Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-02-2024 10:35

General

  • Target

    a6243d6db924f3a1b34cafc3b9bc5163.exe

  • Size

    99KB

  • MD5

    a6243d6db924f3a1b34cafc3b9bc5163

  • SHA1

    5b4e9109876c1129813f52365344ca54dc77a3aa

  • SHA256

    c88a8f4362929f801e4de2e9a056c0d81f09bd4545217be34786783f8316f28c

  • SHA512

    8abfe25c4c761b096f5f4f4697331284fa2c4aca40330831a5c43498c467955ee7f8e8b15b5bfbf73ed0b3ab70fe571d464ef4e659ced2229d891cedddc7fcd9

  • SSDEEP

    3072:TCuvo0N7CdRp1wHa8tORcXChoqGVk8jwaaHw7Koj4rDM+l7:OuvZgnp1A9WcXuDR

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6243d6db924f3a1b34cafc3b9bc5163.exe
    "C:\Users\Admin\AppData\Local\Temp\a6243d6db924f3a1b34cafc3b9bc5163.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:5048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 208
          3⤵
          • Program crash
          PID:556
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4520 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:936
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4520 CREDAT:82950 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1348
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:3224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 204
            3⤵
            • Program crash
            PID:1608
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:676
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            3⤵
            • Modifies Internet Explorer settings
            PID:2368
        • C:\Users\Admin\AppData\Local\Temp\tdahvpucvygixogg.exe
          "C:\Users\Admin\AppData\Local\Temp\tdahvpucvygixogg.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
        1⤵
          PID:744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3224 -ip 3224
          1⤵
            PID:2444

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Defense Evasion

          Modify Registry

          1
          T1112

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CH7VV9L3\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Users\Admin\AppData\Local\Temp\tdahvpucvygixogg.exe
            Filesize

            99KB

            MD5

            a6243d6db924f3a1b34cafc3b9bc5163

            SHA1

            5b4e9109876c1129813f52365344ca54dc77a3aa

            SHA256

            c88a8f4362929f801e4de2e9a056c0d81f09bd4545217be34786783f8316f28c

            SHA512

            8abfe25c4c761b096f5f4f4697331284fa2c4aca40330831a5c43498c467955ee7f8e8b15b5bfbf73ed0b3ab70fe571d464ef4e659ced2229d891cedddc7fcd9

          • memory/2996-41-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/2996-39-0x00000000004A0000-0x00000000004A2000-memory.dmp
            Filesize

            8KB

          • memory/2996-37-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/2996-36-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-7-0x00000000004F0000-0x00000000004F2000-memory.dmp
            Filesize

            8KB

          • memory/3088-19-0x0000000077852000-0x0000000077853000-memory.dmp
            Filesize

            4KB

          • memory/3088-1-0x0000000000432000-0x000000000043B000-memory.dmp
            Filesize

            36KB

          • memory/3088-2-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-12-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-16-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-18-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-6-0x00000000006F0000-0x00000000006F1000-memory.dmp
            Filesize

            4KB

          • memory/3088-8-0x0000000077852000-0x0000000077853000-memory.dmp
            Filesize

            4KB

          • memory/3088-0-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/3088-5-0x00000000006E0000-0x00000000006E1000-memory.dmp
            Filesize

            4KB

          • memory/3088-3-0x0000000000400000-0x000000000043A578-memory.dmp
            Filesize

            233KB

          • memory/5048-11-0x00000000001F0000-0x00000000001F1000-memory.dmp
            Filesize

            4KB

          • memory/5048-10-0x0000000000490000-0x0000000000491000-memory.dmp
            Filesize

            4KB