Analysis Overview
SHA256
8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9
Threat Level: Known bad
The file 8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9 was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Ramnit
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 07:16
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 07:16
Reported
2024-11-17 07:19
Platform
win7-20241023-en
Max time kernel
140s
Max time network
128s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxC1E8.tmp | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED05AC81-A4B3-11EF-9841-C6E03328980A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437989683" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe
"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 07:16
Reported
2024-11-17 07:19
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
142s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxC747.tmp | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3257326485" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438592791" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EDBD5134-A4B3-11EF-B9D5-FA9F886F8D04} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3262639297" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3257326485" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144128" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144128" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144128" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe
"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4588 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |