Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-05-2022 01:05
General
-
Target
d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe
-
Size
3.3MB
-
MD5
29ec167f930bbf8256a66463872ff525
-
SHA1
4acb67568804342520d71aed66d3d4fc0feac49e
-
SHA256
d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266
-
SHA512
63c1418dd42618f84d68c3fb74356f97f94b1734ee4e28df63dae1632b8a16eef120017070e824ff496aca11ebade6636f6fa7ef52481a3fba258d9005a3886b
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 8 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 10 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 56 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe"C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exeC:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:406532 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe"C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"4⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"4⤵
- Modifies file permissions
-
-
-
-
C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe"C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0FC62E0C-8D01-452C-B743-6A668CEAF151} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exeC:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
1KB
MD5f32eb1a4d8a23d51471527eee47af68d
SHA1eaa2f50adfd587263c9d18550f0397a3394c7242
SHA256b29280395f22940e60913c1aca2ec0f6c121d0171d0f3c182115adc872ef2c81
SHA512d7e9a5099d73d5dde36b649f93dc74afcb30471660bcb5f1088389af2f73ee8b2d3bae9631bb781c09456c8d5ef7fc3af2997bed131e2ea5ad0c72b5e5f9ddb8
-
Filesize
1KB
MD54d965f04ee6c54371570bcc0746daa4e
SHA1b7779931f77414f4c4fccd0e3ba1385bcfb3c070
SHA2567253bfdd76e55efa6931e3cf901086efa72aca24d45919a42f0e6ff0c9efe037
SHA51272b914915ce67faa8c0e626808c80a93bd634fbd0550c147b63244edc84b4d95b52880a4af1f5368546cf67036063c3472d7bcf98773fc3cc8ef130107a46481
-
Filesize
344B
MD5d74af9983d5608e59a8d72a67972e0c5
SHA1b62bbcf62c89cfe6b7fab7966e3ef92255285571
SHA256d7d0f8faba95225355d9e8c113e2bc0291359a3394a6032c8a31b92db77b586e
SHA51298d6ccc05ceb6731cbfd8d984bc7cfde40fc2e980490e411b88d5c63e41fbb7adac728315a4d6a7e2b28771f1fbb04b103a15410e04eeda744737e17045ad3b4
-
Filesize
540B
MD5263444724d07f8424ef7b7d491382f33
SHA1f5dc362dc6a95bc420073941f1e0116f18b4d9df
SHA256cccb8c9736988839d274fa8851974f1727c6f1f2f67ce14c37b96b0fe38bcccf
SHA512bbca61fbd6bf7215eb7d81389e267a8276a2bfbeef7139a0cc85e65a9eb27d159b733dd74e0aa95f431a8f282662a5d1462557778eb03391a10c4bfab5717d04
-
Filesize
492B
MD53cf1aa8487abde25068bad3fe101bd7d
SHA110e3ad3f32e51d93a3cd410467d95b1b17ac0457
SHA2560a70a875ae6ae926b8eddc3562ef2e5442f1d2d0fbb641a79ebe821ac964d106
SHA5123c73fa38eb2798a66f1ce9d7d1505376d2ff2537945184509d5d038eabfd7843f66a70cb03db7b635ab94ed65d27ef339d653a43d23f4ba4489dbb8f50548d99
-
Filesize
5KB
MD539399a907b33629c438cdea6626153e0
SHA17ecc28c60f77216cb087b92d0ca90e8ed8105a9c
SHA256d8e0ddc2beaf685ba972f4bbe8863b0e2d137e0cb88108800119773ea16836ea
SHA5123dd9d4ecc120005c25e70a469534035aa5af77c4cee8424985e20bc7a324428637669d70ff401835df959abb348ac6141b6f3888495dbb154a2aab3aa356de53
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
606B
MD5d488f23a0d6c24a6f9755cd44bf752e5
SHA1ede8b3e6493c4de2c66f2748bd84819ef4c89407
SHA256d7228fae548068e46c85cd9c9fe3b8c3cf41c8dde0e7849da892bbf668166eae
SHA512c178503e1a72626b971fe329a79366ad921ffde5f46b6706ae85d9b4f23dfe6628a596d962ba5a184d5a321a5da884bbbf623ac9f35ed7d7e28dcc0993f3bbfc
-
Filesize
94B
MD5dba42bbc521a15f3414f9d4fb2727322
SHA15c51995b1770a7750631b312c16609ab037c668a
SHA2560207d769451e7511308e5e58acb664e05d34a27402a3be2e4755b20368e6fa89
SHA5126e5726b29c6441079a071b74c2c86ae2f05cba661a1c06e0a247e0969b630d6e8b42f59f6d4084022904713ce24205a4a47e43678c507424a9c183eb674d7e10
-
Filesize
180B
MD52bfcb95c37bebe9e0d70eafb76f92da0
SHA12d95ffbecd2b8c875ee94d461aae4bbcf1cdb1ec
SHA25675e01a6cca97360fe1beec2383750d5f7653212fabe3646f796b263c04c9c604
SHA512d98d0c8bde4a68bfbe95c8b1a5059d8af8aca8ba547ebbdbd305575b733c567c4cb4f6c045e704ab34403b5c8f44ed6a9ea73a288dc1837f389a70134c0b0779
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
978KB
MD5c19991ba8335387ae24c6cd7ef25e9d4
SHA16464ef5c79840112e56bd733b2fd6db599f46467
SHA256bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb
SHA512f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
Filesize
2.0MB
MD51c4a6c4af547084522341fd581796e7b
SHA1465609a615eb247b83d011317943f30ceeb46904
SHA256e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e
SHA512186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068
-
-
-
-
-
Filesize
184KB
-
-
-
-
Filesize
8KB
-
-
-
Filesize
184KB
-
-
-