Analysis
-
max time kernel
136s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 17:17
General
-
Target
3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436.exe
-
Size
184KB
-
MD5
511d9653a39a34b1f6463c9270591ef0
-
SHA1
34f2f685603e75d34edbd40632403c0bf6f94dc0
-
SHA256
3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436
-
SHA512
01d6b0e41db20cb77d413a8bc775e0a92756befea139d90cb809f8428110952b3c299b44913cb7a4ac4a8a7af58934fcf398b6fc6962b28eb4e48925c551e564
-
SSDEEP
1536:UsFkAwGhzZh2UXYmvdRmSZad2jN0RAD3csVO9/w8gN5aXZ7TyizULeCTL3L7:TkAwuzhjdRmSZiAna/w8gCXZHnCTLL7
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436.exe"C:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436mgr.exeC:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436mgr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5076 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5b0805f4e7a0e1097f06666c2c7fb6258
SHA1aed1cd5a47c14337a2f466017b14d8d1d3957528
SHA2568e89555ec29e872a1438260acf5cc27360c247af708330a337bde5f7cffd3843
SHA5120ad13cbce2b872e7573623358cc57127ecc81e019d09738e30a425fcd41dd040e4b57368bfc7277dc8f5bcae8416c4486267ad97e3fdcee2794720df9f5c9a0f
-
C:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436mgr.exeFilesize
91KB
MD5551161ba25d6c58cf6a4afe7587f7dcb
SHA13f36d947c0d082433bb121a9914b4841ffbfb5af
SHA256f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58
SHA512f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e
-
C:\Users\Admin\AppData\Local\Temp\3536198df2a492cc873ea37fbe37f487d012ea4c5850e6dc9023113c71eb7436mgr.exeFilesize
91KB
MD5551161ba25d6c58cf6a4afe7587f7dcb
SHA13f36d947c0d082433bb121a9914b4841ffbfb5af
SHA256f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58
SHA512f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e
-
memory/428-147-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/428-132-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/428-150-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/428-145-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2520-140-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2520-146-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2520-149-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2520-148-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2520-144-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2520-151-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2520-143-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2520-133-0x0000000000000000-mapping.dmp