Malware Analysis Report

2024-09-09 16:47

Sample ID 240614-n1lmwszbmc
Target a98859d971689a430c0a1b80bac601ec_JaffaCakes118
SHA256 53606c2b601c5ccd9e48acfd2c3d9efe1067a0e332ce164deda39331a89bab4d
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53606c2b601c5ccd9e48acfd2c3d9efe1067a0e332ce164deda39331a89bab4d

Threat Level: Known bad

The file a98859d971689a430c0a1b80bac601ec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 11:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 11:51

Reported

2024-06-14 11:54

Platform

win7-20240611-en

Max time kernel

132s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px201E.tmp C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424527782" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EBCA651-2A44-11EF-BCC0-5E4DB530A215} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 2944 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 2944 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 2944 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 2432 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2432 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2432 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2432 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2944 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Windows\SysWOW64\WerFault.exe
PID 2700 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3040 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe"

C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 204

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2944-0-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2944-1-0x0000000010000000-0x000000001003D000-memory.dmp

\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2944-5-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2432-31-0x0000000000240000-0x000000000024F000-memory.dmp

memory/2432-30-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2700-38-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2700-40-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab35F1.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar36B4.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fa5ce7119f3c2231590dcab84c2d42c
SHA1 4911e6861845de7e3086d58787bbfa3c565ff579
SHA256 c71020f3de5a051e965805efcd74713561da8582ea657f7a9e4975d4e20c2e90
SHA512 53a8ec04b502fc75e0b9e4c7e8e2f046f38937f9d57b9024ffd40dc0e1d74f7a4fc71a0d8ecad4f4d9fceb91eeb6d1d2610fb5468fb36ce40321f23d521268a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c1fc9b9220c62844747670551aa286d
SHA1 78581496d91b0ce4daf22c1b2e5fd19b8e60ac11
SHA256 05ba6ccbf7fb56c7501632946e6ab902921003a8859e297ed384d9fbb9e6f68f
SHA512 a80c9aae1a6f1ff710afbf97bb458c7396201650b45b7348b88b44e607d0d4064a2d0887e7197866d4555266a26a49edd30e96c310c5826d155c38b7d4f224e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a43a83c26be0905c80ca12951c6e3226
SHA1 725dcccdcf91231f1a1b21f40f02689dd23b8f36
SHA256 d85b50879255c7e959a2916b36b564b0fda98a6856317286ab46ca74bcd46973
SHA512 63174b820c0e7d1a1f5f2dc15866b6d886f77176f449478be7ed2cbe33e88a95104125fdd0ea752b6c292729c3766fe119e0c5d291028b9c580256a87a531fac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e95892599ab129dd5be38db943981ba
SHA1 0918dbce857958bc6524583f617d0873b8b76038
SHA256 687fe04f8c16dacb0021cf25f54eeb486cff3b0fb866def688f710196c058278
SHA512 1c01cd40e5c09c485c87be9c4b13e1bd9df7aee9aa8fa83845b198b773bc8848076bee3bb3c93694cbafa0c28782f8ba3998e89c46fd6dbe2ee58e26306cb3e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f1237a86486a179f864a95ecdd016d4
SHA1 a3db59c37fcd00f1b885d0d3900bd4a71355fd34
SHA256 a78588efe36045af41fac006fcdd5beb5de74235a6f314a6873d6202e1bf3e4b
SHA512 413f716e80fd971c76e8c59eb5301e8a6addab6c0630109a917b4ef98eb9536836022439592d06af9a0cc45152d6806b8598c7ef7392f17dfaf9aa2ede3b46cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 622ffe1d63cd1a0b451ef8b1f9758ca6
SHA1 e807ac5292ad744486141c2996cccb49f625e3fc
SHA256 7488f018c513afaf6018b0b618aac1d0343db361e57463d41906ca8ecb39684a
SHA512 b0edfd6fcc4ab1e9bca907738f676d1cf422c4941782804a4c0f7aafc307ccf571163f40449a64cfffbc9592ea35217c856602b52740a03fb8ec8c0db3de7e13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0866a18d3fd7876ac3e3d8bd78a03e9b
SHA1 0449cb055062856477f3550f290cc32d3f84afe0
SHA256 fa44571d4beb2268ff65c3a4a66e86166394742563711362538eafdf7e967f40
SHA512 b7c933c88e9211a1c70173e7b19f63fa2ad159759e8cfa2a57f2f441f4cd1a88eb6b9ecd51b647632d61a5fb1bbe5471f63d1ca5f249256bed9bf18408e793d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4313ac42f2fecab691347bd599a31c5
SHA1 29bb7898c8303f44ff3c31d2494cfb5becda4204
SHA256 d2af2a0f206b0df8d4ba74841058b5c554125ad26560f8fae0dcd23f3d5ef24a
SHA512 d1bf39817e69efb3fb821cbb4697df51e5638bb8b39be1b1b7a0853126dd5c83550ec6775814e73ada633359883ba8b5fe39d354e203d82c9fe89fc6d0184525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99546a1e0cfbeb9f8cb24d6ce69fe356
SHA1 9adcec0989628e6b2a11b5b359236f728593a7ae
SHA256 57e60c5063c294621b73a909fae0325999813de246b5c27d15a3355edb40424b
SHA512 fc8cce545924ac2c299fbe3094bad362ea10f0fd442fd8adee4bb5f8f81bd4c0c6374f2e9f61798ff5e230bf221463c7aac3f8471442f094b9adc832e0ed65c9

memory/2944-421-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2944-422-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac5209ae3546cafe00524886ad86fde9
SHA1 e9df96a709ffc386803f6bf8d3ae96d54f6acdd2
SHA256 5761733a7db34e5a124d56f007eb640b5e72a695821480855dc895f4c4e0af4b
SHA512 0e6966117771d04cbc80fa69ccfe3c9d6567e336c59f0c8b36beba4e0bd459cdd2d198cba21266c19ad6be509047b576acfde7aa0d99cd76e00b268af5b52467

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c6de2ba86fa0224342f3e7d9df61ad4
SHA1 d0fb2df9329103f6ccfb5b57b5e266045c6f385e
SHA256 1878a0d77b526d784796058c5be823e3384fc31da194afa81dc85cf5da1b5405
SHA512 a06bb6ddab796e0248f0f0f912b65c9e4f7384aebb15c12c27f2ebfb17dccd8aeeab578baad3548c6065f441fda01816e90b2d28749de2726509e460d1ebbeff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47a3924f25659ac6e3693fac46df0f1a
SHA1 0688d9a681313ec2756d05b5cab908439c43b256
SHA256 80592a43a90512d804b957434f5d0dba4336b449b4446fb7e8a8174366514284
SHA512 006502af800519cc845bbe5facaf46cb7986399de7ffed89dcb8ec11979e2e98991d1fb9a6891866dcd25e0617636d34b8af4f36e1ebfe0185ca1cf7aca9d6dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6b2e8a2622d97543b6915922e1dc39e
SHA1 12af0ee17ecf1f733b6275797db2e984e909713f
SHA256 f89c945b3ca467c9d97958ed061244220104aa08a999a4e123f91a6e6973042a
SHA512 a5288667e0277aeecac2fbfa8b0172341bda4e48752cbecbb49918a67df5fd3320e0b5cf58b6c9bc5c188bb12e95e4d0a8833a2615cf8dbe6e0e5adda407771e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46e7b758ae7ecbd6095f4b215b47dda4
SHA1 2b910ce0f67aeb71d4a79cc9f064b80abc8e30ee
SHA256 fa7c50ca96480fcccb5701833a4efa72e0a38c0a9e3abcd70f53f9165e19a592
SHA512 4d5d4816c01efdd6931dd9894b41a01a5be075ee658123b775afd145fbbeea2d41cf3fbc7533323ac96bca1ce3adb9409b34031cf4bb381619eb9f2a9adf29c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb334c5a21e367bd159e037f6af1516d
SHA1 7fac117ff7474ae921bf897f20ec92b8c2fa7314
SHA256 2bd36b6b4dbc9413c46c0a13b585cc969238aab768da42d603adddae6dc77037
SHA512 32dfa061b35cd313c20f9e9095dcac9c8078db53afa5fe2158ad31c505008952ba276aa0e248bcfb3bf2974699ad09ad932d8af73fda0b338b34bf7b85f92263

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9abce3947430e3a7390c700a4b21a206
SHA1 429b98582ea2d1b6c137d6235903009814dcbe98
SHA256 25f76b9fec08150fcbb9d0f9e3f16c897ff3f159c6ff827b53427d3743203461
SHA512 df5ae7585e269fa2af12313b7be64913200fcfcdc9056532b10ba9ddd8b286d7a9a1bd7ac930a1313e9f195217e5b121b008d2be262b094aadc3219714f91535

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c2795ae742c5933391b34e10efe3b4a
SHA1 8742870f69ba2a0745cd4a6a7126ad46f5f2d1ea
SHA256 056b82c7b7e8e1d242c99e5cc6aa4be4b3deeda6ee648046eaa4d44b28b4687c
SHA512 ff7a02605db310378d9934b435fd2ed2786c1f68261e5a5b97578f5c8f1fabf02bd2b6579967cc88c30c4921963da49b43604836636d2968b0d5ce16d20658d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 911e4f3a710a0f85526439b459b81e54
SHA1 325b099ad63d0af8a700739e962842691da2b1a9
SHA256 0307b0120f2b59286a6b24a770ce9ec9906fc39be426d9c3155b4a5a6f0c0c1b
SHA512 ac1cc921745aff3c4ceafa1d0f9e248eb7402c8153315924e20e75ad0cdbc13ed3a6e19b1154f3108240cf1c73f576ef13d9f8272715e75cd5c7ebf1abdbff28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2f1960ade0de0f14bb8066a41d8b592
SHA1 ce2c0bc18023f41a7643299263f560e5cb7184b1
SHA256 d4dafdda753b2995a159d5003628cab34d4878b83c4d58dc074bc1f02f6fc7a2
SHA512 8b875d40d2025e7c9b8b111f74e89b873620a7c8eb46aad18ec0e82db33caf10bc3d6574aa4cba778e6e65480cd1aab798ae321388c50969e4893a0c480d3b9a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 11:51

Reported

2024-06-14 11:54

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px49CA.tmp C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112785" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1394584949" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112785" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1398491296" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425130889" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7EB884E4-2A44-11EF-B1BC-76D7D0441B5E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112785" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1394584949" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 5000 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 5000 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe
PID 1828 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1828 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1828 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3940 wrote to memory of 392 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3940 wrote to memory of 392 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 392 wrote to memory of 1032 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 392 wrote to memory of 1032 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 392 wrote to memory of 1032 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PRO.exe"

C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe

"C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WPE PROSrv.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 52.111.227.13:443 tcp

Files

memory/5000-0-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/5000-1-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1828-27-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3940-36-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3940-33-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3940-32-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3940-31-0x0000000000490000-0x0000000000491000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/5000-37-0x0000000010000000-0x000000001003D000-memory.dmp

memory/5000-38-0x0000000000400000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 11:51

Reported

2024-06-14 11:54

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px252D.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424527804" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7ED77981-2A44-11EF-99EB-F2F7F00EEB0D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 1016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2224 wrote to memory of 1016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2224 wrote to memory of 1016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2224 wrote to memory of 1016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1016 wrote to memory of 2660 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1016 wrote to memory of 2660 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1016 wrote to memory of 2660 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1016 wrote to memory of 2660 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2660 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2736 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2224-1-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2224-2-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2224-4-0x00000000001E0000-0x000000000020E000-memory.dmp

memory/1016-28-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1016-31-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1016-30-0x00000000003D0000-0x00000000003DF000-memory.dmp

memory/2660-39-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2660-42-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2660-41-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 11:51

Reported

2024-06-14 11:54

Platform

win10v2004-20240508-en

Max time kernel

78s

Max time network

87s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px5728.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424527793" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7EC875A3-2A44-11EF-9519-62C35996CAED} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3504 wrote to memory of 1916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3504 wrote to memory of 1916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3504 wrote to memory of 1916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1916 wrote to memory of 4460 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1916 wrote to memory of 4460 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1916 wrote to memory of 4460 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4460 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4460 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1468 wrote to memory of 3964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1468 wrote to memory of 3964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1468 wrote to memory of 3964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\nzhsdsdsdfob_gr\WPE___\WpeSpy.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/3504-1-0x0000000010000000-0x000000001003D000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1916-24-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1916-27-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4460-34-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4460-33-0x0000000000490000-0x0000000000491000-memory.dmp

memory/4460-32-0x0000000000400000-0x000000000042E000-memory.dmp