Analysis
-
max time kernel
91s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 21:13
General
-
Target
5b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640.exe
-
Size
63KB
-
MD5
45719d29d45b105b7e7039aa8583d321
-
SHA1
ad010ac4be747184f67153ec6b3bb474a0f52b2f
-
SHA256
5b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640
-
SHA512
38e782f28f5dd51f4c751335f0fa2387cd2ebe299b2effb29861c475c4d518b4875177db7010981da2af4de1162f7f5425374eb29d2f5ccb8654ae668130409e
-
SSDEEP
768:o06R0UEgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9IC9:mR0In3Pc0LCH9MtbvabUDzJYWu3BU
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Program crash 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640.exe"C:\Users\Admin\AppData\Local\Temp\5b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2044⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4460 -ip 44601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
63KB
MD545719d29d45b105b7e7039aa8583d321
SHA1ad010ac4be747184f67153ec6b3bb474a0f52b2f
SHA2565b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640
SHA51238e782f28f5dd51f4c751335f0fa2387cd2ebe299b2effb29861c475c4d518b4875177db7010981da2af4de1162f7f5425374eb29d2f5ccb8654ae668130409e
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
63KB
MD545719d29d45b105b7e7039aa8583d321
SHA1ad010ac4be747184f67153ec6b3bb474a0f52b2f
SHA2565b25f5c707386a572c496b5b3eb0fcbf8829b8bf11cec0caeda66ee7ad01a640
SHA51238e782f28f5dd51f4c751335f0fa2387cd2ebe299b2effb29861c475c4d518b4875177db7010981da2af4de1162f7f5425374eb29d2f5ccb8654ae668130409e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD58208e62f9e9410718ab977459a468ef4
SHA132f165d7bd74d976daa49e8f6955ab354a080477
SHA256a08b7246c78681334ec1247eda3d33ef9e880e98fa52bd1b3d3caad6ce48cf28
SHA5120ddf40e81cc1ea1804dcbbbbb82ef5aa8b6a91cb317d749dc0e42d393cdb23e0db6a4ab7c794f8b97bd4b888b205b206e8e8df5d354d1c6c8aefbb60ed5985c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD58208e62f9e9410718ab977459a468ef4
SHA132f165d7bd74d976daa49e8f6955ab354a080477
SHA256a08b7246c78681334ec1247eda3d33ef9e880e98fa52bd1b3d3caad6ce48cf28
SHA5120ddf40e81cc1ea1804dcbbbbb82ef5aa8b6a91cb317d749dc0e42d393cdb23e0db6a4ab7c794f8b97bd4b888b205b206e8e8df5d354d1c6c8aefbb60ed5985c4
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8B0763F4-6B8E-11ED-A0EE-5E349B7DFDEC}.datFilesize
5KB
MD5b2fb82cc729564294a05ce34da0d7db8
SHA1804a861dab4487328a098bffa3b3a01ddeda6351
SHA25642e54d202854d48e5b7f3437204a6d08f9829fb196589418ec419af4dc85d955
SHA51250ed0bc371d2bd826c8866c8a0f292308e71b7794f1815b25f6f214f3ac3dcff1bb20dce3a1791385973588ffcfe7179ab6472deebb73cb9cd34e75df1993168
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8B0E8A08-6B8E-11ED-A0EE-5E349B7DFDEC}.datFilesize
3KB
MD5dadb5368801128a1ac995e020010daac
SHA1a9e9aaca844e673daaa38d171205bcf1d07efb6c
SHA2560efaa24ccde3536c98b4653eafed016c60e7be847518c46da8b5e1aa214ad431
SHA51227c8f92edcd197fc40228f93e044fafaac86ac8b0013801c9bd994d6d4a6e83362ccbde2f0c880e556debd4f672946b8f8668c8cea2cb2df4844e222303e99f5
-
memory/1780-154-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1780-146-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-145-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-151-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-152-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-153-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-144-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1780-136-0x0000000000000000-mapping.dmp
-
memory/4460-148-0x0000000000000000-mapping.dmp
-
memory/4764-134-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4764-139-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4764-135-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB