Analysis
-
max time kernel
125s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
07-05-2023 07:41
General
-
Target
download.exe
-
Size
55KB
-
MD5
ff5e1f27193ce51eec318714ef038bef
-
SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
-
SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
-
SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
SSDEEP
1536:Q+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzE:bROzoTq0+RO7IwnY
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\download.exe"C:\Users\Admin\AppData\Local\Temp\download.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
62KB
MD5b5fcc55cffd66f38d548e8b63206c5e6
SHA179db08ababfa33a4f644fa8fe337195b5aba44c7
SHA2567730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD515b86eae3638caecc2e1723802f92fc0
SHA1b3209d8bb286cc97823e6ec235728f3f563daa47
SHA256b2da083f6040bab810bba25abfaa5c2b5267a515263497df0f5e7b1d291672d3
SHA512632e69c6e79848e2689a4d6709cc2109cf170414afc3448bf3b05f8c2058556f369444bf7d7528568417c11d0a140476290a98d0910485b4d586d239f1deda25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD564fe31a27b22e233c266cf56e7bdd95b
SHA1b7398dd86f359376607a85c03bc0784ed6f3c92c
SHA256061f38303716b0c010a0cb721ee52f09dc819595253de9773a45647b4f65c1a3
SHA512b543b357f09d52158b97fc521ca5abc84dfd8eff88f9c3f2e271db96448be32f3d33d3d445929e8f76d6edd6b0c97ba3a6609fd9b65acd3f9ab5466da6ff8bd1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50934e547a515b69a436bf08f3e94f999
SHA15c625d3d7812030294d6041d1922a81592f50608
SHA2560190908aeeb4b427de05a0edc1f32e6261b7ec1ce2618eb75d87ff8e0fc83bf3
SHA512a4f22c79f18fdc3c2eb55df3db9cbb70cb43da3d76952ba7944cba9d75ec21dcc79f2fe9aa7ec7a4ff43b75fbd49b42a7b428983cecfb11661c9ccd4045def89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD534861366bba09b38a2d9f05f91c4d039
SHA1a08f88441861089f458700c0295aaf8b2208aace
SHA2564aea798674c7851db1b1112e2d72bf3816e6ffe2126166ad09cd75f7c3cfc584
SHA512f32738ab6f685ca758c6197aebf16bf37842aac5cfb651940331403b4dee06c11eebd1a63c708af1afaf7a10d75b01b6ace9f1f4914c09c30abffb3826e5b5aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54d7b91a2c609b9678c065d82cf53d4da
SHA1114b832c8fc3b5fda0dcffd1d9933571a4de534e
SHA2564e1ba4f4901c82ecb05fc63e2294b3d464512656ccaae76a5de1a11805815f29
SHA51293db76bf8f5184e2ed7ef51367f5288b5f9f194ff961aad53f4844c251f2b5d90e3fc87c94af1679aa35fd478d066ac9cbee72f3be69b557b49f874445f60694
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QHKTFKHM\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\Cab87C.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\TarC2C.tmpFilesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ABM3W5G6.txtFilesize
604B
MD594de7a856a65d0152f6ccaa3582f4786
SHA1e9de9a753c18eb039e2c21f3ef5f969e5ac6f05a
SHA25685cb96a03d931304fc50abdbe5904637873f6f97f9829034fea266a0ac100957
SHA5126d790581bd0b57279ea5d21538878289a41eb7b6be6eafd0a5fe679c6a0f75b87ed5c5b2d27dd8e1c077d7833c7fce8cad0d74a4cd12970b0532a2cefed31398
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/832-59-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2024-62-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2024-61-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB