ramnit | 824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3

Analysis

max time kernel
94s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
Size

1.2MB
MD5

cf2e9e3d69e910eac2599413e783ceaa
SHA1

3dcc6f377dbb477c868476476e02721b0ba9c6e1
SHA256

824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3
SHA512

b71419248a30110d9c085ded3f3c17a110cb5a89de384fe4380431f3d934c1df1ff34d681f51259116d57a9aaea9f404564ae9538f075ade3982b4693f3ccb87
SSDEEP

12288:mqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+N5f:mnajQEPnvg6PhWDC750L

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
4404	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
4528	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4404-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4404-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4528-44-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8C13.tmp	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2108	1136	WerFault.exe	85
3644	3692	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152312"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2487961557"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2486711620"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2486867771"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BFBDF923-C4AB-11EF-AF2A-EE8B2F3CE00B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2486711620"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152312"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2487961557"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BFBB96D8-C4AB-11EF-AF2A-EE8B2F3CE00B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2486867771"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152312"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442107716"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152312"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152312"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152312"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe
4528	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1700	iexplore.exe
2136	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
1700	iexplore.exe
1700	iexplore.exe
2136	iexplore.exe
2136	iexplore.exe
2224	IEXPLORE.EXE
2224	IEXPLORE.EXE
4392	IEXPLORE.EXE
4392	IEXPLORE.EXE
2224	IEXPLORE.EXE
2224	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4404	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
4528	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4404	3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 3692 wrote to memory of 4404	3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 3692 wrote to memory of 4404	3692	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 4404 wrote to memory of 4528	4404	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 4404 wrote to memory of 4528	4404	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 4404 wrote to memory of 4528	4404	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1136	4528	WaterMark.exe	85
PID 4528 wrote to memory of 1700	4528	WaterMark.exe	91
PID 4528 wrote to memory of 1700	4528	WaterMark.exe	91
PID 4528 wrote to memory of 2136	4528	WaterMark.exe	92
PID 4528 wrote to memory of 2136	4528	WaterMark.exe	92
PID 1700 wrote to memory of 2224	1700	iexplore.exe	94
PID 1700 wrote to memory of 2224	1700	iexplore.exe	94
PID 1700 wrote to memory of 2224	1700	iexplore.exe	94
PID 2136 wrote to memory of 4392	2136	iexplore.exe	95
PID 2136 wrote to memory of 4392	2136	iexplore.exe	95
PID 2136 wrote to memory of 4392	2136	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
"C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
  C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 204
        5⤵
        Program crash
        
        PID:2108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2224
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1920
  2⤵
  - Program crash
  PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1136 -ip 1136
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3692 -ip 3692
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
54a1b1095226978313782771a5b10c00

SHA1
48b16839c462c31035262fb8a1b27500afa08d76

SHA256
1ea0e620fb67db2a70d652123f8eb51845806c023fb99cd584b2b063a30fd790

SHA512
b6b8f8a053395bb63477d66d8bfab4f773b2f2b64e3509e127256534a24ee108f7d259d6e934131d511ff3926fc139ecf0579967520e220985efb0607392118b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
559aef0c2f9f348fd512f172096e6d1b

SHA1
92c0e6a85fe424e0ad17e42216b5116a2dbff00a

SHA256
32cd9fff664b6cc96b5989ee6e9ed853dee329fa30246d77a9ec57dcafc5309c

SHA512
65785b1dbe8867f43bd3a204f9ec5c3e21834ed3de76fbb4f59cd4b3716eb867574965d416a084fb98188f53a6c8f6b4bf080592868a908be87d38eeb4bb4cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
364d52246ecec20eb780552e7f06056f

SHA1
3d7f1feac727c0cb0d45df32df9f5f6598803a41

SHA256
ceaf899cadd30b8175615873cb940779df0fe46dd422b2879ab85696f115316a

SHA512
fd00325eba886c73294620749dc4b45714d2e6a55132cc34f85d5c4b25b8c8fb3f1f3e75cdece62440fee6b750a92b4af1eaf4925255146c27fa3bc2a06d820f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BFBB96D8-C4AB-11EF-AF2A-EE8B2F3CE00B}.dat

Filesize
5KB

MD5
b8ad6b1b2b9dc561a9f81bbd4310466d

SHA1
034cde9d057543cbc84f4904c0449db3d6a8f0db

SHA256
ffb470bbf8b44295a137ea6c1210b3f2afdb438e8544a2570ddfba144d30d0c3

SHA512
2f06682e06c2f10cc388bb3835a2b7d48ed251ee9121c8f5e6602d32f87b76b16678545c7df822c8b4f24ce991f221b9671f13a04e7401123e6ee4f0b9deebb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BFBDF923-C4AB-11EF-AF2A-EE8B2F3CE00B}.dat

Filesize
3KB

MD5
11453cd0a85c80bf636c4c51f8cfe32d

SHA1
bf414087be9cea41d4b11e75770d2c7805aa5423

SHA256
948a3f72bc1ebd5c4ea26a13ed39ad1f8a59e3055d5b6ad58d60c91a66d84227

SHA512
3bf6edb730572098dac681c04ed5760c0e04e8d05b7eb4ae15e97abfc01eff4c3361ff35fa955eb69df26707748d4dd75c709f012c104b3ee14eaf1fd6332dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF7C.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe

Filesize
124KB

MD5
421e3905d6d9af7edf2611872961a5ee

SHA1
b1000eecdc813d8619199206683dabfbcde32fed

SHA256
21aac2e25963becc17df175c09a705b01c82880e352e9001740a1cd77330e994

SHA512
8362c946440a8be521a89053711a1b70c10ff957946f83caa4aeb5637c5981dd478caad3047b1e9849e99afab4453af522800dae9acc1325ec95cecdc54fa752

Download Submit
memory/1136-36-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1136-35-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3692-37-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3692-0-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4404-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-12-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4404-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4404-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-6-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4528-34-0x0000000077062000-0x0000000077063000-memory.dmp

Filesize
4KB

Download
memory/4528-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-39-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4528-38-0x0000000077062000-0x0000000077063000-memory.dmp

Filesize
4KB

Download
memory/4528-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4528-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4528-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download