ramnit | 824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
Size

1.2MB
MD5

cf2e9e3d69e910eac2599413e783ceaa
SHA1

3dcc6f377dbb477c868476476e02721b0ba9c6e1
SHA256

824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3
SHA512

b71419248a30110d9c085ded3f3c17a110cb5a89de384fe4380431f3d934c1df1ff34d681f51259116d57a9aaea9f404564ae9538f075ade3982b4693f3ccb87
SSDEEP

12288:mqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+N5f:mnajQEPnvg6PhWDC750L

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1644	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
4756	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1644-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4756-27-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/4756-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1644-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4756-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4756-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4756-44-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6B0.tmp	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3928	4540	WerFault.exe	85
5048	2876	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1123168762"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152313"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152313"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152313"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152313"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152313"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442108009"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6E6743D8-C4AC-11EF-BDBF-FA89EA07D49F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1122386914"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1123324393"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1122543305"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152313"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6E64E20E-C4AC-11EF-BDBF-FA89EA07D49F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1122386914"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1122543305"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152313"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152313"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1123168762"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1123324393"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe
4756	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	iexplore.exe
1944	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
3476	iexplore.exe
3476	iexplore.exe
1944	iexplore.exe
1944	iexplore.exe
5076	IEXPLORE.EXE
5076	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
5076	IEXPLORE.EXE
5076	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1644	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
4756	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1644	2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 2876 wrote to memory of 1644	2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 2876 wrote to memory of 1644	2876	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe	83
PID 1644 wrote to memory of 4756	1644	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 1644 wrote to memory of 4756	1644	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 1644 wrote to memory of 4756	1644	824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe	84
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 4540	4756	WaterMark.exe	85
PID 4756 wrote to memory of 1944	4756	WaterMark.exe	91
PID 4756 wrote to memory of 1944	4756	WaterMark.exe	91
PID 4756 wrote to memory of 3476	4756	WaterMark.exe	92
PID 4756 wrote to memory of 3476	4756	WaterMark.exe	92
PID 3476 wrote to memory of 5076	3476	iexplore.exe	94
PID 3476 wrote to memory of 5076	3476	iexplore.exe	94
PID 3476 wrote to memory of 5076	3476	iexplore.exe	94
PID 1944 wrote to memory of 4596	1944	iexplore.exe	93
PID 1944 wrote to memory of 4596	1944	iexplore.exe	93
PID 1944 wrote to memory of 4596	1944	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe
"C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
  C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:4540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 204
        5⤵
        Program crash
        
        PID:3928
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1872
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2876 -ip 2876
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
54a1b1095226978313782771a5b10c00

SHA1
48b16839c462c31035262fb8a1b27500afa08d76

SHA256
1ea0e620fb67db2a70d652123f8eb51845806c023fb99cd584b2b063a30fd790

SHA512
b6b8f8a053395bb63477d66d8bfab4f773b2f2b64e3509e127256534a24ee108f7d259d6e934131d511ff3926fc139ecf0579967520e220985efb0607392118b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ffa251de924637c1d1810ead028c5290

SHA1
d05c7f9c8493d5ac28541ec732857ec733a3dc67

SHA256
571b508d6d4d029e9ac290588632216ee7f83286514b15e842e27fab0b122be4

SHA512
6cf274eb3e5878f22c0976f7185a5926c7b2349902d4a3fc0b6b32dcf4d8eb5e6705d4bd8f7a062aa2e1d1acc55e5d151b9380c2c284dcc9861af7621a30497b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f5c29cf786b3c72521cd231ed31799c9

SHA1
b118e0c97ed825a676b978778cf5aa22009eadf5

SHA256
920d377831b2550a6a4620d4e1c0dbb3c2b251044b343144e7c0021b1d5068d1

SHA512
a2d08ef24620e02c1118b1e64895ddc93eaf7e4a0a706f5713676916cffc70089b8e8492d52a419ce7d45a05cefe94871495866949a8a0f8f5e53245191634c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E64E20E-C4AC-11EF-BDBF-FA89EA07D49F}.dat

Filesize
3KB

MD5
0bb21f4bb9ec97688cd6e6cb7ed1109f

SHA1
bb13796a15ab17d3bd3e27fe7f7db4a41e45c546

SHA256
83844ed6a5e8868adab43c6c384790d69b81cc88203d9730b0e66987e77f15ac

SHA512
96bf4a5d01e6a4872de053dafd48550ecc2ef4bc096b82f55b7303915a9498e9d4b03a53fe54c540f4b367a5b79f9c0d8219c4ba6dfd8d4d821419e4fa349add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E6743D8-C4AC-11EF-BDBF-FA89EA07D49F}.dat

Filesize
5KB

MD5
191ba14984f5df91b6b3d8dae1ac77a1

SHA1
b8e629a4d07624a40c60d57a905e74367045eef1

SHA256
e2f8da6ab38bd6ba9e28c8fc895265a533cd84d0fa527101308b8ba737892a3e

SHA512
fee5b271f983d3e2c99759fd0d76da3fd146a32c15402ab2c3db26b0457e931a20469e684a2228d08a424cc3ddd7ed4dbe9778bbe4c9683d64503d03f590f24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2A38.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\824148a122e18d847a99f00084d87a3e50e8fc1d0f46033ff24b9f6c20905fe3mgr.exe

Filesize
124KB

MD5
421e3905d6d9af7edf2611872961a5ee

SHA1
b1000eecdc813d8619199206683dabfbcde32fed

SHA256
21aac2e25963becc17df175c09a705b01c82880e352e9001740a1cd77330e994

SHA512
8362c946440a8be521a89053711a1b70c10ff957946f83caa4aeb5637c5981dd478caad3047b1e9849e99afab4453af522800dae9acc1325ec95cecdc54fa752

Download Submit
memory/1644-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-6-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1644-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-12-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1644-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2876-0-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2876-37-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4540-36-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4540-35-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4756-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4756-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4756-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4756-40-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/4756-38-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4756-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4756-32-0x0000000076F02000-0x0000000076F03000-memory.dmp

Filesize
4KB

Download
memory/4756-30-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download