Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2024, 09:55

General

  • Target

    GongShaFuZhu13/【x1】攻沙辅助/xgs/RegDll.dll

  • Size

    84KB

  • MD5

    a2d61eff3148f2c70404927c0146306e

  • SHA1

    cd9f8247d726a9b437a49a5824dbad9b1a6928a7

  • SHA256

    7f5183494801b0b4314fe387589b7d5d41e03025dff3dde70f7c7e09723ef5c1

  • SHA512

    d2eff12a8baa1911ec2f28c43243afb7fcbbe3e6cdeb799364db95089fd370dc8f30b49c7ea3eb81ae4b846e29860428a84c96497ecdb1f5f928200605fc5e00

  • SSDEEP

    1536:I2FWCT03n3KYFcZvi5/0LI6LdEavoWZpEkt/Edm50E:lFWCT03n3KyyqmJFbpEOE0C

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\RegDll.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\RegDll.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2044
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2576
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2920
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2516
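The process tree above shows the chain a detection engineer would want to catch: a 64-bit regsvr32.exe hands the DLL to the 32-bit SysWOW64 regsvr32.exe (normal), which then launches a dropped regsvr32Srv.exe from its own directory, and DesktopLayer.exe runs from "C:\Program Files (x86)\Microsoft". The following is an added example, not code from the sandbox or from this sample: it runs three rules over constructed Sysmon-style process-creation events built from the report's PIDs and image paths. The explorer.exe root, its PID 1000, the benign regsvr32 control event, and DesktopLayer.exe having regsvr32Srv.exe as its parent (the report lists it without a parent) are assumptions.

```python
"""Detection logic for the regsvr32 -> regsvr32Srv.exe -> DesktopLayer.exe chain.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; parent links not shown in the report are assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


DLL = (r"C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13"
       r"\【x1】攻沙辅助\xgs\RegDll.dll")

# Constructed events. PIDs 2004/3048/2044/2516 and the image paths come from the
# report; explorer.exe (PID 1000), the parent of DesktopLayer.exe and the benign
# regsvr32 registration (PID 4100) are assumed for illustration.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2004, 1000, r"C:\Windows\system32\regsvr32.exe", f"regsvr32 /s {DLL}"),
    ProcEvent(3048, 2004, r"C:\Windows\SysWOW64\regsvr32.exe", f"/s {DLL}"),
    ProcEvent(2044, 3048, r"C:\Windows\SysWOW64\regsvr32Srv.exe",
              r"C:\Windows\SysWOW64\regsvr32Srv.exe"),
    ProcEvent(2516, 2044, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    # Assumed benign control: regsvr32 registering a system DLL, no children.
    ProcEvent(4100, 1000, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\system32\msxml3.dll"),
]


def _base(path: str) -> str:
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def srv_sibling_drop(child: ProcEvent, parent: ProcEvent) -> bool:
    """Child image is '<parent stem>Srv.exe' in the parent's own directory
    (the regsvr32.exe -> regsvr32Srv.exe pattern in the report)."""
    stem, _ = ntpath.splitext(_base(parent.image))
    return (_base(child.image) == f"{stem}srv.exe"
            and _dir(child.image) == _dir(parent.image))


def desktoplayer_launch(ev: ProcEvent) -> bool:
    """DesktopLayer.exe executing from Program Files (x86)\\Microsoft."""
    return ev.image.lower().endswith(r"\program files (x86)\microsoft\desktoplayer.exe")


def regsvr32_spawns_foreign_exe(child: ProcEvent, parent: ProcEvent) -> bool:
    """regsvr32.exe creating a child other than regsvr32.exe itself
    (the 64-bit to SysWOW64 regsvr32 hand-off is normal and is excluded)."""
    c = _base(child.image)
    return (_base(parent.image) == "regsvr32.exe"
            and c != "regsvr32.exe" and c.endswith(".exe"))


def detect(events):
    """Return (pid, rule_name) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if desktoplayer_launch(ev):
            findings.append((ev.pid, "desktoplayer_launch"))
        if parent is not None:
            if srv_sibling_drop(ev, parent):
                findings.append((ev.pid, "srv_sibling_drop"))
            if regsvr32_spawns_foreign_exe(ev, parent):
                findings.append((ev.pid, "regsvr32_spawns_foreign_exe"))
    return findings


def ancestry(events, pid: int):
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid} chain={' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The sibling-drop rule keys on the parent's own image stem rather than a fixed string, so it also covers a host other than regsvr32.exe being infected; the control event (a lone regsvr32 registration) produces no finding, which is the false-positive check to keep when tuning.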

Network

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          64ed7951d2c255471b578aabbbdce08a

          SHA1

          bcc008f6649c723a6a1bc0a471a31c2cfac7ee14

          SHA256

          9d805a094a5ec2ae1b5e9e4196cacdb7957c65f7d2a91c086882e84ab4da379a

          SHA512

          680e8936be7302fe257d5df3f4f82e7e86561313bc53834c5e73b8741d0b509c922157c22d9eb884fd4bcb09e75b6056e800964e0c07ace3c44e6e7a1fafb60e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          cd668aac2d3575d13387853d811624e9

          SHA1

          89bd64ce02ef78f45f5068d42d8fa0e3f6239011

          SHA256

          ddd50ce6d0869c2dd0661719ffc09d6692122dc3fa4e2be802356db021b75d5f

          SHA512

          c936354234ea38d60b783fa58557b3bb5db16891257ec36b39fa9e8deef9707bada47a3b19897dada9a6560acaeb4d944da97c88132c20deae4df8953ae117a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          7a994a77e4295157344c8a96b49fb702

          SHA1

          f4ff49a8eb7abea0850143bc5d10f4db4c220a7c

          SHA256

          38290ac2807bdd5e16efe8d794e88a8bf811dfc0b1b6a26d93b39a73bddcc548

          SHA512

          28238ef074c5f405bad84d53d381324b94593521d32b55dff1f3689f0818fce793b90a9b7dcbfd7988b10914eac79b47743f05137fbe88c2f189a24fbeb06ddd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          3be53307867b8428dc487cbca920cdb8

          SHA1

          9b498b5b9ed3fa4271d78ba396bcee850f52169d

          SHA256

          a4ba765d464bee0417fc708fe5a284fe00a20163537ae68ae1870b0ec142880c

          SHA512

          8b99a7eaffb90ebf79d8e015014fa10bff9cad0b4151b0e22878d062cafdec2e44d5d1b05106b9261b5440434748d1d9afa8e565d11924370bf3ca969c4b9899

        • memory/2044-9-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2044-18-0x00000000003D0000-0x00000000003FE000-memory.dmp

          Filesize

          184KB

        • memory/2044-10-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/2516-17-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/2516-19-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3048-3-0x0000000000130000-0x000000000015E000-memory.dmp

          Filesize

          184KB

        • memory/3048-2-0x0000000010000000-0x0000000010016000-memory.dmp

          Filesize

          88KB