Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    10/01/2024, 09:55

General

  • Target

    GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll

  • Size

    906KB

  • MD5

    faf2c7db70ec0fe4596c0395e5eb228f

  • SHA1

    bcc89bff37ac8eccd85162c44c0477f412f2c616

  • SHA256

    d003f814a6828ee02a26049407d38785262e969faeb00b6bc3179ed4fec061ae

  • SHA512

    1b0ee5731f1726cce2047800e8c8adcc725f92b3c94b0e56e9cc2d33f64e3f9e1a0356558e97b8ed80ca40ba068dc07b70f4df46f6dc62729428d05e8725828a

  • SSDEEP

    24576:DWQBeP+QrqH2zKBd3G0Ypdrcc2iIZl2mBVU89XQBpizYho1SH:DWZnGIKb20Ar8iIZfBVdXQBpuYw

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2448
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2696
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2736
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2844

Network


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          8274c5eb25a9cc6a20cea81c78e97e2b

          SHA1

          21dcca6f4abff83f6000252b93f5dcf853ab3b35

          SHA256

          4db6c6ecae01e34dc2e7596886175025c10374fc458be515fe60bd227b3b4130

          SHA512

          be7305a865e40746e4a3d75aac68f418a4b5b4387e304b698c4499cb068e2ba32557aa63646f05c53ff42b08284940701ba64d18254026c8bdc7a0f52a24e392

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          9307e3f98762c02f00968d33e2550311

          SHA1

          0b2a40b37d2a71254a829ce7523c045cee21fc82

          SHA256

          0a10d7889e3db5b1e5c840fdd8c86bce900d48203d6721418607e25202040294

          SHA512

          e40dbedba1f262af189901b609b4b794bf705382cc6fac84be86fc7fd2cddbddc48cc88194acdc90691db8a3beae8efecb6ced57bae3a42929a093b123fb5f6a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b1a05930da3151598614a8bcc176adcc

          SHA1

          57f42bcedb0e7ccad47903649d7538441fb9422e

          SHA256

          870ea814e3cb4856779b576e5639a261ce273b15923e41d1ae134024b0dcc740

          SHA512

          4c5097be4700a3db20d66165116d5038c0ec3bd9a4fc39f4374b97fe0dc04e79880aa8b931e11a36941db46d22231d72c67e1d53d1be4000b18d5872ccdf5c62

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          68f595337e709ef07600781b33a1856b

          SHA1

          728d4dcf5f9a9e23317fac63e7a7587d94744930

          SHA256

          d0f33a3398b15c96b671354a6486563f134752fbd0343eadf4713e33a54830b1

          SHA512

          074ca40388e66d67e7344a67a860eddb96719023aa1bf7f5923f9f89cf108a34c9e9031587719f551678410eabd87fd80ad57893a01f55b172a677fc40f72ebf

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          ce201dbe184b38897aba7d41b0475e47

          SHA1

          5381264d9c5094e7dae33aa940cc42807c8a1340

          SHA256

          3199870ff3ac4c07c189d123d867392a9137b3ce87d2ceb37ed6d0490c37e655

          SHA512

          e37225706297a8ebf72eaa96fc77dae66776b764d8786de701877c11d32ccf06fa1f7fb4aa7f70e3e81f0613ff610a77f913228ba04b39844c3f2beb50f1d803

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          4ab867b15a72ec2bc8c101b31e28d751

          SHA1

          6ab2476aeb3943ccd68e259f8e4cd219ff87bf29

          SHA256

          d7bb35e4866c6c27d5989a9eedf300b0dd1228c5178a3fabea99a942db81c6d4

          SHA512

          e80fcb8986616a7b4b6a197db82eccf0b3b9df12a7019fd2be8538782b687d8cf77744504160a2ee01e881b0a084148e8c6868a7d7d2fe272edbd74d820f10b6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          e3f80d0a250af6b9ff8b8664abaee5b5

          SHA1

          7face469e59fb9cd57d7e8b8bf315f66267c70ce

          SHA256

          a1c994805d8f8012017939d7b90e1042237193e26bca2676929a5eaaac01607b

          SHA512

          170d58d94c8e53406a21740f77deb5f1ce7a4cc824e071539ff3d2714859e3a64dec1b755403c2def8136d14227b99980d331de04f95977b23317e5fefd5ecd6

        • C:\Users\Admin\AppData\Local\Temp\Cab7551.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Windows\SysWOW64\regsvr32Srv.exe

          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

        • memory/2448-7-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2448-9-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2448-16-0x00000000003D0000-0x00000000003FE000-memory.dmp

          Filesize

          184KB

        • memory/2448-11-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/2768-0-0x0000000010000000-0x0000000010194000-memory.dmp

          Filesize

          1.6MB

        • memory/2768-3-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2844-450-0x0000000000230000-0x000000000023F000-memory.dmp

          Filesize

          60KB

        • memory/2844-19-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

        • memory/2844-20-0x0000000000230000-0x000000000023F000-memory.dmp

          Filesize

          60KB

        • memory/2844-21-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB