ramnit | e2590e5ceafe57b1cc2b8fc31498f1eab109f5b3b1f157fb23564cb7aa4b3de1

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_421328376b4dc78d474c93aa8333a110.dll
Size

280KB
MD5

421328376b4dc78d474c93aa8333a110
SHA1

718a78297389cb5ef74f23037ed5501c02acceb0
SHA256

e2590e5ceafe57b1cc2b8fc31498f1eab109f5b3b1f157fb23564cb7aa4b3de1
SHA512

7b50352e98b6606519719d10d0e7cbe2275d751f54c477d6cf8d4b87048f33d32f949dbc8d3619dddc151abe21a2a5772eaa8b8bf2d2d690d55cee2611f5820f
SSDEEP

6144:w4cBIsIikn+3HUYzZ2HWrXzXdgASLB2X4X+9OaisR:w4cBI5X+kkkqjXdpX5Aais

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2800	regsvr32Srv.exe
2936	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	regsvr32.exe
2800	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000122cf-2.dat	upx
behavioral1/memory/2800-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2800-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2936-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2936-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2936-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px559F.tmp	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB893FC1-C7DE-11EF-A4A7-66E045FF78A1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441856360"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ = "ISetupScriptController"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ = "ISetupScriptController"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.ScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_421328376b4dc78d474c93aa8333a110.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine.1\CLSID\ = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\ = "InstallShield Script 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ = "ISetupScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ = "ISetupScriptEngine2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ = "ISetupScriptError"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ = "InstallShield Script Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ = "ISetupScriptEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine\ = "InstallShield Script Engine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ = "ISetupScriptEngine2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_421328376b4dc78d474c93aa8333a110.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ = "ISetupScriptError"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine.1\ = "InstallShield Script Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	DesktopLayer.exe
2936	DesktopLayer.exe
2936	DesktopLayer.exe
2936	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2688	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2688	iexplore.exe
2688	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2188 wrote to memory of 2676	2188	regsvr32.exe	30
PID 2676 wrote to memory of 2800	2676	regsvr32.exe	31
PID 2676 wrote to memory of 2800	2676	regsvr32.exe	31
PID 2676 wrote to memory of 2800	2676	regsvr32.exe	31
PID 2676 wrote to memory of 2800	2676	regsvr32.exe	31
PID 2800 wrote to memory of 2936	2800	regsvr32Srv.exe	32
PID 2800 wrote to memory of 2936	2800	regsvr32Srv.exe	32
PID 2800 wrote to memory of 2936	2800	regsvr32Srv.exe	32
PID 2800 wrote to memory of 2936	2800	regsvr32Srv.exe	32
PID 2936 wrote to memory of 2688	2936	DesktopLayer.exe	33
PID 2936 wrote to memory of 2688	2936	DesktopLayer.exe	33
PID 2936 wrote to memory of 2688	2936	DesktopLayer.exe	33
PID 2936 wrote to memory of 2688	2936	DesktopLayer.exe	33
PID 2688 wrote to memory of 2696	2688	iexplore.exe	34
PID 2688 wrote to memory of 2696	2688	iexplore.exe	34
PID 2688 wrote to memory of 2696	2688	iexplore.exe	34
PID 2688 wrote to memory of 2696	2688	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_421328376b4dc78d474c93aa8333a110.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_421328376b4dc78d474c93aa8333a110.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73dea8f8f79eba5ed146a8018ecbffb1

SHA1
da7426dd4c1b547b80cd96add7b8196e82400154

SHA256
5f881c68d396b5776319fdd2100e0c5802fc49115abb1381e37e66e9b7754368

SHA512
81ed875fa23630202cc303eda4292a943ab31283fc41b92b55db0d13a7079418df976b69b11930e1a3f233838338beb375340b55c8bfc3b867f8cfcee589622b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
873f93e9250f793fdb55d4e1707166f9

SHA1
0ace3bfb4c636f489cf5b9cc847c9bbc40b5980e

SHA256
7870871c3d92ea03de381befce58624fcc29bde959a359f45326b1082e7b6219

SHA512
c4b64d530ec89b8df3f2aeefecb2638714819568b7d161b956c3d9ed49d14681cb9bc7f11df0e70c7918804d41dab06476d58d28f48479a5808c857646ae2cd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9caa487ecca76255b478b9db502a21f

SHA1
97fc9158fc008419d6a2ac2ffbef8d7baeb45b26

SHA256
4a9fc859d0857b4d21fdb5450360507856e23cd704273c03998f699971b1aa79

SHA512
7683ae869e77ba2fd20a9490b61818c03fb4be037043a3a8d3acf070df228c235f3a9c9abe8b07b88aab48aa0cb7083f1897b9eac56f0e71258bf5bb2c6b6505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb334a5ad9be618bfb823cce9c32708

SHA1
1db95806e0e0404c64b3eca05754f62a43fb0c63

SHA256
3785985e74ceba0e4466efdbc180f2a02378922886d613eef7d17145efe772aa

SHA512
f6340f40f1de49a17c50e7fda5ce403cc9f7d02754b88dcaaccd6974ea7aca6f7865947270df981cb68dbd73c2990c275ceb420f6c179a86e1b10f408ebd08f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8606bcd93ac827a3748a5bb51971ea2c

SHA1
1c281ef3e59791061d54b40dfe83a989022aa8e1

SHA256
02af8c3210765ff4bf869b92b3d98e609ae720cc36429a01ef6553f92ab72da4

SHA512
ca53661aacd5cff9ce71aaafa6f3caf1d0a12c42e610c92debf9fce10250f681a71a93c23e77a0c6fb056ca0694ce6ebe3f6d9ace8aee47876d37d727d26c873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
044ef1cde70d212d8085c0e6a2511bc1

SHA1
92fbfa6a0808d244accdf55ef093f8e78ae70bfa

SHA256
eb061f9a727d47f031b11ce6fd42eb8a8b189beefacf9a9266eb8bc80e6e5aa2

SHA512
328b8d3c49857d29f20bdac5955867f38b50ec4394a65f990f5086a0a194127483a052e0cfc6b986c7e011991c6b082d62e42b0676e7a4501a873ea6cccba3cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7247e1d7cc786e4976d0d86134d40da9

SHA1
abc8bab1733eb7b6a1a72607efa5e4532a64983f

SHA256
529c5d786c32b4825088a2b7e90f064c989485171df261c68a6913aa4815138e

SHA512
d3eed13ed466a9c6cb68e75ac3e32ccbb484961f368a2d3e15ff318182d22c74358d06b178b872740023ffd3fe2ff5c49e795679af6e4a224e660461acea454e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b94aedb267757885d0bfd889f679a9de

SHA1
45e92accda7061ef0230fa3af148595a9ffbb920

SHA256
9f2dfefd1c66e7b15d62bb4d5fa7ccfd4ef6b30b2fcb623830615a5a1ac37807

SHA512
8257a2bc59115c3e21a371f02ab4b3e86cc1f15f1ea6bf157bb26c9128536f620d5f931b519bd39dd9004fd7af139cc9ff6dd6186c297ff0c075c3c3a2553f35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c1d95773d6170ed8745318b3c7fcfa3

SHA1
1122a6ae3d2d2d9031a89b5b13f9265d6953a79f

SHA256
bf76316065d8df61fc85f813464d5c27cf41c498f6cca4c7cc10e94a21e3e138

SHA512
4e19e72a05e3fa32a1a7e027ceedc687a1942205fcb0f983336b1a14cc605a85f92f3de2fcb0ea8394be1a32a9c9718105eb945dd9541fdc544143f335fc4d1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eb0adb74360f5d70970a4d9140cf598

SHA1
330b1f340554232a3bdd98dce5574910c4df5184

SHA256
0769037652e001bd4c8ff9cff0ba8431c444e6179dc1e2c90c1656022756a386

SHA512
ecc4a83e03fde747bb0aeaf9d7ae396a5e93ba685d2ba9c0b2025f636bd84d18e93c90f7de81204beb4114805968ea9811a5d6325d36a1fb51f36d45c7719ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd3ba199f4b3f4c76251c5025d902f8

SHA1
dd793e80e1d2a3c5bb0bfe4c2c8f558626e10ac4

SHA256
a08f6dc78f187f09063350c708eae4fc305b7ac8d135e831a09f57bb4a145ed2

SHA512
669af92cbe0bb5aeeb5b724678ab27b54638089a1b817b1fbcf8ecb5898bcdbeff0caf3bb908cb52a19aac96fbb8731b7f1b737a50e1b7037a35ad5d59411ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db085bde7c7bfa561297204f88693f7b

SHA1
44725e16956c5bdaedf05242606730d669ca475d

SHA256
a297131f715feabea85e6bb7044c829d2e2731a680280d90816dea917290f7b1

SHA512
e2eb6421f22bc2210f477606c78d1f89fdc0dc888d4696844f667f175536e020c1866e59afb54a8d13793cb0cb988a001f8c34ed93cca60295de335fedcc40b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
247e59392ff03f8e7e9d8d6f57edb51f

SHA1
dd4cccf064dfae0e15cffa3aadab8774475a44bd

SHA256
a94047c7ed5c4388fba4c2fd955c45069a21ab32133a53b0981552bc79649cbc

SHA512
f6f94c9aeea7739a10d54ac4478e75b296cbe7b561d06cbc4fc4ba2979c4992ed603ca0bce7b94113dd2b3930e131217eb6abd9f16a13ee00bc82aaae8e7ec0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d7ee26196758541bb6351888a710dd6

SHA1
e041ac4f32b0dba08efc1c522551b8a61ef5ac85

SHA256
f69bfdaff9a8343d2e74bc9a908e34a57179e49f42e16021329ded10257ac800

SHA512
aaf430efffbc6cbe6103d60f826f3b54010ffeb973b2bb5dcac7793096e63e2b6bc2e8fdab403df2cf6386422a8c7fa5eab10af528f59eaa84cef8cf703a8930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e46921a3d53702f9543b84634eefb5b

SHA1
4d3953f3a8688baccc3029b696c5c3baab4096ff

SHA256
24c38cb154691d23417c50e31a958d6a1498af87d73c70ba0afc4922f3f86a96

SHA512
ebb72f5852439c6e6bb5371a5d88311bfbc17da22a02cb89e505997d66656859c330106b06b42febaa80d06c580ef31f9ac5f7f1f933c46cc8a40795816fd5e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cbd4e79771fdfe227f3d669b9576851

SHA1
8f9c3190bc23c965192acd319e4f674a429b5baa

SHA256
60cf6f384352919b19a42c4b87f3702c353e788c1ff0f39fdc224321d0e7f5bb

SHA512
53d372ada7d0badb819fc9809d13a4e2a77a93528e06b7e5e4271faa9bbf844316b51ca79e636477ad36195c2635a5a0326c0e0b54d2c9b8614b839973f14371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba02df6f218b78c403689a07cc41f5b7

SHA1
506adb6e04b72163843af7ff30ac486b6967fd01

SHA256
33be34da817611b1e703e97ae8c2764f1d6c70925b10a315cc7f675659bb02d1

SHA512
1579358e78c50b8f8d9b4389c8b3e0d3288eb409f32c5a92d880904337ccb05a20ce1bc22c99dfe62eba6d2a032f582e44b13a689a4d73aa1c249f11e128b65d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7be60189512028b6e19117970c40f0c

SHA1
9ff123f8084c598fc108a4cff397acd6467cae6d

SHA256
8f9ae206eea6b9dde677f6df0986f55e4bda6a209d38768db5deb69a4d5b195d

SHA512
eb87dd277f9730c4aafbd2f5d18d9990bf7c0800cb9ee182000ed35d92efa64aa665ea5f6b1e9296891854eb471eae48296a87a23cec62591edbfa5dfb1d1cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe9cbf3e908cff21654f6d7198fa785d

SHA1
580350f400be1639aab8742a7b3fd2c013c0073e

SHA256
25350317977e34424921f7d0b3de5d98e42df4ac43a5efd9d5eb675ec40cf215

SHA512
c1872310e2619db79b9024ff0c953d98050c4af562f1739942857597eea7acf9fafb5849d17e16ca48791db2dab2a0d890284b397738913d4acac4cd7b983aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6AF6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B66.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2676-1-0x0000000010000000-0x0000000010047000-memory.dmp

Filesize
284KB

Download
memory/2676-5-0x0000000000180000-0x00000000001AE000-memory.dmp

Filesize
184KB

Download
memory/2800-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2800-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2800-9-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2936-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2936-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2936-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2936-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download