Analysis
- max time kernel: 4294183s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 12-03-2022 08:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: RAMN.vbs
- Resource: win7-20220310-en
General
- Target: RAMN.vbs
- Size: 169KB
- MD5: e5e7f440ae47fe295bb93034b1edf3c1
- SHA1: bff968fb18c296edabf8ad52953e7c36ae0bcdea
- SHA256: 2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993
- SHA512: a45c68efa11bf061c5ed5fd09e2c616acb2333b67cb1f86382eac88ac1f2fb1120ad2517381e2125eb5a98a5d69d602918cc1ac1277cee1f5a976d8e1a3eb92b
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe (PID 1664)
- YARA rule matches (resource: rule)
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe: upx
  - C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE: upx
  - behavioral1/memory/1664-60-0x0000000000400000-0x0000000000436000-memory.dmp: upx
- Drops file in Program Files directory (3 IoCs)
  Processes (description: IoC, process):
  - File opened for modification: C:\Program Files (x86)\Microsoft\pxDF19.tmp (svchost.exe)
  - File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (svchost.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: svchost.exe (PID 1664)
- Suspicious behavior: MapViewOfSection (21 IoCs)
  Processes: svchost.exe (PID 1664), 21 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: svchost.exe (PID 1664), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process wrote to memory of target PID and process, occurrences):
  - 1704 WScript.exe wrote to memory of 1664 svchost.exe: 4 times
  - 1664 svchost.exe wrote to memory of 372 wininit.exe: 7 times
  - 1664 svchost.exe wrote to memory of 380 csrss.exe: 7 times
  - 1664 svchost.exe wrote to memory of 420 winlogon.exe: 7 times
  - 1664 svchost.exe wrote to memory of 464 services.exe: 7 times
  - 1664 svchost.exe wrote to memory of 480 lsass.exe: 7 times
  - 1664 svchost.exe wrote to memory of 488 lsm.exe: 7 times
  - 1664 svchost.exe wrote to memory of 584 svchost.exe: 7 times
  - 1664 svchost.exe wrote to memory of 660 svchost.exe: 7 times
  - 1664 svchost.exe wrote to memory of 740 svchost.exe: 4 times
Processes (indentation shows the process tree level)
- C:\Windows\system32\lsass.exe (PID 480)
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe (PID 464)
  Command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe (PID 584)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - C:\Windows\system32\svchost.exe (PID 324)
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\System32\spoolsv.exe (PID 832)
    Command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe (PID 1076)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\system32\sppsvc.exe (PID 1764)
    Command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe (PID 1760)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\taskhost.exe (PID 1116)
    Command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe (PID 884)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\system32\svchost.exe (PID 844)
    Command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\System32\svchost.exe (PID 808)
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe (PID 740)
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe (PID 660)
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
- C:\Windows\system32\winlogon.exe (PID 420)
  Command line: winlogon.exe
- C:\Windows\system32\csrss.exe (PID 380)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (PID 372)
  Command line: wininit.exe
  - C:\Windows\system32\lsm.exe (PID 488)
    Command line: C:\Windows\system32\lsm.exe
- C:\Windows\system32\Dwm.exe (PID 1164)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1196)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\System32\WScript.exe (PID 1704)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RAMN.vbs"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      Signatures:
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe (also listed as C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE)
  MD5: df455f0fa8fb3fa4e6699ad57ef54db6
  SHA1: 51a06248c251d614d3a81ac9d842ba807204d17c
  SHA256: 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
  SHA512: f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6
- memory/1664-56-0x00000000750C1000-0x00000000750C3000-memory.dmp (filesize 8KB)
- memory/1664-58-0x0000000076F00000-0x0000000077080000-memory.dmp (filesize 1.5MB)
- memory/1664-59-0x00000000005D0000-0x00000000005DF000-memory.dmp (filesize 60KB)
- memory/1664-60-0x0000000000400000-0x0000000000436000-memory.dmp (filesize 216KB)
- memory/1704-54-0x000007FEFB5A1000-0x000007FEFB5A3000-memory.dmp (filesize 8KB)