ramnit | d7e15380a03611dda649d61586ab1e6a7f8d472cd0c33eb9c8404a69df2f5c9d

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0d8eba881952710d26a8793a94b3d694.html
Size

449KB
MD5

0d8eba881952710d26a8793a94b3d694
SHA1

76339960e41fa5fdcf351da1a0be5b5ca647d8ba
SHA256

d7e15380a03611dda649d61586ab1e6a7f8d472cd0c33eb9c8404a69df2f5c9d
SHA512

b38ca61511572dd62b354cc4a535e42e370350f5902e4d71bc541080ab2689ccd350c2dccf96dd242cfd1a055c5ef2122bac37e193cbcacef68ea55d369ce33d
SSDEEP

6144:SU1sMYod+X3oI+YkmsMYod+X3oI+YLsMYod+X3oI+YLsMYod+X3oI+YN:x5d+X3CE5d+X3d5d+X3x5d+X3/

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 5 IoCs

pid	Process
2820	svchost.exe
2424	DesktopLayer.exe
2592	svchost.exe
2568	svchost.exe
1968	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1472	IEXPLORE.EXE
2820	svchost.exe
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015d88-2.dat	upx
behavioral1/memory/2820-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2820-8-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2820-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2592-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2592-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1968-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1968-36-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxDB42.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDBBF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDBBF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxDBED.tmp	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5FB14B1-C74F-11EF-8B3A-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a3f77a5c5bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e43b5958ebd604784de9f5ce2c72a5b00000000020000000000106600000001000020000000f107b8e792f66a9752c2b3966331c530fe9e23455837cbd124f7638a4715132b000000000e800000000200002000000086ce295f9abca2df74f94719676902d0597c12220fe744c434f406be1af307bf90000000b7a3a5227fed46102aad65b0cfef0b1047f72930e8802a66ec5a850a55296b700be3492b44b7bed23ed30b650efde8db202dde758e8ec38c5dfe8c26e49ea1e58d9481f699f455c3dd2761b63a82a9d9ef3267e897c0500e55c207c45f3eea1f804dd502ebefea579f55913037ce1031f102162486d37d87d5305ccfb690db31f54b9a5d150a28a60efccd8b3a979c8b40000000a3d6822c49ebb33e32fa71c57cafe5afe732cc617a00f1624046930e791ea3f369b78cfd775dd5ba47eee944e02464f2f801d3604ab3789803bb84e2937e42c8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441794905"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e43b5958ebd604784de9f5ce2c72a5b00000000020000000000106600000001000020000000f60242af4e150a3c76af580722b69bc5de3f53a3c3ff1ef71a8780b2fca1dba4000000000e80000000020000200000002869bc7ebcb05a0a31dfa2c14e2c467df70ef07459ef183fca9d45e55616aa0a20000000b6c18b964ecfeeb6354555d4f333ed6ba68829aaf27fd4d67f07b8275d25baf04000000082de82040d0a96acdab1fca136397642e178609a267aebdb518f983a5ab60a524edbed449f66ac2e47024893897f9ba6d2b392173ecc0b982c776768a17dce89	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2424	DesktopLayer.exe
2424	DesktopLayer.exe
2424	DesktopLayer.exe
2424	DesktopLayer.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2568	svchost.exe
2592	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2328	iexplore.exe
2328	iexplore.exe
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2328	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1472	2328	iexplore.exe	31
PID 2328 wrote to memory of 1472	2328	iexplore.exe	31
PID 2328 wrote to memory of 1472	2328	iexplore.exe	31
PID 2328 wrote to memory of 1472	2328	iexplore.exe	31
PID 1472 wrote to memory of 2820	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2820	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2820	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2820	1472	IEXPLORE.EXE	32
PID 2820 wrote to memory of 2424	2820	svchost.exe	33
PID 2820 wrote to memory of 2424	2820	svchost.exe	33
PID 2820 wrote to memory of 2424	2820	svchost.exe	33
PID 2820 wrote to memory of 2424	2820	svchost.exe	33
PID 2424 wrote to memory of 2812	2424	DesktopLayer.exe	34
PID 2424 wrote to memory of 2812	2424	DesktopLayer.exe	34
PID 2424 wrote to memory of 2812	2424	DesktopLayer.exe	34
PID 2424 wrote to memory of 2812	2424	DesktopLayer.exe	34
PID 2328 wrote to memory of 2740	2328	iexplore.exe	35
PID 2328 wrote to memory of 2740	2328	iexplore.exe	35
PID 2328 wrote to memory of 2740	2328	iexplore.exe	35
PID 2328 wrote to memory of 2740	2328	iexplore.exe	35
PID 1472 wrote to memory of 2592	1472	IEXPLORE.EXE	36
PID 1472 wrote to memory of 2592	1472	IEXPLORE.EXE	36
PID 1472 wrote to memory of 2592	1472	IEXPLORE.EXE	36
PID 1472 wrote to memory of 2592	1472	IEXPLORE.EXE	36
PID 1472 wrote to memory of 2568	1472	IEXPLORE.EXE	37
PID 1472 wrote to memory of 2568	1472	IEXPLORE.EXE	37
PID 1472 wrote to memory of 2568	1472	IEXPLORE.EXE	37
PID 1472 wrote to memory of 2568	1472	IEXPLORE.EXE	37
PID 2592 wrote to memory of 1636	2592	svchost.exe	38
PID 2592 wrote to memory of 1636	2592	svchost.exe	38
PID 2592 wrote to memory of 1636	2592	svchost.exe	38
PID 2592 wrote to memory of 1636	2592	svchost.exe	38
PID 2568 wrote to memory of 2588	2568	svchost.exe	39
PID 2568 wrote to memory of 2588	2568	svchost.exe	39
PID 2568 wrote to memory of 2588	2568	svchost.exe	39
PID 2568 wrote to memory of 2588	2568	svchost.exe	39
PID 1472 wrote to memory of 1968	1472	IEXPLORE.EXE	40
PID 1472 wrote to memory of 1968	1472	IEXPLORE.EXE	40
PID 1472 wrote to memory of 1968	1472	IEXPLORE.EXE	40
PID 1472 wrote to memory of 1968	1472	IEXPLORE.EXE	40
PID 1968 wrote to memory of 1000	1968	svchost.exe	41
PID 1968 wrote to memory of 1000	1968	svchost.exe	41
PID 1968 wrote to memory of 1000	1968	svchost.exe	41
PID 1968 wrote to memory of 1000	1968	svchost.exe	41
PID 2328 wrote to memory of 1944	2328	iexplore.exe	42
PID 2328 wrote to memory of 1944	2328	iexplore.exe	42
PID 2328 wrote to memory of 1944	2328	iexplore.exe	42
PID 2328 wrote to memory of 1944	2328	iexplore.exe	42
PID 2328 wrote to memory of 2084	2328	iexplore.exe	43
PID 2328 wrote to memory of 2084	2328	iexplore.exe	43
PID 2328 wrote to memory of 2084	2328	iexplore.exe	43
PID 2328 wrote to memory of 2084	2328	iexplore.exe	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d8eba881952710d26a8793a94b3d694.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2812
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2588
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275467 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:406542 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:537606 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2134b02daeaf36a21fcec4b29904b6e

SHA1
224b44f5c8f8167cbd3c17b5abc34f3eb7810e27

SHA256
cb1a0b11326b7c0e474abf12369ec8087797ea54db6335870d6a78947cb2e3cf

SHA512
bd9a221ca1ef76e0fbd530b315b140c99d859ff093de69914147728615e7d61e74c8463d60c7a1865cccfcea11a1eb2e0603fbe01e13de87ec18586597f1f7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a88da0af192585f4310c360f425de1

SHA1
852b35b49f54abdc171cd49913f7ebb223cc5373

SHA256
04018642b1153781147d2fb903fe3cdc0a08bbc0a11588e313140a24ed7fa438

SHA512
931120130c51241e1adb91aca372d4948c27dc00781f2ea1de5bf26a86f1c1bd5e009306a8f1ab94a205046e18d2cbc8131bd5f0ce608fe77f3ef72114067556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7da8b38002e37f7e9a2e916914950ed6

SHA1
9542039f79c655b4cf637fefbe65bee9f7246f40

SHA256
3ea4b5a153cd679a6c07bb59f797524e2e288f2135bcadc562f2dedc3c0635f5

SHA512
32f168e9ed98d547d9026cea683e4cbc84976a342e74528d7020d3329e7c02c236ac2d50c6fe9cfc54308be50b0238b6ef8be0087f425e0a0f0004f610150c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
314086a14307798c62c3d414e2ae5cdf

SHA1
f6c0a69d517f6dd7460ea0d7635ae3f90b62cf18

SHA256
3e5d3d915714051719c24eb8322337294182bb7e60e756df49096274840cb98a

SHA512
cf0fd1d345237b7951af4f4cd7c1a3685004934bcda4b4db0e624ab009a924301c22ee9fe75219dab1cc2494edcd21ca26c6a43e06ce3fa4d14fd46adfc21ca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fedc33434f3f93c3b072f3dd6b41386b

SHA1
e4d4450742b6b6ccccd7adc6de11fbed071d0d13

SHA256
241a9a72e939e788e64346b7615a78c5069488df799c8cb18ec353fe444838e8

SHA512
5ddadbff3b0d5b772802ab8bd7e9f13e7a2917777f7e251ff8a7b5681bfcef2a6fce16aedb6e0125a0187aaec49d5cd29fcbd16fccbd8d706e72ff7ddd57952c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc92f8f7f06838643f2f4b1645e7c7b5

SHA1
02b4821f1f8ded96fe13dc8eba480f4137180b70

SHA256
84f23145d34549c7009cbc7afc2f2dfc5b7fcd815a020f1f2ff09238d8b2b4ad

SHA512
73e64326f318801e9c2190f2521be225e62cd28271a7b25dc5b7a8bea7b1c3d4f55258fe8df02c2d8871fceafd4aad3d40177bf0ba105b6ad8aab64bb01c3aca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50bd8efd28a1313e81f3be09005a5707

SHA1
d61e4cc030f9fc22892333b705c8943360c50ef7

SHA256
c38f2e1a2ca648e56c98cbc917a70d665a15d8c430eb11cef4be79310f2abfb8

SHA512
beb514b38fe5730d0dc8f1a2fbeebed4091ba1ee3db6e03d415288494b34bc9e3f60deda12f2158aa765dd6330d6f102ae62b1f6ef56b3a97a5ea02c6de2be56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d727cf7e54fb8b2c061de5e8c7be6483

SHA1
2f8dbda647bd2b99f80851b4b6f2e4bf889328f5

SHA256
f1113b0cf9428b73fac09f1a4e1bea35c9f7ff817d89a8211652b55bda584956

SHA512
40c56e7c05be801af6b1b7cc447ac8755cc8e5ce94957314247d646c4b5c041e76f69cf7ed23113174dd64c6078f95b2b63d251039cfb198773b0bd103b73ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67923c6b9d7600a8f08c6abd48a516d5

SHA1
4c026106968f72ca25520b538319a1ba5da29493

SHA256
cb192663f860df41a4b632c9a7fb4874fca3ef91998d819a21a56224f89bc7c3

SHA512
746c0426bbea9990b4899d16781ea5e91c6ec7818351eaa05a9c8a90398c0c70ada2ec46005ea31c09fb6611577b7f1402f1b55395fb9dd3f9e92135d37b4a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9814bc4f24ca6ddd913fc2df6cee1bae

SHA1
4daa36cad8e57340f719fbc9308179c44373aabf

SHA256
ca02697abf47a6526b2276c00b527846e6bfcb29fe5b3381c4ed13ae959007fd

SHA512
f6b20d1b2bb4828b60d05dcc48b885bb1b71d211f1547ec65c2b364e95881f8b0c70d8ad6ba9decd00ad3e3be471a492d01301624053fef44b99aad3c0de307f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5dceed239e035784bdffc7cf6b26625

SHA1
049b0b903a04c2d33687d03c3dabfa6241d225ca

SHA256
dc5c6cd12dba1af42a336dfa371811647b3b81097e9cdb2605f076a3b02e6799

SHA512
9b01a14e95d906905e6cc60338e1b9c2bc18bf23cb717e63b709ae96592026a33288464797030e5a4153491c2cc4131501115ec2b152eeb6e9ac49c48f8505e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7520afaa96270e816220a08abd6e7b3d

SHA1
a355560e3b731eaf4d68a0de65f2e736a7958ed7

SHA256
4d57f7c28fa1356a8025b40a0137ffd9e339fc9c547e4da8b555c426182c0310

SHA512
22ea4c835b64660db12d18454b9d1b33def85651cba392871abf8c6f6324b76e38d51b9ea6d4a4df28b3beb26e245bba2a17b86b170236e3d9575180e73c44c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e0333d2ba10e4a12943dc13ac91ed4

SHA1
20ae41edd50b3257a4d9de9a43279fcc83f7c237

SHA256
5551867a1e61cebe8bc9971858a89fddbe5dd33af88ed69cbdf92e32c9c1ae3a

SHA512
6497f3f2c428168ff9ef67d899ad6cf1f13cb8c148c51f9bd926c3b523e92c84700b4acd89ab97efaad6ac129e97b27f8b9bc737c5216ec845a3b9a356840822

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5e4f3c40bd4c73c33e1c8c60020a78a

SHA1
0a38123447117ba216d4ec3e4e3f18759320d0e3

SHA256
56feb70ae00ee91a2cf9084c1828a97c4d31eeb9c8c6cbe4de5f7b37c68748b0

SHA512
0934981e65db6ae31d611f9c98f381b3c8b181d21fd66663393de743df415ceb6237acdd572736a7b008626bc37c056f0857843e0e35ae7e2e3d6e3f117242e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42106225b908059f14f1a54c71ab3f7

SHA1
48aeb304d8f3621f06d42d7ec457e79c861f3ef2

SHA256
eaaa36e6907efc945538b3ea5650cde4bc650f7e3476f6efe55fae2e8584c007

SHA512
31fe82b585962eb4dd96d625df8659fd519ba19eb071c0b0ff0214a642e907afe28fbf35f23354f8736630888c8524a6fa4c9445900cbe3ce90f9e8a883f68ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e93ec60d512a16d183f9ec00f145f620

SHA1
5d83f36ee1dd1739e12378582e828a1ac0cdff73

SHA256
0f02b23184cdf8c8d5557d9d306b37b6be5f73321cf3fefef4091e81d63a95c4

SHA512
5d7047a96fde2197d5eaf3e6c4f84b30b27c01825bfdc3f1d0592d94722ce07a3b78836a75e999718ebfafd9594194ee33d38b8a46505807692271797972079d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e44f95ac539f9a173e2339c41296a77

SHA1
21976483a732190a0fd14550368cb8e129b88d73

SHA256
1847e7994864a3c9d972ac8e582e03a5ea94e979a6c3e3a9df08140186dfac3e

SHA512
fc77810ceca3a0b1d4c7178a38e6a77cffe69dc58b10b11adf3472ea6700587a09ba2319de3149eaecf2466073f321b1db0a24fc5bf83f3d04a75f1fe30a21e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd1eabef4fb09252f1387c17215d37a

SHA1
ce47f8afc6a469cc3eb12fddc4ca77e62979e7b2

SHA256
ee8e6cb4852a9f6228581b7be731369f0b3b8ef009d0284543ce0bc0e74545ee

SHA512
923cc4e340953ae604ee67f1fbc80358c314a59b1eed6a199ad05882201fe58e467bbf529e3d6fe4dd83e33fd8e636769e1b0e6b7de287f119169de78b6f7fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0e3190b148e54b645bdbb5138b401be

SHA1
47e6eca50fdd0774cef92696908f4862a898869e

SHA256
c36145c45f0ceb77e88ce99d28715c31b9b9cb8ff835014628015860d94a1b65

SHA512
032b12ef89f6859e69a8e2567752b1fde991c02690f4ab4268af8a09d3a0bab97674e9fa782bc33e3d9e3d4712aa3b4be37e3568708b4842a02408af4a00e194

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB8F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC01.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1968-36-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1968-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2424-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2592-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2592-27-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2592-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2820-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2820-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2820-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download