Analysis

  • max time kernel
    119s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2024 04:13

General

  • Target

    39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe

  • Size

    103KB

  • MD5

    1bc429b6743105b5951d3bd01e4ff245

  • SHA1

    fd773e9f1c5d3ba3ea268fd1bf5ac9759a24ed23

  • SHA256

    39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3

  • SHA512

    80ba790914500f6d327cac05c9e61214a2912424e136949947a7cd67797af94abe0a0ea2702d9f3561a93d15cd6bb16b3277a991551aa0a6ec336f39be1d4a6b

  • SSDEEP

    1536:o+lAvqY9shtgw+RDj0fnHkucCP8DB59ROSqZ+FH5LTMrZd7+SY6S46:NwqPgwoDj0ES0l5lW+FH5/M1d7+M1

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file (4 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Drops file in Program Files directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 28 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe
    "C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
      C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:280
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\Local\Temp\CabD9AF.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarDA7D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/280-10-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

  • memory/280-9-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1952-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1952-18-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1952-17-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2556-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/2556-8-0x0000000000260000-0x000000000028E000-memory.dmp

    Filesize

    184KB

  • memory/2556-21-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/2556-22-0x0000000000260000-0x000000000028E000-memory.dmp

    Filesize

    184KB