ramnit | c26f3cc9f4399c0950f5274abd97df89d3e7dfe70e94c2a668ed373bca42949c

Analysis

max time kernel
107s
max time network
88s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250124-pr6r5szndk_pw_infected.zip
Size

105KB
MD5

b5f0291d97a3624403287d5d91c9b51f
SHA1

7d257ddebbc9194eaaa836b6a22bf08dca13b5dc
SHA256

c26f3cc9f4399c0950f5274abd97df89d3e7dfe70e94c2a668ed373bca42949c
SHA512

37b516b4d1f8d6aab17f38c48dd112f6dbffa0ea0810d6cc295b03eb8411ddb4d1781edc36570a369dd0b8b44fab0e4d960eb2a531142b85afc83efc309ff291
SSDEEP

3072:j5QqHuoOjW5ZeGTYNMrxkaVKkaC/AhwOn4Rt2s6:jvuoOjUZeeQkYTxs6

Score

10^/10

ramnit banker discovery spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 8 IoCs

pid	Process
2076	re.exe
2396	re.exe
2268	re.exe
3352	re.exe
5044	wibiancyhpjegiav.exe
4988	wibiancyhpjegiav.exe
3060	wibiancyhpjegiav.exe
4716	wibiancyhpjegiav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3988	128	WerFault.exe	82
1804	4040	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	re.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wibiancyhpjegiav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wibiancyhpjegiav.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31157953"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3614202991"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1788	7zFM.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
696	Process not Found
696	Process not Found
696	Process not Found
696	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeRestorePrivilege	1788	7zFM.exe
Token: 35	1788	7zFM.exe
Token: SeSecurityPrivilege	1788	7zFM.exe
Token: SeSecurityPrivilege	2076	re.exe
Token: SeDebugPrivilege	2076	re.exe
Token: SeDebugPrivilege	3904	taskmgr.exe
Token: SeSystemProfilePrivilege	3904	taskmgr.exe
Token: SeCreateGlobalPrivilege	3904	taskmgr.exe
Token: SeSecurityPrivilege	2396	re.exe
Token: SeSecurityPrivilege	2268	re.exe
Token: SeSecurityPrivilege	3352	re.exe
Token: SeSecurityPrivilege	5044	wibiancyhpjegiav.exe
Token: SeLoadDriverPrivilege	5044	wibiancyhpjegiav.exe
Token: SeSecurityPrivilege	4988	wibiancyhpjegiav.exe
Token: SeLoadDriverPrivilege	4988	wibiancyhpjegiav.exe
Token: SeSecurityPrivilege	3060	wibiancyhpjegiav.exe
Token: SeLoadDriverPrivilege	3060	wibiancyhpjegiav.exe
Token: SeSecurityPrivilege	4716	wibiancyhpjegiav.exe
Token: SeLoadDriverPrivilege	4716	wibiancyhpjegiav.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1788	7zFM.exe
1788	7zFM.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 128	2076	re.exe	82
PID 2076 wrote to memory of 3464	2076	re.exe	87
PID 2076 wrote to memory of 3464	2076	re.exe	87
PID 2076 wrote to memory of 3464	2076	re.exe	87
PID 3464 wrote to memory of 2356	3464	iexplore.exe	88
PID 3464 wrote to memory of 2356	3464	iexplore.exe	88
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 4040	2076	re.exe	91
PID 2076 wrote to memory of 5036	2076	re.exe	96
PID 2076 wrote to memory of 5036	2076	re.exe	96
PID 2076 wrote to memory of 5036	2076	re.exe	96
PID 5036 wrote to memory of 2520	5036	iexplore.exe	97
PID 5036 wrote to memory of 2520	5036	iexplore.exe	97
PID 2076 wrote to memory of 5044	2076	re.exe	102
PID 2076 wrote to memory of 5044	2076	re.exe	102
PID 2076 wrote to memory of 5044	2076	re.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\250124-pr6r5szndk_pw_infected.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1788

C:\Users\Admin\Desktop\re.exe
"C:\Users\Admin\Desktop\re.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 128 -s 236
    3⤵
    - Program crash
    PID:3988
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    PID:2356
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 236
    3⤵
    - Program crash
    PID:1804
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe
  "C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 128 -ip 128
1⤵
PID:4828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3904

C:\Users\Admin\Desktop\re.exe
"C:\Users\Admin\Desktop\re.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4040 -ip 4040
1⤵
PID:3412

C:\Users\Admin\Desktop\re.exe
"C:\Users\Admin\Desktop\re.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\Desktop\re.exe
"C:\Users\Admin\Desktop\re.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe
"C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe
"C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe
"C:\Users\Admin\AppData\Local\Temp\wibiancyhpjegiav.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\re.exe

Filesize
148KB

MD5
2176529b30915c8261a84c1bc4b078cb

SHA1
295618139e70fa45697b5d874982522080d3a26d

SHA256
19fc976517e355b7a76a113c699f46c9836d2cf5e4ffcae7f74b9fc3ba8be169

SHA512
a4394a7fbec2d8cedc32d5980e003eae56c51dd75e86bb578c91c6fd798e514e154b2c4b4875c4ea6032d449d497522c6c98b338365eafee304ef767212971c9

Download Submit
memory/128-12-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/128-13-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2076-8-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2076-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-10-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2076-9-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2076-11-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2076-6-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2076-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-3-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2076-15-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2076-41-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2076-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-50-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2268-37-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/2396-31-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/3060-65-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/3352-40-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/3904-29-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-24-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-23-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-26-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-27-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-28-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-25-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-18-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-19-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/3904-17-0x000001AF64110000-0x000001AF64111000-memory.dmp

Filesize
4KB

Download
memory/4716-70-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/4988-60-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download
memory/5044-55-0x0000000000400000-0x0000000000439FE4-memory.dmp

Filesize
231KB

Download