Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 21:50

General

  • Target

    ebe670d435f8ee1c8a403f5c19d2626aac45c5c31f90e667e04c84b56939c16e.dll

  • Size

    171KB

  • MD5

    a3ee0c445adba4b7b5a916b5546924d9

  • SHA1

    623d2fbb3c1e865748a3fa4e4829a8db042542d2

  • SHA256

    ebe670d435f8ee1c8a403f5c19d2626aac45c5c31f90e667e04c84b56939c16e

  • SHA512

    d9143c8a0e2371d98002b448d47f7b25efe5fbbd1311fe6ff07341b5b81f4bfe06bf8810e318515be0903f6d6675c60754e7c4ef0e1cee0e3df9963924fdf000

  • SSDEEP

    3072:bcwO/iTOdgWtJ6LCHn/rkiENpYrvQaSISixCC/xwp2rrUDA:bDTOdgWtYAjkR/YrvQaSrcwptDA

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebe670d435f8ee1c8a403f5c19d2626aac45c5c31f90e667e04c84b56939c16e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebe670d435f8ee1c8a403f5c19d2626aac45c5c31f90e667e04c84b56939c16e.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2240
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DAF95071-A91B-11EF-9D9B-465533733A50}.dat

    Filesize

    5KB

    MD5

    82a5f702322bc085a8b5e5a8e09ae336

    SHA1

    274b5f43eeeb3f0d621792683e714bb17298487e

    SHA256

    9e6a50a6c55fbe83eeabf0a149b11a689fadd20276ff6854c66683e6a330645b

    SHA512

    db53293e8c1f7c731a04c4596eea7e051117009fbfedb5a129532432bf7041d2bbdadbd55b7e0e3366416c4c3eba9b7c714aa6a0f1f499f1e6309dc2b6c4d520

  • C:\Users\Admin\AppData\Local\Temp\CabBC11.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarBC82.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    134KB

    MD5

    774b9c11bcc0dbf50425e3935100b905

    SHA1

    519338139ca0deaa4b42e056468087e18fd1f253

    SHA256

    be6cab2cfd23bd5cd633264eb9a7d55f0feacda3aff05db031af04a531585590

    SHA512

    6d9a570b441f96013bc5ae2bdc6422beb0f48c3953da00e2443e94de531f8abda9ad8403380543f95e0ac16d84985e1a5829556ff7bf26fca85afbc86fc07872
