa287d8b9fe

SHA256
db672b8ac378ba1ff3347a688be90ab56268c5b2d1500078ca9b55bf124f457b

SHA512
7b84cd5ef1fcf68fa6318897c3d2596f805c0dfdf448ad79d2e73d857e23679252774702e882b3932121a11bc3f32786f16a4860b65f3ea52ada0f7a7a416a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0d54d8de0b44a20b088598245181659

SHA1
0c8444d570c74af9933b678a268d78df9530c7cd

SHA256
ade1bed605e913abd80cd6b05dfe92f0d809b6660717e9dbb75f329f5f4dc9ee

SHA512
2be71e2cc9ca40fa3030f5e46202f563df26a203ac2fbccbf10229d895c71bc70bb091aa5be1102262ce834e13aa9eef30df0bfba433277767dca1f249f3be56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
333229eec28dbdb055af5e04c2751610

SHA1
8769314bb34bc3c2b6a0d11003c219c52de0880e

SHA256
c78b8495667103a36b28c943963a22f9455c72eea5204da6577b24cf0566c5b3

SHA512
2e5ec32001f04b0434791b790aafeea0a082f2ca88b8f0b236153cf6c22204529e931146cba9a8e2c94aeeb00017534ca79ebd4db0192617df5fba5ec52ef0e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee009accdd9d28e46c87eba49d7f11ad

SHA1
de1ce9fcc56c629f29b0e2f86b0d7a9af877f7fb

SHA256
08f47ef3c6b1ecda2042becc9f4bb42191e9f843f48fa3ed785b31bd912a98b0

SHA512
ee0601d09d61509c8cdeaa8b817bef071013e13e5dd7871e7c92dbe652376b86e38e09b3f11483336e1d308a76fcd9d433d99d2ce5dbdd6ee122b35caffad9ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d15d9fac9bc8ee25c0a077c6a2b0254

SHA1
4c14f9e2cf59ec07236c85e32a02f6030e9270a3

SHA256
29de3cc83a9882bcbfb34b7a8fb3717f8f5943b93899c523c823a615552463c1

SHA512
40ff10b15637d17d92e085c49039ce2e126ea47dd74806092d1acbcb676f7b140e202b5e232ddbb082c0efd8faea11aa878430fc0d5dcb97eaebc95d95415ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
581317036ec400a3907fc63d8cee2e1b

SHA1
4081af12292900a5e82e31fa76b87478878ddceb

SHA256
9aaf48eb3549bdb7438be47446d71840c8a3720009702c7721eb01da3156b0af

SHA512
066209f4f516ff739b9498875a76341a2d3cd7c578f949cf6d7230e660ad7b9e4e7a43d06d73b0e9671a5d11d67c4c66ffa56a830559164dff02a4f9ff0d735c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa4bab818d7affd587379dda60284c86

SHA1
82c64692e05c34a446d2ddfa92c1315d1626fee7

SHA256
d972f779aa2ef8090bdfed3697c193bd6e8237d6b7e3965ce665aa5b1f75ad30

SHA512
3b94afb6ba54955969835c5d621a67b562f68f27b9f5fc18b52b3dda8c873ce84c3b9d1758e80949a994d695ef502a6e1477d3acd2e79471d617a2d1c9ecc1a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2f3e689c2037224454e1cf48ae0a86a

SHA1
92d5c93eafecf4c7900de7b8c9ea2437c7f65dea

SHA256
654aa36f9b37b5598d82ef6878f68e56003ac930d74970d12686e0182561d47f

SHA512
d5adaa2b67bb13900d9ff856b0cbacb64e19447ddb8669109ddc4a5d0e3164e6d5fa6ff137eedd88efc91a0c02b33de96131ae0a9a3fdb6d88295977e1410112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29f46be27a076a0a7fb53dfeabfa9cd3

SHA1
e629ffcd67b1ba14d0baa1a664d62eec10e11b30

SHA256
7e3510a53eb02f63b694f2b3eb9725438079b7479a03c30e04f476c427e45994

SHA512
b7e4a6ce9dd8e51078ef173ddf3103f1b88b5b842fab1014fbc4b27a54b0f819ae0632c2aba852ea1d1ddfed4d423bf68a901a18af38196f6b583d7f322cb31a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d78d9f1f29c2821b84f97b9346823067

SHA1
f1d345bbab1f763f9170bb4fb5d4560e016882d4

SHA256
75a99b71da0c66457146fcdaccfcc4d82e5dc890d92244370c3e42c812b198a9

SHA512
f146602c915e32e0fc4058f634a04e865459ae88936f46db994d5c85e953b0a6dd6063e81adca5101076f0a988a0033e06361a73415b604ee116a1b6067bbd3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3114b26943bffeb6f1c5de765b62ba27

SHA1
871c1d58440fbc2558935f92438211a474d7bdb9

SHA256
b7f9bf572ced9aa6fbcd5bc6ba8af95ca2f64040e7476a69d4569fd3e85ee387

SHA512
e4c62149897eb84366d0167554cf16956927565b0cefc0d68d681c77cb6a7fbfd6195a51dd7af8089068a2f0250a2b99080275f89ed9a0276451440cde0eadc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c46d01dcc5a27567f27fff7491b75eb6

SHA1
ecbdf79b0b7715ab1f88d97b1e60a2107daec70d

SHA256
4e0ef9a1cc30f0632958861fbeb5fde39e50cfdfcbdae2511875326f24050121

SHA512
4432b2a42fda09edf90987132d36c969936d50ed463b6290a855b69e99f0aa8dd63f659c6e4976fabd69c4d706e0867bf669abfed777a6998794d9093c496280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e187747938c08f955d885619587d128

SHA1
0047fd6b77ae01dd68c5ca4cbec87fc5f93e8878

SHA256
cf50a09291607e5413e568c620b9c878e27b544ad94b5614b31c057fb823e68a

SHA512
067fe4fe69a7842018db8c9f8882a958a9681d937b33ce9e5750824375c9d2a88c46641b83950204c1549547a0d00512c54b5d2ad29ed39d39158b18af6f5533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61e7dacb3d37db02f221ad36dc7a48d2

SHA1
11791d9d5ff7a64c46eeff38cb412b58449c22f0

SHA256
88cf54a55a29142a922a5e774de61303ad6099d5d1acf3f339ac830fff6f57a3

SHA512
14b637742ba1f7bb7cbc89412ef957c3039bb89f508e836f6314c7e928b42ae00e04cbb616cd6885c2591293811885bf3360ac47b9fa9fd36120019847bab659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab141E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar150D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1660-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2760-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2824-40-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2824-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-12-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2940-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download