Analysis
-
max time kernel
99s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
24-05-2023 08:05
General
-
Target
sample.vbs
-
Size
110KB
-
MD5
8dc859faaae724496048e07a5110180b
-
SHA1
58b589269f78f36bd25eae913984c2e904d9e359
-
SHA256
5a9b347e38b129cdc4fb31e15c01381c60bc4d9c29f3129a78a6f03648e2273c
-
SHA512
c612ad3d9b4f8917e4406fa2edf7e5a24e66da3e09c960f823fcb2fa48a87634442be78f67211af80c7cb703015d6a5db12a8b0b8480c2d2b003b921f721b800
-
SSDEEP
1536:AyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGCsQSY:AyfkMY+BES09JXAnyrZalI+Y7
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sample.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD531f034895c6b95bb21e27212c881eab4
SHA1b7db8ce06521e65f5949196272edcee348da5490
SHA256a64450b71f51a7518bc8d44ebe497411f1d72b936ef6f688ad27dd077313c2e6
SHA512c92b474fa70f0d93f79ea826c498bf7005cc69801bb267ce351f8cfe01d6d1e03723a9f81a56b2d6593f8434e8003d305ff7c80aea025be38238c9be4251749d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53ba16fe1598ba963c1403835df2d9707
SHA15e9a2a812dfbd36af55d2f30ba90bf2f2f8a1858
SHA256abd352c04ded97e171abaab6cfd84957ea2c00a270c69dc9b53cff89154d71a5
SHA512274b0dbd1f5999227841d5a96b1a61db1c99bcec47cc13b64e129bbdf2dcc5697b04187c97bf9bff6bd6e14918e4086250bea0d5489eacdc587545636d65d6ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5524d25316bc1949589837882ef92c90f
SHA18440de79cc00ce84c44d9ae016909bc3b1a87cb5
SHA256df3cdb77c5ff02645af3842b90f110c3adfaf318a14b71f7d4e526a269b1e9a3
SHA512da8c7426b1dfe14ccc411a342e7d6296bcff0d00f2a1628c90975dd92b5e844c5ece83337bb18728b02aaa7bc2f45ca232366f11c0c16135a06a13ccd562c651
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5867b0e1ec93b30c545ce575e81d7b515
SHA14024dfd9cc207bc61348562fca49c85071f72f62
SHA2561d98c568baa739b26bae97628108e828eda018d5990cdfd38c4c4cafe620a98e
SHA512a5511b5f2fc80b8894e274c57ec50ea3b2b9647c966cff9a3bc71b058299d0c59b05ff0b5a6ca57a4d0ce66b62293bc005e14bb8c3c6e4411efb7f4f16fc95be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d8011e6a4bb23e1bf5d44a84d76c4c64
SHA11e27669dbbf86e43be580242bddcaa579d8060b1
SHA256beeaa76091cd6871a076838f7ef6534122c568791e6e84cadf276d417c225fc6
SHA5127d82a866828078d37b701b6882e00c0d726f6c87520a3d2890a709be05e49f429f960154c772851f1dc6238893d01687cae15c820b93ca21e827e0645fd48e95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD59cd4f05a1c1748635f0d41899370678b
SHA1c7ad6273dae1f163c350810e81aaf408ab262eae
SHA25604588ffed562aa65bfdc874c808001ac3b4f397d661d6646e6bd0c39c4cc0de4
SHA512a75a1ddddd9040e661573541bc63cf41293f434ded9b15061a97010c5fafd544d4dc0c3f40c51ad9d8855421e801caf3816847f39b10a53f089be02f934fb471
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ce7ef036606c110f1f290268f6f7f109
SHA1ecd39380aeb82b53afe4bba918449beae0e05f7e
SHA256bb53b41c16c2d234a211b96cf6c16bac6d50b8026c9d902e369466c0e7d036bb
SHA5124d1561a8d5035187d63aefe3d70170f222c2124a1eb0db5650e471540b6cbd84c34f8f70f7ecd52dac3d4cc6d8ae7890b02da669128c62b82e2f59a5a253c824
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\Cab784E.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar7990.tmpFilesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\77SH3Z1E.txtFilesize
608B
MD5628e2600a42531fafd5c72e488f45bba
SHA1118d994a900347f1c7eedb1b8b09b7d087464d2e
SHA2569087618a6f88abe192cbce306e8f47944dcfbe5d4907074df91c358c78ffcb44
SHA5125e1f4dfe206eaf8f7209c385b31805cebf9be1b82404c39c30c2e878aafdfa21acf2e1d8bb972fb605abb61ee9b9e50217f4cb85ecb0e1fba1e19d49bcd81091
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/728-68-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/728-67-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1344-64-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB