Analysis
-
max time kernel
134s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
31-05-2023 11:45
General
-
Target
RemoteUsbMapSrv.exe
-
Size
55KB
-
MD5
ff5e1f27193ce51eec318714ef038bef
-
SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
-
SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
-
SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
SSDEEP
1536:Q+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzE:bROzoTq0+RO7IwnY
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RemoteUsbMapSrv.exe"C:\Users\Admin\AppData\Local\Temp\RemoteUsbMapSrv.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD537506f341f675b5a5e24027932013942
SHA147c474cbfe3e8228d46749293792980348875406
SHA2564cf564165c9637e306dff78c1428fdc1f2b8c2c7cfb04f62b7f57111e01b09a7
SHA512853189bb4dbec3049264c9af79c42d20166e281ed0f47d9a08180301c2a1e7198491def5ac83eaffc124b4397dae08d645f364b4acf0d7ff4a004f82c4ab3c91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50c6453c1674cfa9532c1bffc6345976a
SHA13469797214987ab7944ee6080bd368ca53567d38
SHA256368bb76be35942fa107763776c2bd66043ca33c1705b4199e7c60b76ff862e66
SHA5122c9ac898e49ed771c4911727394d074b18680759bc1fe3a065842553e2c53558b9c2687248e70ea273e5f1f4622f51364df1ae57527e0b6044125c112f30d51a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f1b04e10f11736df1ed7356aa3fe7675
SHA121a6e549824c577daf61e4676cb6a24ad3c16813
SHA256202790ce418b98a54d91cd4b72cee0f642a71c90ce0df212db231ca28f8d9fa2
SHA5127b3cf2258ca9312662a201cd4b8bfeab599f8e5a736375dfe28d3e387ef7c42f99e9193e75cb4db807b569a1ca1ccab5565ba4b5fa28ab0a2d61a9fb44be3a2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53eaf135f2a3f8478e221ae42b5aaa829
SHA1679397f5d4301df0d058d0393c9709da1fcc4e92
SHA256f4c450151cc4a93eeb8b1fca9acb1719c94d6d3b3b65c619baf8c033a6e57e13
SHA512d427ed0598adc860f2bd2a0ba47a56793a696a43ddbdf2549e7e80595d0f89c5879e3f1fdef2fa37635812c56e50699f5d8f114ef914fa7ef8383f0f9e68fc62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c8654d065770ec0a9720220f99cab1a5
SHA1a7fe6df0e15877ab3cd9a31d7a5a0868ee1b0b54
SHA256d95a79b207e40260ef03a80cad1acfa81e713a91aaba691532f50c8efc13891a
SHA51252b85a32cd0cc9478733830b01a7262697f7e8cdbee1ca99d8ed1550bc449d1c7c33a8ed834b35a0e4e91a727656323775acd509233c012fcf970fe313df546e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f4b11e65a1ee4ae2deb8ce3f40d31f05
SHA1eca10e24542ec57b6ee323b1a1e49701b43ef520
SHA2568b49a62347a6f1584b4022455be5a8c7a7cd4bc38d46a1377d4e527970127752
SHA512a5fb378e4732ef44e95af531ca4def69fc2db05a1b59329257913f6ccb8b8df247712b7439c8a6e89729b20cc28412cc6c2cdb4c118d375c27ffdd89b6f2f4a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56645b8e6786b42d342b21d9aa900eea9
SHA16816016d4f78a67edb82725e7a3fcf8fa0d5b3de
SHA2566959490b331de2407ad6aef2e6b1bb9812aa5a1ff05f4854c417f38f88937316
SHA5128709ddeeed18d93ada7b7f37e3691b838b73ba638fb0538b1675d7d2fa210505b10319ca956e434c2f03f3c5a42601e8ae4aa3690355365618e2cb26859ce177
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD58c47fd70d94a632f209cc3b7c48a0c83
SHA12aeb1514471f2360fc826ee9d9151c4c38228a14
SHA256b5a77b508625b983a60a56680e0baba110785c578b070adffc6e78d4e2bfbfa0
SHA512d3861e6b3cfc492507482ec83221b53db9393aaf363f00aaa78aaf71aaf00c069a3fe366c4c8ad5047f5f659034150a7a337ebf2696c528407fd9845d70f2274
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\Cab3A64.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Cab3B92.tmpFilesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\Local\Temp\Tar3BB4.tmpFilesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P59P23OI.txtFilesize
607B
MD58ad814e288a9392c7913cee28d4aa700
SHA1c735e28a080ed5cf43b9e8d81e59cc5a85efdd3d
SHA256896a6886273723618b7165fb8d2aa7b506c7d6c9468ccd86a3f3827e4a2e1511
SHA51294591c2cadabbadf770faef3ef32f7abce29d3dd5702cefb2881b642175f76a4a953f89b98c0da3fc24f981fc77431471c88d108607f83f182ca3f698ffd6f9c
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/1576-62-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1576-61-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1604-58-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB