Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-01-2023 10:32
General
-
Target
aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe
-
Size
381KB
-
MD5
0957d5d8d21751f2fd1ad2015b19abe0
-
SHA1
c098ddc18a8a0dade35436f968eb43c1f4c9253c
-
SHA256
aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
-
SHA512
a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
-
SSDEEP
6144:3rK18vkksg2P4vWigPJJJPJJJGJJA/+aU4Kau:3rMlM2QvgPJJJPJJJGJJpF
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe"C:\Users\Admin\AppData\Local\Temp\aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 2043⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:82950 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 2043⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Local\Temp\yhrdjtahwqovjxtw.exe"C:\Users\Admin\AppData\Local\Temp\yhrdjtahwqovjxtw.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 700 -ip 7001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 856 -ip 8561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD526cb63224b51d99ce887c9ff8130a338
SHA1108ad165d80234621dfba3fb62195a26ce821acb
SHA256c0a8afd7b1a047144b9cf337e4518f7ce1b5108dbbd135e593b4411855222a41
SHA5125f0782919fdc942a1614fd76e25b62c74e96e4e8a12a30b1162db2d9bd3fd6ae8160c3edc101f7ea80137aabdbae62ae57bbe29b96b995b66f80162a647bd76d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5ea73985ae8ec679af86fa439567262f1
SHA13540101d552b92bfbe45cb6097beb5d50cf3f78c
SHA256c1be9b0660ad90616a79c201426811de2530010e74ac272d162099f418326b4f
SHA512ae74cdb8794dee7d1bc84c4af78d866818bcce41c16104ee45e3b812eea501b31c31df1315c881c638defa46d36a98571e71064e44b44d05678507726830e05c
-
C:\Users\Admin\AppData\Local\Temp\yhrdjtahwqovjxtw.exeFilesize
381KB
MD50957d5d8d21751f2fd1ad2015b19abe0
SHA1c098ddc18a8a0dade35436f968eb43c1f4c9253c
SHA256aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
SHA512a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
-
C:\Users\Admin\AppData\Local\Temp\yhrdjtahwqovjxtw.exeFilesize
381KB
MD50957d5d8d21751f2fd1ad2015b19abe0
SHA1c098ddc18a8a0dade35436f968eb43c1f4c9253c
SHA256aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
SHA512a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
-
memory/700-134-0x0000000000000000-mapping.dmp
-
memory/856-137-0x0000000000000000-mapping.dmp
-
memory/1064-132-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1064-135-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1064-143-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2552-140-0x0000000000000000-mapping.dmp
-
memory/2552-144-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB