Analysis
max time kernel: 138s
max time network: 132s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 10:54
Behavioral task: behavioral1
Sample: f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3.dll
Resource: win7-20240903-en
General
Target: f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3.dll
Size: 153KB
MD5: 707774c51185e6c76b8594fc4db4e435
SHA1: 511f24048f0efa9e8eabc147489d90345bca40d9
SHA256: f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3
SHA512: 6de969b35f57c49809068e75b693088ceeaa2ef6c68f1d85e20ac21e96be040141453c2ef0b1cf3210fa151bf34d689a67601ff2aace39256dfba13b3a318132
SSDEEP: 3072:oAy8YnjbmrBByW8rKui6f3SchqtQX0ES0l5lW+FH5/M1d7+M1:xy8y1WUqchcM0mHq
Malware Config
Signatures
Ramnit family
Executes dropped EXE (2 IoCs)
  PID   Process
  1932  rundll32Srv.exe
  2388  DesktopLayer.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  2988  rundll32.exe
  1932  rundll32Srv.exe
Drops file in System32 directory (1 IoC)
  Description   IoC                                   Process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe   rundll32.exe
YARA rule matches: upx (11 IoCs)
The rule fires on the dropped file on disk and on memory regions of all three non-browser processes in the chain; the regions are PE image ranges (0x10000000 is the DLL loaded into rundll32.exe, 0x400000 the image base of the two dropped executables), so the packer is present in the dropped binaries, not only in the sample.
  Resource                                                                     yara_rule
  behavioral1/files/0x000f000000012245-2.dat                                   upx
  behavioral1/memory/2988-0-0x0000000010000000-0x0000000010083000-memory.dmp   upx
  behavioral1/memory/1932-12-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1932-8-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  behavioral1/memory/2988-7-0x0000000010000000-0x0000000010083000-memory.dmp   upx
  behavioral1/memory/2988-6-0x0000000010000000-0x0000000010083000-memory.dmp   upx
  behavioral1/memory/1932-16-0x0000000000240000-0x000000000026E000-memory.dmp  upx
  behavioral1/memory/2388-24-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2388-22-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2388-21-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2388-26-0x0000000000400000-0x000000000042E000-memory.dmp  upx
Drops file in Program Files directory (3 IoCs)
  Description                   IoC                                              Process
  File opened for modification  C:\Program Files (x86)\Microsoft\pxB1D2.tmp      rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  rundll32Srv.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32Srv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Note that the legitimate IEXPLORE.EXE process opens the same key, so this signature is weak on its own; it is the combination with the dropped executables that matters.
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer, abbreviated to IE\ here. Every entry is written by the two browser processes, not by rundll32Srv.exe or DesktopLayer.exe, and the keys are the ones Internet Explorer creates for itself when launched on a fresh profile; the signature records that the dropped executable started IE, not that browser settings were tampered with.
  - Key created: IE\LowRegistry (iexplore.exe)
  - Key created: IE\Toolbar (iexplore.exe)
  - Key created: IE\IntelliForms (iexplore.exe)
  - Set value (str): IE\Main\FullScreen = "no" (iexplore.exe)
  - Set value (int): IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  - Key created: IE\Recovery\AdminActive (iexplore.exe)
  - Set value (int): IE\SearchScopes\DownloadRetries = "2" (iexplore.exe)
  - Key created: IE\IETld\LowMic (iexplore.exe)
  - Key created: IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Key created: IE\Toolbar\WebBrowser (iexplore.exe)
  - Set value (str): IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created: IE\Main\WindowsSearch (iexplore.exe)
  - Set value (int): IE\DomainSuggestion\NextUpdateDate = "438002759" (iexplore.exe)
  - Key created: IE\Main (iexplore.exe)
  - Key created: IE\PageSetup (iexplore.exe)
  - Set value (int): IE\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (int): IE\Recovery\AdminActive\{5CAF8971-A4D2-11EF-82CE-E62D5E492327} = "0" (iexplore.exe)
  - Key created: IE\SearchScopes (iexplore.exe)
  - Key created: IE\GPU (iexplore.exe)
  - Key created: IE\InternetRegistry (iexplore.exe)
  - Key created: IE\LowRegistry\DOMStorage (iexplore.exe)
  - Set value (data): IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: IE\Main (IEXPLORE.EXE)
  - Key created: IE\Recovery\PendingRecovery (iexplore.exe)
  - Key created: IE\BrowserEmulation\LowMic (iexplore.exe)
  - Key created: IE\Zoom (iexplore.exe)
  - Set value (int): IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: IE\DomainSuggestion (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  2388  DesktopLayer.exe (4 hits)
Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  1528  iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID   Process
  1528  iexplore.exe (2 hits)
  3068  IEXPLORE.EXE (4 hits)
Suspicious use of WriteProcessMemory (23 IoCs)
  Writer PID  Writer process    Target PID  Target process    procid_target  Hits
  2948        rundll32.exe      2988        rundll32.exe      30             7
  2988        rundll32.exe      1932        rundll32Srv.exe   31             4
  1932        rundll32Srv.exe   2388        DesktopLayer.exe  32             4
  2388        DesktopLayer.exe  1528        iexplore.exe      33             4
  1528        iexplore.exe      3068        IEXPLORE.EXE      34             4
Each write targets the writer's own newly created child (the target PID is the next process in the tree), which is consistent with ordinary process creation rather than injection into an unrelated process. What this signature contributes is the parent-child chain it records, not the API call itself.
Processes
The 64-bit rundll32.exe (PID 2948) re-launches itself from SysWOW64 (PID 2988), which is what happens when the DLL it is asked to load is 32-bit; PID 2988 is the process that loads the sample by ordinal (,#1) and drops rundll32Srv.exe.
- C:\Windows\system32\rundll32.exe (PID 2948)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2988)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32Srv.exe (PID 1932)
      Command line: C:\Windows\SysWOW64\rundll32Srv.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2388)
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 1528)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3068)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
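The process tree above is the most reusable part of this report for detection: rundll32.exe loading a DLL from the user's Temp directory by ordinal, then rundll32.exe spawning rundll32Srv.exe, DesktopLayer.exe and finally Internet Explorer. The script below is an added example, not part of the sandbox report, that runs two hunts over constructed process-creation events built from the PIDs, image paths and command lines shown in the tree. The root process (PID 1000, an assumed explorer.exe) and the benign explorer-launched iexplore.exe (PID 4001) are assumptions added so the detector has an ancestry root and a control case; the chain match tolerates the extra 64-bit to SysWOW64 rundll32 hop.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields Sysmon event 1 or EDR telemetry provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\f9a7463309aa2fc7c54bd24872563ac3f3ad1b06f38d534b630fa5c1a06916b3.dll"

# Constructed events: PIDs, images and command lines come from the report's process tree.
# PID 1000 (assumed explorer.exe root) and PID 4001 (benign IE launch) are added assumptions.
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2948, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2988, 2948, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1932, 2988, r"C:\Windows\SysWOW64\rundll32Srv.exe", r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    ProcEvent(2388, 1932, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    ProcEvent(1528, 2388, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(3068, 1528, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2'),
    # Control case: the user opens IE from the shell; must not match the chain.
    ProcEvent(4001, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

# The chain the report shows, as lower-case image basenames, oldest ancestor first.
RAMNIT_CHAIN = ["rundll32.exe", "rundll32srv.exe", "desktoplayer.exe", "iexplore.exe"]

# rundll32 invoked as "<path>.dll,#<ordinal>" (optionally quoted path); case-insensitive.
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*#(?P<ordinal>\d+)', re.I)


def lineage(events, pid):
    """Image basenames from the oldest known ancestor down to pid (inclusive); [] if pid is unknown."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid].image).lower())
        pid = by_pid[pid].ppid
    return names[::-1]


def is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in order, gaps allowed."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def detect_chain(events, chain):
    """PIDs whose ancestry contains `chain` in order; extra hops (the 64-bit rundll32
    re-launching itself under SysWOW64, the IE broker spawning its content process) are allowed."""
    return {e.pid for e in events if is_subsequence(chain, lineage(events, e.pid))}


def rundll32_loads_temp_dll_by_ordinal(ev):
    """Generic hunt: rundll32.exe loading a DLL that lives under AppData\\Local\\Temp by ordinal."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return False
    m = ORDINAL_RE.search(ev.cmdline)
    return bool(m) and "\\appdata\\local\\temp\\" in m.group("dll").lower()


def report(events):
    """Hunting summary: completed chain hits plus every rundll32 Temp-DLL-by-ordinal launch."""
    findings = []
    for pid in sorted(detect_chain(events, RAMNIT_CHAIN)):
        findings.append(f"pid {pid}: ancestry {' -> '.join(lineage(events, pid))}")
    for e in events:
        if rundll32_loads_temp_dll_by_ordinal(e):
            findings.append(f"pid {e.pid}: rundll32 loading Temp DLL by ordinal: {e.cmdline}")
    return findings


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

On the constructed events the chain rule fires on PIDs 1528 and 3068 (the first processes at which the full chain is present in the ancestry) and not on the explorer-launched PID 4001; the ordinal rule fires on both rundll32 instances, 2948 and 2988. The chain rule is specific to the file names this sample uses, so treat it as an IOC match; the ordinal rule is the one worth keeping as a standing hunt, with the Temp-path condition there to keep it quiet on legitimate rundll32 use.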
Network
MITRE ATT&CK Enterprise v15
The only technique this report maps is System Location Discovery: System Language Discovery (Discovery), from the NLS\Language key reads listed under Signatures.
Downloads
The same CryptnetUrlCache metadata file was captured twelve times, once per version the sandbox saw, so the path and size repeat and only the hashes differ. This directory is the CryptoAPI URL cache that the browser's certificate checks write to; these entries are a side effect of launching Internet Explorer and are not attacker-controlled content.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 878da608bec005ac938f22514dbd7300
  SHA1: 1cc2254046ab2118e0801b57d14329ac02c15937
  SHA256: 6495d7f95ba5066499a11142a218501ad3f0886d9a31bc0060508096c0369822
  SHA512: dfd2f76c3f8f9a7356d9f58e92273c5a760075cc9d359c1746aff8ab13b39ec576e43711322ff6e68cd0c12d82464d8664eefe2da9e0bb89f6e317bddb5876fd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 6ff1e333668ca89695bb0841793358f9
  SHA1: b38199fae9989d4418c2ddd73c6c80cd10a0ec47
  SHA256: 8b2bfe956a9ec4124805679ead413ae8990d5994195b88adf4d03142226288c9
  SHA512: a83dd865d73d6ddd9a0d0f9d67e7c0fb9fac94d4528a2c2e15cf4375c2c2f66cc129564408ba9cb4b1f47318609d799109153a1595bdeb88cbe847bf0679cd31
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 1902f86eb9e5757358e4427044a152ea
  SHA1: e6d7fdadd2076f5e20995c4bb91ab2eb409e8f0f
  SHA256: 35e394cd33e1169e5efdbcbcbc08cd1d1e8b7b17f2e55629d44d32faca59aa21
  SHA512: be0b6b618f351d879157d4e61f810802cff5e2d82a8781c2551660bf9a482e94cfd1541c95d409d25af54b1d9b215e0c0c5220a48e1c9e6960a1acd278c0c515
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: e7567155b6608a404b0d57b463e7b39f
  SHA1: 79ccb29446c40af8942bbb041468fc7c6949df8d
  SHA256: 4c272230ef52f58d09300de0e7d9b11dd37256e520d3fee4149c248a4479910d
  SHA512: ceda7057d6d9c331b6a6c95e17f425c7616734322ee9628d0579d643fe3828837a54622785a770692c313daefb242626e76393338d9a58f5e9656704e48ea3a2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: ac0ebf6c4a0c0e65d110f79e3a6bf572
  SHA1: 9a13ac104f6e136eebf8fabdc365632345e025bb
  SHA256: a7cc27fcda42103e75172bf2ecd7ac17a351e4398b5abe80edbb382ffac7d5ed
  SHA512: 021b855fc35d6f1527c9c7197c64d149bd8fe4bb4a2c2899959f4b4d2e5e0e01e000a1705bf79639cee70df9f0120258851ff83c433cacbc4f8e7986a1711c87
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: b7b109e9104a90da2144d4e97163eb41
  SHA1: 019f3f39afe8f3f69d7c60bed4303e54abf7808d
  SHA256: e0c29ccf1f1c179b688801f482584259773829d3afde7c3fda265a1055a36326
  SHA512: ee95316fcee3681802b9fbcb8cec2e0defa6bfa72fe7d01646ea43816f1d94e044abca190429e9f664a4060e4cf6c85729ba535b029e0cf313e170016268711b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: cec57cad74a876b042bf7c5fadf9b347
  SHA1: 0b153a9cd348b52c6a044fb149da0c1cc42f3fe2
  SHA256: a7286c25bd3b56232b0af1c2bbce1725f8cc9937694f098d28145a9a4022c9c6
  SHA512: a389c0ccc3372f482268e759e833eae237ae97b8594fd564ffc056d629993eca012019651a993af5b09935d276a79dd6de1477a6363452adae30ed79a7925032
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: a41d316ff8681ba1df2ca9dab93629d7
  SHA1: c5fbb81d5e69fb6ba1846d08d4dd169d313dea03
  SHA256: b40b589efe43a6cc54809057c7219e07f7ec585544fd9f49b59313570a63f05f
  SHA512: cad3e4f6401743039c5e66cff9eb5baf23aad6077e3db2639d6416677e629a077426dad7f4fec0f6926a335f843002852d44b8912ffb36ae3c20fff8bf70deaf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 251ccdf79a17bdb5503e8d6912c25d5a
  SHA1: 77661d35a73f06c08b6284c61016c2ac50539e81
  SHA256: 963bd000fe54d57c4cfb68d98d645c65ec3a4e17a5ed23764e1defa02d36dedd
  SHA512: b4eac4d0f8484129376863df675d371f8d3424a969ca4d2ec0659df76913d9306981db4b99f392aa887aee5b8d19e98fbb75b1e772fb3976175bdd58af37eced
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: bd2db5885e1ae825e57bccdb8a4c4fad
  SHA1: 7dcbe480ae3df66db5b25d85ee9d57e6ff7b8714
  SHA256: f48aed79022ee0c40c918057b485fbb0174b7678f18442aa1e52462092b10c96
  SHA512: f30aee8245648107383c0f0b36a98d470c9fe6380e6ef4296c8c14f0ac11de71d9462ae1c25e6c590006cd5ef3b10d915f56a0e2a845b7c30e16d74c88a738cd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 55e93f8c21195bfcc973b226232d2da1
  SHA1: 2422b92adc5cd908c81e79574f635ed20164f8c7
  SHA256: f921786b5d233299bf6875b99f074ae6f6c37cd59050c45e294bcf74fd0c92a7
  SHA512: 53baa55d0e3963787d215b240122c786ab81a9f232fb8626492775ba71f59c882a928af3c0a9a3365258b19053da02f00557b428e5610f3271acef54612a0112
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342 B)
  MD5: 0cc138c4bb7955ee4a49df6fa67fbcb2
  SHA1: 1c5ca78ecf1a89432529c93710ee44769cea90f2
  SHA256: b4a02bbdc4e543ccb6a54937ba707c60bce33e4bbf359d1368c97613370c0414
  SHA512: 8cee03bcf84efedee211af5c217b31dbb0986eb2812a12a21fe01958243bd41b133e46b20767469ebf321e3371bc56dcf4482172d78e40c9b034162824417a00
The following three files are listed without a path in the report.
- (no path recorded) (70KB)
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (no path recorded) (181KB)
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- (no path recorded) (55KB)
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a