ramnit | d740e5acc028fe7082cb9a45a758c2f52712c4d17c3b761958e1a1c1dc53655f

Analysis

max time kernel
68s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff8d0dd23e701ffe1f87f2da1024f251_JaffaCakes118.html
Size

708KB
MD5

ff8d0dd23e701ffe1f87f2da1024f251
SHA1

61e228f710640f720dc661d781c7d605fb67a54c
SHA256

d740e5acc028fe7082cb9a45a758c2f52712c4d17c3b761958e1a1c1dc53655f
SHA512

0ed02ae4129a3e1ff78df6094ea2ea08fae4d0340a8456ca5fe4d5e53d3d295ca386c4cbaa2607c2bb1493787b42ebbfbd1d3ce20ec8184a4b57228ae9a37047
SSDEEP

12288:0V5d+X3zjVp5d+X3zjVXJc5d+X3zjVf5d+X3zjVP:05+Tjr+Tju+Tj9+TjZ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3012	svchost.exe
2624	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	IEXPLORE.EXE
2912	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019489-5.dat	upx
behavioral1/memory/3012-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3012-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2624-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEC42.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEEF1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701a3a0e0352db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{376CE2B1-BDF6-11EF-AAD8-6AD5CEAA988B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000089df0ed4571d79a2207ed73e0365c91a3680cf709c8f690022153facfc68d24a000000000e8000000002000020000000e71f76c6e3cc7c82fbb0ab3d1efc75c8cbe4ec58ecfe94eb36aa31379f69aa292000000016a5efba9fa7b87d33b45f4ee199b1181479717abfeede3349ffcbd9c5bcdbbd400000004b44ee67b518600e84c03c4813892a4b163bcaa9da410925cccb79bbbfb1cbd800cce25e6bcf78cfbef14be2cb229dfdd02894bc9880d7e88f237c81a2865dc8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000204658d3d5f3f46fd998ce33478d55ee1e5a6e2fd831b76e973dccb755d2ea77000000000e8000000002000020000000cefbd0aef09f0a0873bbae7411526252c5c14031b50b4f13b4fb0d9f42f375ba900000004fbead892d8f0b20a489f00d836cafb0ca819a5f3672d3784c8339eb143b4c014a06f2d4429a7e7718b1dc5c4a1c09a617a706f6843c4663daacb5a81f7088c5c6e9e7af8da6335c6262792c5c9eb0f1ec24a7bd7d29b93efb26e07b49e2bcc4b9af925f15679a0a48f5388b065fec559e6359d8e15394e55888f54ebe3cdecc782d4f361a8df68581fc235d322ed10d4000000010427cb9a85a47aa13befbadc31ef44fe5bf7f3a15726969438a3a2a53a61b2850a0172f9800f4c81ae040d8a398baaf498047de3f1dad961ef1aa0bbe99a865	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440766934"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3012	svchost.exe
2624	svchost.exe

Suspicious behavior: MapViewOfSection 50 IoCs

pid	Process
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	svchost.exe
Token: SeDebugPrivilege	2624	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2596	iexplore.exe
2596	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2956	2596	iexplore.exe	29
PID 2596 wrote to memory of 2956	2596	iexplore.exe	29
PID 2596 wrote to memory of 2956	2596	iexplore.exe	29
PID 2596 wrote to memory of 2956	2596	iexplore.exe	29
PID 2956 wrote to memory of 3012	2956	IEXPLORE.EXE	30
PID 2956 wrote to memory of 3012	2956	IEXPLORE.EXE	30
PID 2956 wrote to memory of 3012	2956	IEXPLORE.EXE	30
PID 2956 wrote to memory of 3012	2956	IEXPLORE.EXE	30
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 372	3012	svchost.exe	3
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 384	3012	svchost.exe	4
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 420	3012	svchost.exe	5
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 464	3012	svchost.exe	6
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 480	3012	svchost.exe	7
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 488	3012	svchost.exe	8
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 600	3012	svchost.exe	9
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10
PID 3012 wrote to memory of 680	3012	svchost.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1264
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:952
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1348
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1252
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1712
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1916
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1324
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ff8d0dd23e701ffe1f87f2da1024f251_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2624
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:209930 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5d7b256dbe79b472f7928875c7700e1

SHA1
49b81017461c757d5272418968daff380bab16c1

SHA256
70c44b1690edcf6f6afac00a2639f73b4ce5fbbc44628195d2057a613e381c1e

SHA512
ba2320a1cb30c9ab7d8b7f8cbe22710b45118b3fa589de8a2eae9546a7c8e5e4de3304e08019c4fafa3cd81ff4df39d224c6dcbdeb5478fde53d47f29d7a88c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8428adecf19bb4419d86487f149448d

SHA1
ee77ce3f72f118cc6356104248d8690f6a0cbf73

SHA256
f0c55c41bc8589f67235422f67c381b47125e9ccf4d431ae3b6a7d6e75d8bdf2

SHA512
9a135ff0b2e400235350071f7a7522c12539b308b85b67b68cfc700b79c558c3f015f508f50298019448b5999d2dd557eff02630747f2fefdfab8728d1399677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69920c246ec01a18ef5d8740adfa373a

SHA1
a5555edbd5430f56c1115173f74caf3547d99999

SHA256
fc7094a46e7407af18299a2f845b1a988454fabadaae24f2f85a91a2d952371e

SHA512
7532007545410271353d74ece0b3e08302fc5fb4d21320610ce3efaf1eb8b029b613345ca7965204d4ab1576563cda0655e4e912bdb1255e417c9dc194ca08fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e60aaa362d5e957ad5befbdaee2ea2a3

SHA1
85b891f709413537840157639c8d4ae7418ddaae

SHA256
56e3f7aaac8d775f7ea9ab83b414b3c08e03c2b6944a2afdd99c9af5b614a4d7

SHA512
a552db3acb12cd4043b21e44d47e65e1b65a05a8ad40b517f5d444585f859f46d454800b0dbed1f7bd3610293e7f9fca8cc0d4218a76ad9e865939f00eef9825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54f04dce77e27f03a4e02c0813a567ee

SHA1
25ac688b18e2a3e290baff0fd5f94398d7ba4ba4

SHA256
8ae06e5440dca1f104f7efe8ecb5906e537e2036a46103c4aa815ff969681a25

SHA512
0f788ee3e1dc01fbe4d3c84cfdea0a86c3b2e087d75f3d0a756fa0f9023c77ac37ab6595adfcedbe4db42e924d4545027609fdf61e9081f5c9f577cca5d6c491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
708d8f0917cd6b8af3a906e5d0215bb7

SHA1
cb8581f35de9af9e46066441e14d364392f6aecc

SHA256
e5e66db4b02c6ab2afb1ba53c1ce2869ae1b8dc76cba6c09be845a8eb209c47d

SHA512
711caf6ae1055653a371ec2290c7e2c60d6a7749b21af4289c76f5083e928521fd2eded6ccd1135d51e5cc6b45425fdb708fb0d3842d37f22079fa873f8c41f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47938ada608f9ed2d27692530ecdf572

SHA1
62b762c352ad10d61f39c1e1614a2a5fdd28a91e

SHA256
f0206da83709ed74aa0bd6660aaa083a15b8d95cdc8e89a6d8e7b0e5e430538f

SHA512
40385b9b844b2cf724ab1257aa9ccb3eef815714098988b66dbe1fd2f2f8ce0e3a3aac0bf204a81075a6e595589344f00cc67e86721295c0b3caf77d8621a41b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83283ed5600b5c9d1051df4b3cb8e3b3

SHA1
5ad8c76e32b3187b68c7c5c7e92388b81cc82124

SHA256
3ba6a77fb554cd290a7ebe19b35316ad7563383845284b8a90f63d1e57facb08

SHA512
c2dd5f12e88ec5e168b4a8c12346dbe3a3dc9b5ebbca4056063ce0d3b91f16b10265742110446bdb989bc8cf77085674f7f4079518bb662bfe5482c2acd2fdf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94fdf3192bad2aa58aa9314f75bc721c

SHA1
0e09c1976a4a779a0d87c52490c94817e7832bd2

SHA256
e81a1d685ae6d5e3b79d34643c3fffeba28b92323a65a628c539a32cc4fb0d9f

SHA512
cc667ceed733d7ea2523ada058a45c981d00843b206fe7362fb2c87864725296ca017354c5455e6182c9dbe057d3a47af586434632bd385259b80cb4615da55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d65f04802ce693a30465f6778ab7fec7

SHA1
60f7601528d5b349aeb481f29e9b274805ccad89

SHA256
ffce8d186ae0bae3aad4f2e4848a2483d06003b928b65760d990041888f34d04

SHA512
f11220d1b34fd6f01d98186e1cbf08bc8d6a4d4ecc6b3d1781b087f9840ce02c265efb79a2f5880dfdbd50c6c22ae360ce12f12269e679fbfb43b1bea33da81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a55f1501ee50fb6b90320a693869ad

SHA1
afefe21ec09783a976beb88fcd4652efee9c3c8d

SHA256
a76c7c262f83f246c19434ba782f31b9a72d38e4ef3eac9b82a45749df66ad55

SHA512
6886ba6b8b370e759e39bc045e9f976424c637e540e4c255d0c90bb4ada61b8f659ff71d4f822db10b53607f66bec36ede45f58cfad1f4d90c7682945d8ec159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c52ae573247bba5bf0fe34d95ba9331

SHA1
13e8660a1216535ec9b160dfeb5a490abe64d5dc

SHA256
fa30ada0546646cc179eccfad26d213fe63e63f496aa8c962fa79f9bd7b6f28e

SHA512
765e4fdcc04e531bef4e3a6b05206104d5d102112eb04963d9e43d6954731beb1712b599db9bb6ac7546b3379fc6f9f45f4d80de6309d7e9413308bf8761e000

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3af0086c6899b003c63a5290ebb385d6

SHA1
3f27a0e4330ca50184edd4d4624969d9668aa966

SHA256
7a3656a3c2ecb55c1b9296aae3d6b476cbfd7fa3e780b80b57a557012f4b6061

SHA512
cc4cd245648b906417d85c93902df21d53587fa7b328aa7e0d61c2d4aee8326ca1257e01416dda298710c14243656059211cec1db8bee0e9db1af200df8641cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63ea6298d492552c6b2918ce494af68f

SHA1
714f53b60a1687fbd8980dea23bb53ff54059f02

SHA256
d082ca3e8599e64eeb19d3c0d5c96a16acee1609adfb3511e244253338898598

SHA512
d83afa203ba7a7f2cf779674878674bc53f6bbc9203c6af4e1393e93caec453aeba419faf322fd8d717c7910b57e096fd84b9fff11b566b411eb4dbe71c9fb42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75b5804c479bb9e3c988d3ef7d3efb9e

SHA1
7356c7734d58608175d3138cb0b0933d12bf2556

SHA256
de4f656d2184de53a178b091aefd273ec8b6e314365022b5c1e3f883de15b0fb

SHA512
f6e4a6558cedff38181c4935c0cb453275366280fea3e6b291fec286703c2ffd00c16411cc530aa834e7cd0405ba8e1e8d37716a15f83aced9341a24a42073a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f92ebe8953d01fdd9be7195d81f55dc

SHA1
508204238669bc2b36a650ff2d471dd3dba4835e

SHA256
a46f15ae7632e47f35b56726296c90d74de6d19c6227880b64431dcf8f03dc7d

SHA512
c1c6c2a38a6c028a4a36871958921acb2e4af5ee4b5fee44040e74bf6cd0aba554b3e2326625d7ff61d349e32ee82b24a413ee50ec6e690704cc6497ce9dd727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a95f058538064f9228ced6385fc6d34

SHA1
f4cf1f148df835bccfbaae555d91ac3c985ea5fe

SHA256
28c52a1bf2bfd752e1788ebd93c3f3940ea6303ab318710faab3880b103337b7

SHA512
05c011a1994ba184f049353d47c560ac131549d77646b8b3dad3e800efbff383479c446da5832a23c0aec2ee46237a271640940ab6b7940f6cc07ff0d5545f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a8480ac67c3c7e8ccf86277d948f816

SHA1
0ec20a967055c6086e54745e418109f96f6fcf07

SHA256
0ef0c2a3fdd984e5ce5d0d3bb3f44391f88c4e7e6238debd71e835e827c08df5

SHA512
25181dd45fba619703b7870e55a26f1335f42a955f22ad84cbb984592627099a96921475c0973732536063d2b9406cdbe4cf5cbb433ed2711420bc1014e1146e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e97d257be1f62219e511350590e7ba2

SHA1
5366cc44556bd2093e43cdba40d6be5d9f18ebdf

SHA256
04730a96104659a1b5865534b05037c48d855c33fc7cb9d82ae0be88b95909e7

SHA512
e720200ba033035255857c863a0dec2618cb47770d6f29b5ddeeba7475fd7325c977f965257ca1cf0ab70a17fc9b7a27f999c6439534a6d899e9c1c551732d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df03535bcd510d36cfad92b131bbe0e9

SHA1
777f9908e281fec1944c533fba0f28e7dbb68b13

SHA256
fa1bb2d9e2eb6dc86f1c71d79842c99dc65c97a8669c248fa721bc4b108c8ed9

SHA512
bdec4fae28574bb00f678882c4e196791f3a6f831cbccac4b3b079de4aff3ae3d0ea536fe9e28faa33ab2a34259eb529d77d10463eb14a967baf7411ebafd95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc98eb66f577948ca62ff9b232e7a6a6

SHA1
01a2634c2ec96f00a251055a0139d17ccfbdacda

SHA256
3b845b0de7da9a346e3790926e88cf80d59e3c1f417f65a51f0941daf0353c06

SHA512
43913c28eb9f0fecde9565e810a9af95f6025aade47be436214424bce3115fbf28ddd133f2d71394820f4e1b7ae08bd9696b496052720f3011dea69e9cd40b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC27.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2624-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-8-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/3012-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-9-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/3012-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-10-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download