Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 10:36

General

  • Target

    9ffc67b3f0b49e35357ee68dc59d074e38035c4d34476170c4610c131d4a7e22.dll

  • Size

    231KB

  • MD5

    00d354ce7ce7e61c0288f0970f5bf2d0

  • SHA1

    fc05475d7f0e20dbefbdf3c7637004fb66b9e63d

  • SHA256

    9ffc67b3f0b49e35357ee68dc59d074e38035c4d34476170c4610c131d4a7e22

  • SHA512

    7be7233bb2660bfb22460eef2ec72c59cafff6a326c6d0122fc6b2ff8b751f69d5f5b068e4dcd6d23f67d2e30ff00c078353e022e0afa38b01fcdda3ba6209d8

  • SSDEEP

    3072:+sGwxP7Ghb+GgJ2r1fHZF8+T7+B84TZpxGAtl5a6YsbGHWSlE5t6ZoiLCmGK9cO:pBQ+aVXMB84TZhtusbA3OEIK9

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ffc67b3f0b49e35357ee68dc59d074e38035c4d34476170c4610c131d4a7e22.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ffc67b3f0b49e35357ee68dc59d074e38035c4d34476170c4610c131d4a7e22.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          C:\Windows\SysWOW64\rundll32SrvSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
            C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3368
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:992
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:17410 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3832
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2628
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:780
          • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4908
            • C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
              "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1452
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3476
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:17410 /prefetch:2
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3912
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2988
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:17410 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2556
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1384

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

    Filesize

    168KB

    MD5

    c64813adfc336147b0e6230f949236bd

    SHA1

    cd3b7088c1e071ea93952673a4c59edbfbd619cd

    SHA256

    38f3ffec87edfe3ff6da75cc8604651b8170581d780ee5b258bc591fe72e6c6f

    SHA512

    8a2cf2459f810c33caf1ad4adcc241ed4b63c865703e4ff36b198f7f994a28be8abb9fbddde939931f0daa214522ce7b56696cea088068f127827cf1a2a9a628

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

    Filesize

    111KB

    MD5

    1e58c74d262752a2060fbd8010d75169

    SHA1

    9adb4d47fb327e7f7293130c424c64e27ce6da2f

    SHA256

    05a0c977d25de24bc7778ff6b83f81a94f555a181f48dac40fab303c69b43d98

    SHA512

    22185e4742b69d1167b1edfc7025014794cee91b52573245a969c1d416def993b4a284679ed54577d4db1dbb7931763abb7a3d777e7c57492f52bf970ee42090

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

    Filesize

    55KB

    MD5

    42bacbdf56184c2fa5fe6770857e2c2d

    SHA1

    521a63ee9ce2f615eda692c382b16fc1b1d57cac

    SHA256

    d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

    SHA512

    0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BA9C4798-6990-11ED-919F-4EF50EB22100}.dat

    Filesize

    5KB

    MD5

    bae9aba39f9bcc3f3983e8db26478f62

    SHA1

    d1f32a5d65c40e2fa79558ba07804492c6f39848

    SHA256

    285053e251868fdf2791b5c31c3a276056389e31415909736a6c1df3de0ea547

    SHA512

    c1d34ec9894972a2132be97db81b6e73097f51b2fb7cdd5db737c11b6ff4c91fd5118e6cbcd5766344d4b8e83bcb430defdb7b4aa9fb4bef827fbf65b9db3d15

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BAB67E08-6990-11ED-919F-4EF50EB22100}.dat

    Filesize

    5KB

    MD5

    4f28a233e54269fc76aa1f7e7bb1376b

    SHA1

    4b45f1ea1be3c57c0cd7389e00e1d5fffe89c055

    SHA256

    9dbac2c143c414052bd99abcb9e8fadd2c0f9f8d3f84a430be7d37273695e607

    SHA512

    14f1eb433bb1114de4f8d0c53f99ec2a45728e3a4165fa294967d5d3fe5fdf73bdc26b3888f6752276c099cae7081f3a8cae7863ad9c4e650ecbb65b7c2854e5

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BAD0B566-6990-11ED-919F-4EF50EB22100}.dat

    Filesize

    4KB

    MD5

    7b27a7f29b063972966bbcdc1082507c

    SHA1

    64b7c52fd1eedf19a5ca2e59630f22c44317a3fb

    SHA256

    131a699b60ab06f4892b2600f495a755dd0e1c2a4a28a34a53ecb9c3094e31ff

    SHA512

    9e864d015711a5b887380c87da2aad676729d2d176bbdb68e4211b8698af1ed8b2ed4039bdbdf840a66acdadccbddd59a737281f8f0b06672c86acba6b002e30

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BAD0B566-6990-11ED-919F-4EF50EB22100}.dat

    Filesize

    5KB

    MD5

    7b47606e559bedd30ea11be21fedd2a8

    SHA1

    ee24244628c387499e8baaf9b247f11e993ea537

    SHA256

    3d8f5b752ed41d883092b781fc341e7d54d50dd10a884b0f0d89c54e3a40a6dc

    SHA512

    d8feb999d1205d4a43e8c510e8219bdce84c8bf2d8cad22d74947b0c22358fa23d7246b8c7d67150b52ea7e82b248d979e38e3b7abe2ea5cb1a17b643ae23aa0

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    168KB

    MD5

    c64813adfc336147b0e6230f949236bd

    SHA1

    cd3b7088c1e071ea93952673a4c59edbfbd619cd

    SHA256

    38f3ffec87edfe3ff6da75cc8604651b8170581d780ee5b258bc591fe72e6c6f

    SHA512

    8a2cf2459f810c33caf1ad4adcc241ed4b63c865703e4ff36b198f7f994a28be8abb9fbddde939931f0daa214522ce7b56696cea088068f127827cf1a2a9a628

  • C:\Windows\SysWOW64\rundll32SrvSrv.exe

    Filesize

    111KB

    MD5

    1e58c74d262752a2060fbd8010d75169

    SHA1

    9adb4d47fb327e7f7293130c424c64e27ce6da2f

    SHA256

    05a0c977d25de24bc7778ff6b83f81a94f555a181f48dac40fab303c69b43d98

    SHA512

    22185e4742b69d1167b1edfc7025014794cee91b52573245a969c1d416def993b4a284679ed54577d4db1dbb7931763abb7a3d777e7c57492f52bf970ee42090

  • C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe

    Filesize

    55KB

    MD5

    42bacbdf56184c2fa5fe6770857e2c2d

    SHA1

    521a63ee9ce2f615eda692c382b16fc1b1d57cac

    SHA256

    d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

    SHA512

    0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

  • memory/780-152-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1264-144-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-157-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3368-156-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4108-148-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4848-133-0x0000000010000000-0x0000000010055000-memory.dmp

    Filesize

    340KB

  • memory/4908-154-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB