Analysis
-
max time kernel
143s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
15-05-2021 12:20
General
-
Target
ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe
-
Size
1.2MB
-
MD5
11367c0c2fa926fafd1b72ae2cdb5c6c
-
SHA1
23a9dc526e54a5b88470aa0b228e6b58b916fe47
-
SHA256
ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915
-
SHA512
034abd8024b66bd504e6f2771cc5c29c8fc45ff2a19678777bb9e1b267cecdb5652119475bd5a3ea97259406cf59c84347012919121a248dc9aa4aa7fe71a12e
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 40 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 61 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k rpcss1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe"C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915.exe"2⤵
- Modifies firewall policy service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exeC:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:82945 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c41⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
e7efb2a2b36ab241b6c9b770abf95000
SHA1d4c253cbf80dc65a04747aea4afc91de6a4a4c5d
SHA2564c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8
SHA512958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
e7efb2a2b36ab241b6c9b770abf95000
SHA1d4c253cbf80dc65a04747aea4afc91de6a4a4c5d
SHA2564c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8
SHA512958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
a0a5a4d72ad62fd610b043c84033deaf
SHA1aa5c3deaba3b479e004880b369f63f2b59b23b9a
SHA25635d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6
SHA51220dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
b5a4750cb327172f28c7ca1aafc854e6
SHA1fb6976206e506150d385740465dffb34196dd391
SHA25686da543ddba3127d4fa3d0b78e633c1d13ba9864f85c5d1c3d5c9f87b68bf52b
SHA512ea30191f6efface51cbd2d72964623e86c102c1dd22d076bc5dc68c29efb30653aac433501795c81de20e207c0aaf9397d44bcab330c572b2d79b9e3786f3877
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B4Y2JWK3.cookieMD5
093402755f6cf64dd71ab4c6f6214b9b
SHA16f2c469e5422777f491dad39c9e78b5310b2f0a3
SHA25600372c325e0d408f2cc9d7dc405d03e01893f545b474191548d7837ca3d9186f
SHA512c4fd95a14213687327e101a28c334862a52b453f313e64837b3aabde9a0a9e6bed72c82dd7cf8c2be9bed27f1155c28a879fdb59255fb5fc6dd317af63fefaa6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Z900S8S7.cookieMD5
81d4a56fec0e2d346d4b4a6aea09fc90
SHA114ece75c2bb279d0116939374727401b3e465cc4
SHA25657b62cb9cf3b1e0c91dfe03f2ed66b10e9d0606d1434817ac39f7bfca96f024b
SHA5127e05eb2f88a5535d960b2f5379fb2b40d9386b9e776fb176f39995ba9b1129104b1059850616ab7a098bbd65db44b0ad5877173156a146303f0eb2a38662c102
-
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exeMD5
e7efb2a2b36ab241b6c9b770abf95000
SHA1d4c253cbf80dc65a04747aea4afc91de6a4a4c5d
SHA2564c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8
SHA512958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3
-
C:\Users\Admin\AppData\Local\Temp\ce771bdce099e63c37155069b119c63c7ae2f9125945e6584e690e1edbaa5915Srv.exeMD5
e7efb2a2b36ab241b6c9b770abf95000
SHA1d4c253cbf80dc65a04747aea4afc91de6a4a4c5d
SHA2564c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8
SHA512958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3
-
memory/1536-121-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/1536-123-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1536-114-0x0000000000000000-mapping.dmp
-
memory/1796-120-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1796-117-0x0000000000000000-mapping.dmp
-
memory/2812-122-0x0000000000000000-mapping.dmp
-
memory/2812-126-0x00007FFA58150000-0x00007FFA581BB000-memory.dmpFilesize
428KB
-
memory/3724-128-0x0000000002660000-0x0000000002661000-memory.dmpFilesize
4KB
-
memory/3944-127-0x0000000000000000-mapping.dmp