ramnit | 13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584

Analysis

max time kernel
70s
max time network
74s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584.dll
Size

90KB
MD5

d9de1e9ad5ecb98eff480156ed43622d
SHA1

e72e1fa1437dacbbd231ac403c8435bc56aa7c6a
SHA256

13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584
SHA512

30b90b2a3ce6dc9c1f4ba1610c7b97a67d3273d1f8b2923a5813bda4b44963d6ff683591cf2b0b7956655ac03c4e22e3509f97259afb2a1d3f7658f240a5dfd0
SSDEEP

1536:pszv184cUdfxY0M5uS4H6wiCIREos/5UyMG/42lc/ft06dmo/6Ow:yzN9c2m0M5uSdPCIRHshUjGncd0OzSOw

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2472	regsvr32Srv.exe
2988	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	regsvr32.exe
2472	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120fc-2.dat	upx
behavioral1/memory/2448-3-0x0000000000680000-0x00000000006AE000-memory.dmp	upx
behavioral1/memory/2472-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2472-9-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2472-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxE041.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5B2C2E1-C6B6-11EF-AAD8-6AD5CEAA988B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441729301"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\CLSID\ = "{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\TypeLib\ = "{8143C9AA-38F8-4729-B935-DF6823C616C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\ = "Microsoft.Windows.IsolationAutomation Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ = "IActCtx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\ = "ActCtx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ = "IActCtx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\ = "ActCtx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\VersionIndependentProgID\ = "Microsoft.Windows.ActCtx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ = "ActCtx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ProgID\ = "Microsoft.Windows.ActCtx.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CurVer\ = "Microsoft.Windows.ActCtx.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\ = "{5E0598D8-34A0-4329-BDBD-9D165C5C1554}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CLSID\ = "{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\ = "{5E0598D8-34A0-4329-BDBD-9D165C5C1554}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2988	DesktopLayer.exe
2988	DesktopLayer.exe
2988	DesktopLayer.exe
2988	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2204	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2204	iexplore.exe
2204	iexplore.exe
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2248 wrote to memory of 2448	2248	regsvr32.exe	30
PID 2448 wrote to memory of 2472	2448	regsvr32.exe	31
PID 2448 wrote to memory of 2472	2448	regsvr32.exe	31
PID 2448 wrote to memory of 2472	2448	regsvr32.exe	31
PID 2448 wrote to memory of 2472	2448	regsvr32.exe	31
PID 2472 wrote to memory of 2988	2472	regsvr32Srv.exe	32
PID 2472 wrote to memory of 2988	2472	regsvr32Srv.exe	32
PID 2472 wrote to memory of 2988	2472	regsvr32Srv.exe	32
PID 2472 wrote to memory of 2988	2472	regsvr32Srv.exe	32
PID 2988 wrote to memory of 2204	2988	DesktopLayer.exe	33
PID 2988 wrote to memory of 2204	2988	DesktopLayer.exe	33
PID 2988 wrote to memory of 2204	2988	DesktopLayer.exe	33
PID 2988 wrote to memory of 2204	2988	DesktopLayer.exe	33
PID 2204 wrote to memory of 2784	2204	iexplore.exe	34
PID 2204 wrote to memory of 2784	2204	iexplore.exe	34
PID 2204 wrote to memory of 2784	2204	iexplore.exe	34
PID 2204 wrote to memory of 2784	2204	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\13e5eaef2216202b8111f3a394aa47207658466f15463976d7a3c45de9dda584.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17c2a053c69a46c50a377d6a7eba6edc

SHA1
2318b6483f394ace28b9964532e1d701a67116ac

SHA256
c22f0bb60fb6a2ebe7f4d00d04b1da73f19b10af8a1caf76390fc05818776c01

SHA512
25180d0fc5357765023941763fbc996943eb6f804060dd37af7e77c17f9bde32c0d3e03d1fc68a499a58f0436c3594ce9b3d3822940b69ce4058e6b9e254be9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c958fb9c5b46ba286962f922d6e0956d

SHA1
e76478400a162c6f9170f1edeb9cfc576a39f9fb

SHA256
81e56149dfd5f55fb2fc0cd6911421ce1738b3f257f0355fecd3293ac2c63049

SHA512
24ebef8dbeba99452c85498fbdeaf03e5771eb4a3b4abd8c68718ce217bef6d3bf7cba00a1de7d052cb6d889460efb7dc66c55ea89b322fb53964fbd432f52d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fe927fd6a179559527a8162ca856cb8

SHA1
79a79cbcdd13d098979f175b0d6637aab8422032

SHA256
8b64bc80400dd7af180db5d1a75bf1d1247301228fd9228ea2a9337b5d9fc5a5

SHA512
3fca0fe66fb34c3577494439f21582f17992c4ea903a2b67658cef88db0f4d35b21a9905a9a10d34cef665beb615e65df8256d665647082577250bdff395a203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4799f2ea8021d81b4cca023bdc6d758a

SHA1
4a24b07a257118205c2050bfd0f3d67884d590d4

SHA256
0e4960470527cd2d209a0ac3499cd1e4375fb8bf1be365a5adfa7652da412546

SHA512
35f8f68849c8519c56cf3e12a5d61a0bacdae12db2aab720f3c4e9aee84d69cf496bb7373652fc284351d3d2feb456bba84b17b6bcd30503885b003e08cd11c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1daf049c0f859cf3263d33576dc356d7

SHA1
d8bba7c4ab2b2e4307bb6fc2fc1255c1e3fa391d

SHA256
9bc167d916627c9ccf87dcec5239d214587667c6e44d83503ea97b05153f7665

SHA512
03645c8c28c99c39186c17ea77c9c45ad4bf099cdc0477277bb5ba92aeb48309a64c91630faa8a9797b6c12935f4e209d524143b0a6f4156f3c7ba30804caa4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a66ef8637866d91c07266e3d837c324

SHA1
8e148ed19f8e285882a41f9bd17a710b957005d6

SHA256
ff1ebdae7975d7c133f3900be0dc01d89a3b42f6f491f114deab98edada49c50

SHA512
8319904d04b73bb6acf922d430b2075e70b2c59eb7ed7739e421c97f3d0d52790541fcc0d69f93b6e5f30de0d14bc7bf9dba3d72253cd8480f9f92a7ff62ad3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e70eddd78fe3c4784faa8a8ef3bfb08

SHA1
321317ccc168b439071b28a0cff37f0e57558701

SHA256
af480ec895190e973e5039015ef9207734323c3459e729a06c32744f321727cf

SHA512
2ed7b2df984c5d3521aee7e1964bc6eb10d5a6cafb455ca97b8e6a47d74b747e365ff8f3022c5c24a964bea395fcb28595d3018e87f170a6aca1bc661724c399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6ccd66a8123180bfc64e67b04a6ccc1

SHA1
67027a317578b46586c4daadda3b4994f573ec3b

SHA256
9f04516222962d692dec4c793b808fb02b36573e7a9e6e19b80e8f12dc0255bd

SHA512
5d3562b0e56d1bfbd399cfd649224da6bfcfeb2a929fd5efed617d2a0a3c11c2eba52c994c5d8cfcf50ff322469833df5afc01d5e8fc553145ec7460c8d61bf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
546d6fe3ee5f0c5d5bbcc773bc9e37b9

SHA1
af95af94d17bc6f9322bac6938da7c7e7d4b0bea

SHA256
422c252e8d735746f8d9f467021ff0fe23ba2c55e741e5be350e8af0978c834c

SHA512
aa6bee845cb9c4ab9d2ff94e1f998827607dd2de966772ea4bc41d75bfd8e7f512dfb46838f92c61f18a4c49017113aa41a45a5c79842ecb7e1f464549488afa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bddfe3e9d5a04478a2f04994cee09462

SHA1
bbe15bdfd4fa962251f14659ef3b45cbc14a0f15

SHA256
5bdaad42d43de087b69ffe08306fdb68e0e6a705137ef487847844b19cf14a4c

SHA512
a04e3dea8373545e5a0b0830d3e4675edfa2965e8e6bf3dbd57f694b30dd81985bdaa8418774bdbc6a4f1a2b772d64fad1bf223a5669b24c53f98091b3e4533a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aa03f15f6eba6e6b0688243c9534ac4

SHA1
dcf5c72c1841351850f02240ef941fbf1eecd49a

SHA256
58038a9d7ee60a24ffd0654d8f4eaab3770f48b9039859448ceeceb9c340150f

SHA512
a945050f8a3519dd11711ea0e43d5e546583c047cfef0b6e14dfea6c8dfcc29f35f13d200be86deb8716dffc13b21c561039f137e4085406f9b0ccc03ff33c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ff6d3660debe1960cf6d2529ad019a8

SHA1
cd0ca8faf9d8ac383430214cc97e7ddc6550221e

SHA256
0a93aa4aec32c8d97b9d9497f84ca0035b2cb1f6474565951c00955dff7b83b1

SHA512
56557dd3486c4a30340e4b263e3cbbc8fe4f15655bb6684fe273b284f89eafe060ecc21326ca63dc1f6c6fee13896f7933aba8672dff404a3ea9b9d3f5e2f6d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21847141c94dea381388ce9f26a6cac3

SHA1
1f53737ae17a880b2952944fb92c8f1d31c33c60

SHA256
ea7fdbda60643e1ec32bbfe5184a9b1c60523f98ede8c34ae15371fff92a8c8e

SHA512
3512fee31b71accc17b1fc0cc353cc7922a3a61c15c58d4d9a77e265b8e2a20cdb2f8ede77f67a88f1f88e2b832db699f04a73c07bb686a1a83b2e2b01a9d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f40110bb6a2b36b2569c45968a09af1e

SHA1
bd2a24cf6d8728db04a1adb2e5d2fb3174547bf5

SHA256
6ae9fd4503818df8eb68b1c8d76a447b11627f16e19ba56f5626331240d73d62

SHA512
aeb930800fe46c7fa5c9416f3e1084d3d361b2c05d6f37d46f1b031d7fb8c2370c4b0c0d056dc3b6b06b8ea5d65238e70750d84c781b4b18742d02d47b878df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38562e048c977f5d75587d65330d57e6

SHA1
032557732c3cc125ce75d6b708ed91b3a563a898

SHA256
8d5d9f7868f31139cce3f45c25079c7a74ce96f77114a39cfc56de0c2058cf96

SHA512
f014f8ab4d206488b04ae196b8bde629979a4d2eac828668d6b27c9230a675628bbd6b9e046e045ab6165ad6d26ded74de722c5ca57a9f6fef2a14ee1c391485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d9a119d3508d407110193bca1442936

SHA1
e5b793d586861984107d4064b61a53fdefdf024f

SHA256
bc95422d4ea79589db3ffbb308075f021beaf7029ab6130edcc228ea9fa8e230

SHA512
edc94daa5dd1ee24fa9ce222af580b75e1c809690161aad07034600cf70e623fb5591a8da4de146d560cbadc24f0713c269252e1378afe00165d0266ad62095f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7df3e3bafac47224792fd36bb69ca494

SHA1
3d830adbd459ef0abdd74cf73a958064baf7ea19

SHA256
ef3c14897e30b419d2c1b1c39bca8bea27a67548e305c44fa082fcb26b333532

SHA512
8d3303567df83fe093db0ecb31c83cfbf09dd149a5a1deda314b6c42f94219888140b6c5efc35e4e3fe0771a927b0c764cf4f9f0558931de66d25c155a49f514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
251dc3a974d20623e3de15ffce15835b

SHA1
ae073371db8d79a3a4b1c838607361422cb3ad0c

SHA256
d42b06e5b4fcda51e65c4d78ceb4708b9ba5950b94bdc53cfc1aa5d3161bfa66

SHA512
e2c01acedd8bad7e330d7b6d34a5c36ed1bbef5e26efc57fa541db07f893bc577c80923d7285177b8d3b430de7b137443fac98c503c28523c06aae8005005f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afb6cc0c1fe80412ba43732dc973eb7e

SHA1
e1d1b9a91d1d21ca980ffbcec96e0907cc163a72

SHA256
1c663c93ae33a17a4aca3905e542c60c9ac171e576650d4fd350f5af8fa2e50e

SHA512
85d9c314f6dca523b2c49cbf2acdff3c2ea568a9c0694c471538f5883a4ee0c91fd1e0c0936073b98b919a709547524bf8f61c1d2fa61b13515245770a3c6082

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAF5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFBD2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2448-3-0x0000000000680000-0x00000000006AE000-memory.dmp

Filesize
184KB

Download
memory/2448-0-0x0000000074B00000-0x0000000074B1B000-memory.dmp

Filesize
108KB

Download
memory/2472-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2472-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2472-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download