Analysis
-
max time kernel
4294211s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
14-03-2022 05:12
General
-
Target
SHITYOURSELF.exe
-
Size
121KB
-
MD5
c497c71621630045eb8d0673ae817d70
-
SHA1
74c6e0b93f8c6d5d5634bf32a47a6c4968fefc01
-
SHA256
b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
-
SHA512
73a8f54b95ccdfaa5f2e42dca771687612e514de87904840f4eac5fc87f0262051e614c0b0f4d576fe99f58b421dc106f45fe3bea011e0eb8bdc2d99e92f6463
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation1⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe"C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exeC:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6BI7NQDF.txtMD5
fe3b869208fab64802ae498375f7bd27
SHA126a728d513854f6b6ab436b8e9944067f92a092f
SHA2560d46ba0cb49c5c0aab4186efb4b7d856be37d64d8b0bef7c35b96d5fdc26a075
SHA5126def5fc68234bd3e35cd956a917b25d41b584556a94dfe0ba9d408bd061011a203bc9f38b2de3c37d9673bf6786c7465d83abc055c4efee2fd4047af1392992d
-
\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exeMD5
69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA25660b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
memory/1016-59-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/1016-64-0x0000000077760000-0x00000000778E0000-memory.dmpFilesize
1.5MB
-
memory/1016-56-0x0000000075471000-0x0000000075473000-memory.dmpFilesize
8KB
-
memory/1016-65-0x000000007EFA0000-0x000000007EFAC000-memory.dmpFilesize
48KB
-
memory/1924-63-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1924-67-0x0000000077760000-0x00000000778E0000-memory.dmpFilesize
1.5MB
-
memory/1924-66-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB