Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    16-12-2024 00:46

General

  • Target

    6daa7268d90d50641f41c556d5af389f0eee5bc7dbc6a891254289dd879caff3N.dll

  • Size

    204KB

  • MD5

    9bb76f64e7b6e78460052b40f578fec0

  • SHA1

    40f4d328a4ff0f3bc3a5365fc9c87953d8f95c6b

  • SHA256

    6daa7268d90d50641f41c556d5af389f0eee5bc7dbc6a891254289dd879caff3

  • SHA512

    5972aa166b6969350697ae37898151277f0d4e7754773fb488ba4a1c47da516afc674a15a19657f5f662a068949da5776040d3308b2bb958ad128bd4c040e5a3

  • SSDEEP

    3072:R4FioBm2dcuE0oo28xzAdWGFHxGTuXHHetkqcqvnhzduEE:R48oSA8bGTuXHHel/Vg9

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6daa7268d90d50641f41c556d5af389f0eee5bc7dbc6a891254289dd879caff3N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6daa7268d90d50641f41c556d5af389f0eee5bc7dbc6a891254289dd879caff3N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2980
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2592
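
The process tree above, read as a detection problem: the 64-bit rundll32.exe (PID 1964) hands the 32-bit DLL to the SysWOW64 copy of rundll32.exe (2600), which drops and executes rundll32mgr.exe (2964) from SysWOW64; that process then launches two iexplore.exe instances (2548, 2668) while calling WriteProcessMemory. The following Python is an added example, not part of the sandbox report or of any sensor: it reconstructs the tree as constructed Sysmon-style events (PIDs, images and command lines are taken from the report, the per-process API tags mirror the report's signature labels) and flags each link of the chain. The event schema, the allowlist of binaries rundll32 may legitimately start, and the rule names are assumptions of this example.

```python
"""Behavioural detection over process-creation events, modelled on the
process tree in this report.

Added example, not part of the sandbox report.  EVENTS is a constructed
reconstruction of the tree (PIDs, images, command lines from the report);
the schema, allowlist and rule names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional
import ntpath

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\6daa7268d90d50641f41c556d5af389f0eee5bc7dbc6a891254289dd879caff3N.dll")


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    apis: frozenset = frozenset()   # coarse API tags observed in this process


# Constructed from the report's process tree (not sensor output).
EVENTS = [
    ProcEvent(1964, None, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1", frozenset({"WriteProcessMemory"})),
    ProcEvent(2600, 1964, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1", frozenset({"WriteProcessMemory"})),
    ProcEvent(2964, 2600, r"C:\Windows\SysWOW64\rundll32mgr.exe",
              r"C:\Windows\SysWOW64\rundll32mgr.exe",
              frozenset({"WriteProcessMemory", "AdjustPrivilegeToken", "EnumeratesProcesses"})),
    ProcEvent(2548, 2964, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"',
              frozenset({"WriteProcessMemory", "SetWindowsHookEx", "FindShellTrayWindow"})),
    ProcEvent(2980, 2548, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2',
              frozenset({"SetWindowsHookEx"})),
    ProcEvent(2668, 2964, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"',
              frozenset({"WriteProcessMemory", "SetWindowsHookEx", "FindShellTrayWindow"})),
    ProcEvent(2592, 2668, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2',
              frozenset({"SetWindowsHookEx"})),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binaries rundll32 may legitimately start from the system directories
# (allowlist is an assumption of this example; extend it per environment).
KNOWN_SYSTEM_IMAGES = {"rundll32.exe", "dllhost.exe", "conhost.exe", "werfault.exe"}
BROWSERS = {"iexplore.exe"}
BROWSER_PARENTS_OK = {"explorer.exe"} | BROWSERS


def basename(image):
    return ntpath.basename(image).lower()


def in_system_dir(image):
    return image.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, pid) findings for the three links in the report's chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # 1. rundll32 executes a binary from System32/SysWOW64 that is not a
        #    known Windows image: "Drops file in System32" + "Executes dropped EXE".
        if (basename(parent.image) == "rundll32.exe" and in_system_dir(e.image)
                and basename(e.image) not in KNOWN_SYSTEM_IMAGES):
            findings.append(("rundll32_spawns_unknown_system_binary", e.pid))
        # 2. A browser started by something other than the shell or the browser.
        if basename(e.image) in BROWSERS and basename(parent.image) not in BROWSER_PARENTS_OK:
            findings.append(("browser_launched_by_unusual_parent", e.pid))
        # 3. The parent wrote into another process and the child is a browser:
        #    the usual shape of injecting into a browser you just spawned.
        if ("WriteProcessMemory" in parent.apis and basename(e.image) in BROWSERS
                and basename(parent.image) not in BROWSERS):
            findings.append(("writeprocessmemory_then_browser_child", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45s} PID {pid}")
```

Rule 1 fires once (PID 2964) and rules 2 and 3 fire for both top-level iexplore.exe processes (2548, 2668); the IE child frames (2980, 2592) are not flagged because their parent is itself the browser. Run against real Sysmon Event ID 1 data the same three rules apply unchanged; only the event loader differs.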

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    22dda954d24765020cff2705d7ce213a

    SHA1

    dfe266fbb7afa7fa3e71a4eeb79fef2fca7aae77

    SHA256

    a9ed272a024a9ebd8c640f885889a94575b5b5e1f408794a5e2b4038fdf747b1

    SHA512

    6875c288664476a3b9ffa60c60ae8d0d1d6fcc1adf5ead241ef0da7685f6565df22fe99bbd9260fd170dda68a4880ab5f53b24a2a0314f92f1707b1a25ce9862

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    efef3d273d8883621a98fb17afaa94ca

    SHA1

    ed8e101663783f7539266b7cc17a7d8e06adc443

    SHA256

    73ae3cc7eb81a61adbfa57d6f5c3715834984a69d8086c874840f9b147724d60

    SHA512

    fb823b4adba8c44bdd38b28ec662b8cc69599c676562bfefc68ea9a9d9d65a82e52fe13391fcb1ba6e1abf882aa0633c716d709722d557cb9fe975f1e7092b13

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0ea424ede318b360a11050ec48fff027

    SHA1

    da0f6a7fe8b7176e17cfad37d20b9a08e8fa3901

    SHA256

    836c1240370a13a7cf9945f7739047797491906ec434cd4015226b8ec5bf30cd

    SHA512

    e94502621eae126e47cb906dcb5ac726a10a6aec5c8902d124360ec4847bd6c24ada94f95faee3addd3726c95bfa36738040325ce84eeb89487860b80ce49c4e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e1e6f1558f26d77442e5c84156d4b41c

    SHA1

    9418c0fc4294cbed3aa624d8c0ee6d64e713437a

    SHA256

    2c29291520f6e63cd904beca4b50d8e792afd1a603bc690afcb39e6bfea90cf2

    SHA512

    ec7ae685be5b4edcd231fd9095b55d1f7e679e4985b21dee85130c932331dad8277ace8231da57e71e71cd4d5fb9f647e417fddeccce79736be5bbd7518407d8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d36641bb2ec347192dfe27446cfdf298

    SHA1

    00973a829a5312415a251aacb121b630dc7c4cc9

    SHA256

    8dd28129b0b5d7899a63d8492a1b537f40096784b0e5bdde6a6ee567e0d13b6e

    SHA512

    e86978adcd9cef164e70dd5056a9bc9df986670e84950c678425da8b0a36b04b6460fac9bd2f3ed70fd04a4805dd5a3b3b60bb062f3bb83251562a3ed4050303

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3fbb4942dba3b6afc4ec8e72b6e2098

    SHA1

    7c813d063fb2cdb92e2f1ffdb3be09520daeab66

    SHA256

    4a1af3b5d3c882880ac5c32615748413ad5abe1ed0e5239c8e78b5d0e594b3ee

    SHA512

    b229d5f33ec3d0f9e6ec0c380dd70bb37a6416f8797ee2a559d48ac9600f7f5279486f309180be74006e4df143dd6c63a77cdb81f868c21e5903104f0cff2419

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d8868856f8c55f539a1374f5281ab81f

    SHA1

    6bf5b9cfc4291b095380e934a0f51b8a1fb083a7

    SHA256

    5097f4fcb409a9755db35af976bb1694f2acda383ded453c6f094c6777cf836c

    SHA512

    d253ad9afe883e3143057fc5fbebc6e386caaf9a90a90ca735fd3f7cc4e3401d7e7e11179adbd8b3f0456948b8414fc5be1461f6598550e5d7d14e38acbc3c70

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7c0c09a5dde34e96e483f2587de6377c

    SHA1

    f551183d19648c29146189ff27490269fefcd328

    SHA256

    cde488152951fc077f7e7cfd08db8b2ef411a6be2f3e80212813b71915b706c5

    SHA512

    1eac944843eef06821da00bea989381bf360c622b16e3eede89c4c8f8f67b302384555566d51029728376e2a85248b676dd3abc2712c1e44edcd43614b8ad3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b7db49748bc6456ca2e18d67e76b3764

    SHA1

    9bdad3a7aac294e560884266b9b0b7b49f23e85e

    SHA256

    0f9977e6d44ecacbe3035504c5995290d927011f180d47b0c24e4bae72531d22

    SHA512

    a84111fcdef02e9c6eeb161148121abe44ce43f390e22a06250fd79374ef305370c6fd30a55f0a703c75cf69e35635b3715f53920cdaba7215cfa92ce549c51f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    69342c7a00357f0a8e1e5917b12e5e2f

    SHA1

    931f2def8baff41f60809f6f3af8fac9cf3b10e0

    SHA256

    cfe6c4c7248f5666d806c05fa7b8add295ed9c5c33ec620fd059073561e71f4d

    SHA512

    cd18412630a03ed9133895f017fa2a593eaa1298cb8dfc6a40adf72ece3b4c9a3f37af544cbc935a9467fd7fb0d95fe4ffe50a29671c4e18037f7451bdd04313

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1c800e86140f0c3025429b307e2376a5

    SHA1

    0c8fac1dd7191f7dc1b31ddde42aa6fde0504034

    SHA256

    3a1a1560f48fb1a1a8ec134f6891e8ae4df8bc88cbb8c3c8b1def7f0b526f49d

    SHA512

    01a07fb07899a14abbdaf5e587b7067415d0535dc09b9b8458aa554373e815afce29ba94e4f80a7eba320adb053804d320836e78c0b172fce7c68e32e1dc5bb3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3ef5797843e36bf2141a501d7d2fd2e5

    SHA1

    855ff3cd51c33b9354dd4e3a1ee8f4251d26edc6

    SHA256

    f401cd96a3668492b37f147eb89b903275e8a74542627b66293a05392b3296bc

    SHA512

    5f5b8376750bd1f55ee047a80469a036eb9c818a668f6225e02cb34f1eef31b9ed07c77db315c14329f8362ea2f8d65c621df40c4939b9d7694db837b772054a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2dcd14ec193f2af9af503a3eaa0a9c0e

    SHA1

    2a2f19ac3c9f9fd39f53246b629da9cdbf55ecc5

    SHA256

    41e04a572d7be7719588197aebf1a5eba3282f36bbd06e6a95307d25e99c9a6e

    SHA512

    b2e630a9c10ea7413afbc96d8f66f1b3fda3057273ddfa4942cba8d37fe6010a3121ea5b3bdbde7b60c4e5086344daa9e2d52445adb18fdd254821acb2051af9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6b947f8e4dbcf09d7a2e466ef37e2feb

    SHA1

    bed5f0e89349bb62e8a82c80a0d33d01ec2a2dce

    SHA256

    372a9abffaa6c23af45e633998f92c115966637f74a89fa0c6f11dbfb9cbaf3e

    SHA512

    565100bde563759837e79adb1e036ff78905541c4ae221b35008b20613a6c162b2cd022a74d597d603553f9b9eee4a44b767115490e5c6ef38037907d4a8b861

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    85fae12ea10b7c72db8a200a365a4a03

    SHA1

    14b81cd29a66f3ccf4f12364680f827f11e71811

    SHA256

    36a599c75d37189e8af5c3ea897150b5cbc8f5aa6b703792aae1126c87233402

    SHA512

    a4e7bc88a1caa88d126a4c5dac46e7289384d57811fbf6156329fca01bda2420fe71ce36cb8d7492c405e839f010162ff85f1e8cc98259c34a12ac654d199681

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    79965f5ca2b78613ba0ec805770e863c

    SHA1

    39b030175c4a88dcefbba9a79a7d4e8ff7bb1e3a

    SHA256

    1b403c36bacf50d65a70c2626d335a5bf24ed8fffc35296abae6926dc57c38b0

    SHA512

    2ba52ae582d691b6070cce4d63e39170a19e3e4be36bedf4ed5cabcdbcd9fe6893ffdca1f58fa4149f48f0201755d2d14dcc147e10d9eb4c0f4c045c05899016

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6afabf21693efe33016ebf2cd4249258

    SHA1

    0dae7365c587f830a9ddd83b610824d3c74adfa5

    SHA256

    65de6ea2238a2c2a69876550e17f76213065503a075bafe83bc6af83b4a6b550

    SHA512

    2186b65f1867db524962c03d15332c711565cc77f0126cebb768834b0bc78c6e7f9d3e4cb73b0a73d9d34a55cfb4851c47234145653a944d72adf63639ebe7a8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bb6113539add41dff812c9492f8692e9

    SHA1

    1f014b01b9cbcc1384ef7a6d8dc3aaa151d4f166

    SHA256

    07e695b32596a6828534fe14b9bb0f6ca68ba62758f290d4096e34a90ca042c6

    SHA512

    e12de8f0f35e5455cf9427a6dcd38a592ca3101d032182247fbf4aa975781b4db36129ca6555e2564cc9cbc114fdc32118c53acf58512ca94619c993ecd8d398

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3d3c819310641237259791c7d6cfe091

    SHA1

    2a34152225f42476255dc81ffb5d7f91600f9c55

    SHA256

    68a3addae7197e78cfee0cb320ffa143f95391f78b5f4ee479a3d54136920d86

    SHA512

    711a6c24b4fb58036d3b5000305f4036fff8584f50360c7176c489e0e6e70d9bf4db9a4891f80b83ae45263dc842776cc9b891cf54f9061fd65e2bd49f548ab6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e89cc7d38e9aee7e12594941ef1a7d81

    SHA1

    9f568aa3afb0c2fce5b38a774e05b97bca78f495

    SHA256

    2d61796b9939d27f6b8533c56777382594a2a69272e787f7dcf0fa9f16517786

    SHA512

    db8fc887c85b2638ebb1ff8f573222eca3ebdb9e78be54ab7db43d9b19849fdc3008c14be40cc1296b9022f649838af3034919fe929327267e1ac8b3aeb3af7d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24CC8CC1-BB47-11EF-A5D8-F2DF7204BD4F}.dat

    Filesize

    5KB

    MD5

    be5e166ba3a9d048fc585d2ef0a3c3f6

    SHA1

    04d7e5a08e3ee05122ace50bbfa6a9450c066f95

    SHA256

    222ffdc116cdd72463c23b5e6f6171429b26232cbd08e3764f068a953585b77d

    SHA512

    509cc8a2cf302da03c39fbe6412fada6da7a99b56b84c98e8fba924b2f6d6f6e27ad0bf6805ee6cb8bc638044bc25e9b9624cde425765a624149779d62192590

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24CEEE21-BB47-11EF-A5D8-F2DF7204BD4F}.dat

    Filesize

    4KB

    MD5

    005be68a48e054a11af562c0aad96cbc

    SHA1

    ee81b37b0bffa39eedc079139845f69097bfeee9

    SHA256

    bbcd3f041bd64c0d5f1d4c71c5bd4b685616742a8f4f051e3432634f1b42ecc0

    SHA512

    00dc95e2da434fe4ce43692316e9f9817256bff9b0f27ed53d93c95c1149e603b9ff3bd6b744cef237ea13f8f45b0c64f4ea02241632b0472b4cb07847851aa7

  • C:\Users\Admin\AppData\Local\Temp\Cab1630.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar16C3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

  • memory/2600-4-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2600-11-0x0000000000250000-0x00000000002AB000-memory.dmp

    Filesize

    364KB

  • memory/2600-883-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2600-0-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2600-10-0x0000000000250000-0x00000000002AB000-memory.dmp

    Filesize

    364KB

  • memory/2600-2-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2964-15-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2964-18-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

  • memory/2964-16-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

  • memory/2964-17-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2964-19-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2964-14-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2964-22-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2964-13-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB
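
The dropped executable C:\Windows\SysWOW64\rundll32mgr.exe is listed at 105KB on disk, while the image of PID 2964 at 0x00400000-0x0045B000 is 364KB, which is consistent with the "UPX packed file" signature. The following Python is an added example, not part of the sandbox report or of any analysis tool: it matches a file's hashes against the report's IoCs for rundll32mgr.exe and parses the PE section table to check for UPX's characteristic section names. The PE bytes built by make_pe_stub() are constructed here so the code runs offline; they are not the sample. Section-name matching is a heuristic only: a modified UPX build can rename its sections, and any packer can fake them.

```python
"""Triage a dropped file against this report: match its hashes against the
report's IoCs and check whether the PE carries UPX section names.

Added example, not part of the sandbox report.  REPORT_IOCS holds the hashes
the report lists for C:\\Windows\\SysWOW64\\rundll32mgr.exe; make_pe_stub()
constructs test input (not the sample).  Section names are a heuristic.
"""
import hashlib
import struct

# Hashes of the dropped executable as listed in the report.
REPORT_IOCS = {
    "md5": "dfb5daabb95dcfad1a5faf9ab1437076",
    "sha1": "4a199569a9b52911bee7fb19ab80570cc5ff9ed1",
    "sha256": "54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0",
}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def match_iocs(data, iocs=REPORT_IOCS):
    """Return the hash algorithms whose digest of data equals the IoC value."""
    return [alg for alg, want in iocs.items()
            if hashlib.new(alg, data).hexdigest() == want.lower()]


def pe_section_names(data):
    """Parse a PE image's section table and return its section names.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional
    header -> section headers (40 bytes each, name in the first 8 bytes).
    Raises ValueError for anything that is not a well-formed PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when the section table carries UPX's characteristic names."""
    return bool(UPX_SECTION_NAMES & set(pe_section_names(data)))


def make_pe_stub(section_names):
    """Build a minimal, non-runnable PE header with the given section names.

    Constructed test input: just enough header for pe_section_names().
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                    # PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


if __name__ == "__main__":
    stub = make_pe_stub(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(stub), looks_upx_packed(stub), match_iocs(stub))
```

On a real acquisition, read the dropped file's bytes and pass them to match_iocs() and looks_upx_packed(); a hash match ties the sample to this report, while the UPX check explains the on-disk size versus the larger in-memory image and tells you to dump the unpacked image from memory rather than analyse the file as written.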