Analysis
-
max time kernel
140s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-08-2021 06:23
General
-
Target
DesktopLayer - 副本.exe
-
Size
82KB
-
MD5
44e92c4b5f440b756f8fb0c9eeb460b2
-
SHA1
ed5bf6e6e4f2b71ba1e0f73381ee64155f9722c2
-
SHA256
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
-
SHA512
378f3fa6f013437491f8c9b1c6bf0bc9641c9bc3e37f8f6c2fabc7402e8c0050d006bd84e251bd801cd37c0be9ded9277d52bc73b64f68aa14b8a6c3ff3f4566
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 23 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DesktopLayer - 副本.exe"C:\Users\Admin\AppData\Local\Temp\DesktopLayer - 副本.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
2c3effc2f8e3e445faa8e5a67c644775
SHA189655670d4bbd2b6329491d3df7c8c338baa83ff
SHA256b924047d5249febf6604b637e6cc3b3c994adda15688beeaded265f24fe6d8cb
SHA512cd1c907df2828a09287027f19c8f9b6823dd2ff53a24ce11a521ed770b54e7c3044470b263932fbf6574b47965fddf43fb08f0025d9126268ee57a2a0b8fabff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
a835c4e6f099008af0ff40cc4860719a
SHA1f6b762c9b8d8277786eb82e94f59f9bf101e362b
SHA256d66d1349c21276f80cd69d0f2fea5a9c37eafdce52e73185d2439a718c456b08
SHA512be4e2578e9278e8e896763eb6895d15f421946874e795747f747989a10efa34fe0ceffcc871e5a1cb2e5fafd52e23ee0f73504cab31bfdf79513b97ec436a443
-
memory/740-114-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/740-116-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/740-117-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2420-115-0x0000000000000000-mapping.dmp
-
memory/2420-118-0x00007FF9BEE10000-0x00007FF9BEE7B000-memory.dmpFilesize
428KB
-
memory/4040-119-0x0000000000000000-mapping.dmp