Analysis

  • max time kernel: 121s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20240215-en
  • resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-06-2024 02:36

General

  • Target: bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll
  • Size: 719KB
  • MD5: bcbf9d2fc64727580c2f6b88f965b980
  • SHA1: 381e0beb7ec08a8be2ce29c5c34825ab7cac0345
  • SHA256: bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572
  • SHA512: b61458a57d3d911b47fa00812602c91c1bcf1f8559d7c36ac1a440ca5f651a1f315e9aaea3d01316a5566c60d826afbcf03b91ff86480538ceb585b4cdfd1287
  • SSDEEP: 12288:Fd4V2aZv2JArDRsYoQyErEjWiB26w8CXlYiCDXfL10u5Tu0X:Fd4rZiwDRsYP7rECiBrwllYTDjuu5y0

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • UPX dump on OEP (original entry point) 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 224
        • Program crash
        PID:2900

Network

MITRE ATT&CK Enterprise v15


Downloads


  • memory/2764-20-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2764-16-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2764-18-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
  • memory/2764-21-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2944-497-0x0000000000180000-0x00000000001AE000-memory.dmp (Filesize 184KB)
  • memory/2944-496-0x0000000010000000-0x00000000100BA000-memory.dmp (Filesize 744KB)
  • memory/2944-5-0x0000000000180000-0x00000000001AE000-memory.dmp (Filesize 184KB)
  • memory/2944-2-0x0000000010000000-0x00000000100BA000-memory.dmp (Filesize 744KB)
  • memory/2976-8-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2976-9-0x00000000001C0000-0x00000000001CF000-memory.dmp (Filesize 60KB)