Analysis
-
max time kernel
55s -
max time network
68s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
24-01-2023 04:45
General
-
Target
AYRFydoZ.exe
-
Size
139KB
-
MD5
f2f0128222f4fdde378133bccd62853c
-
SHA1
2040bde9fa68e318c96bf7433e37db4ee6226588
-
SHA256
887e75c66218aa2570e84194ff097bfcd103a1c0befdf134387a88941b8ec731
-
SHA512
568c63d7cd6395a9ae64d0cda24ad9b2b1158856d1324f72f055c15959c3231ec0f0e4b451b0926bf6719ff844b02cd23405d20cc6e1bde6c0448e223b3332d1
-
SSDEEP
3072:nROzoTq0+RO7IwnYu6VHir3J2qed7WzUXVn19d:RkdNwBF6VCAnJWzUFd
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Drops file in Drivers directory 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 56 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\AYRFydoZ.exe"C:\Users\Admin\AppData\Local\Temp\AYRFydoZ.exe"2⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 5603⤵
- Program crash
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k rpcss1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-132-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-135-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-137-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-138-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-140-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-139-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-142-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-141-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-143-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-148-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-145-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-134-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-152-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-151-0x0000000077460000-0x00000000775EE000-memory.dmpFilesize
1.6MB
-
memory/328-155-0x0000000000450000-0x000000000059A000-memory.dmpFilesize
1.3MB
-
memory/328-156-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/328-157-0x0000000000450000-0x000000000059A000-memory.dmpFilesize
1.3MB