Analysis

  • max time kernel
    67s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 02:33

General

  • Target

    712880e6000392edbe9045cbbd033f22764526206900c89bfa183fee451e8284N.dll

  • Size

    188KB

  • MD5

    d5400a1109bd37fdd4e2ed5b846ab410

  • SHA1

    f6697d9ff80404a371e14fb85cf8532c8d66378d

  • SHA256

    712880e6000392edbe9045cbbd033f22764526206900c89bfa183fee451e8284

  • SHA512

    b7b0d1dc6dd8df93e61fdf6c7cbefef6e89e3b96176bc7f89d63026c8f29f3c6c7465e423b18a023402c51128f0071ed85fad26e444bb08ab59939593af9861a

  • SSDEEP

    3072:RyxAfJTYCfDuoocFHGTuXHHetkqcqvnhzdui:AxgdYAxATuXHHel/Vgi

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX or modified-UPX open-source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\712880e6000392edbe9045cbbd033f22764526206900c89bfa183fee451e8284N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\712880e6000392edbe9045cbbd033f22764526206900c89bfa183fee451e8284N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2740
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 248
        3⤵
        • Program crash
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cf663dfcb6979e904b2b70d403dcdd39

    SHA1

    1075f20341497664abdce0727f7f42d5389c5ca6

    SHA256

    01d42746f59000d746d364ac3b5ad332966bf3b5183c7882bee2577a70424aba

    SHA512

    eda06ac25341088b4321c7355c3767e29f93d54767bb106ab8dcdcfa8860f6c5a57a4ae90a5e2929cd23c7562f737bb7cc83f2a7f9ae5341f2d0eb5bf39c28f7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dae18e9d1e94909b205d9c2601977d34

    SHA1

    4127ece1e6eb5b34ae76a104d8217fa75d6d9cdb

    SHA256

    52a7d9d6ffcb92184824ef97806e90b727c5ae6e0c9c87fd25523f518d82af92

    SHA512

    2b5a24db16637bbdbf1f19e8629b139100a045808cd739a499e62aed0edac4ccca7f8cdcfbda643d36b69577efceb347e3545bd3955161f111c3dd0bba95be1a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1dc975014d8d305397a75cd4a8349491

    SHA1

    fc0dc1aa31532fb0fb6acf2b66b06d96b16a1f6c

    SHA256

    1378740180d8a5a0f44d79dea5d3b1b391845928163a4ca5c34220400c6b269e

    SHA512

    7f43788ff24010ed13be4f2f88a77a9e15746683fe705e46925f0fb81d35c74ed7cb9e20db7ada3d36f60b43047ac12a03c4b9baeb652cc9f901aa4e30d0be1a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f6cf92a5cc01dc8de6056fcfa66626fb

    SHA1

    42341b5bcded2cc318d5069cf9cb1b9ceab166b8

    SHA256

    0afb331677aa9c6cbb4c4a5209461ab268b7b08a6f3f1a13b6b02017707d2475

    SHA512

    624d05d74455c797899561a9a2b8069c7cee86495508851dc487ac2bea3dc2e8e428bc029e7c06a79333efacff978d5509159df1e4a4ade28d8db3c00c758a6f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    27c8b9693ebb60c79a54852d991e7521

    SHA1

    e7aafd719ebb84aae64767c0cfbdd90a01107a8a

    SHA256

    5b13786d55b4a8052b6a38254faad90573aeb2d4b28ac7266fa4ecf31c2ed693

    SHA512

    2ffecd033a205d193ed5c8ed7ba678378d6a0e4a7932ca5e1b81f1555cc13ea7d6a02e618c8853cc1031d69fa5aadcfa3d2cef8b393d54b087e3655d5fc91f00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    048d0cc25e26b968e9db5fd00a549b66

    SHA1

    889fdd2f464b5702263e0469a96bd4742b222022

    SHA256

    940dfbf47e11e71016813ad380f33571c60865c187d533d22cfe321d2ce9867c

    SHA512

    37c80988f1556ad170320cf622cb3cb936f488e861118646771a516cc0118473d1544646321f6374f9782b28b81940d1e0b68ef7743955e05617a248a8275801

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    97a40f40ffcd41a54515d8033b500065

    SHA1

    eb3c0af0747ce5320dc82c8c853ba34a1810ca1a

    SHA256

    da4a88fb4904bd1351d29683d3ea10da0326cd07350ab185e6417a88929954b4

    SHA512

    9c7dc1ee834023f6cf2c095ebddcf63ef51204a29f90778f255ab777431f09388e6893ac5a85c8b6b11f8a8f758ee182701902f084444fcdd74e8b5cdc02dc9d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    59d143fc5b909c90b52112bcc67a0f99

    SHA1

    d4117dafe6c5250e586978055edb73b5c8d323fc

    SHA256

    e19ff6cdaa95933152ebcdb72373f3eccc68523ddadcc32135802f4d99ff0a3c

    SHA512

    ed4e8de8290968626269cb4cf2c0f07a067f2f207e0d56773f048d99e842c6f6aa72ce7ef53caf6134a2f914967d834e4accf0b7ac676439e75aca0c3e96c9ff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bc2e88777ffb225bac4e89cbcd704a7c

    SHA1

    48a6cfb5bbd87056a0e0a03ae690f567dc43a9c9

    SHA256

    c222464f958b900b9473ac33a263664ddc0ad2f541270ac1b97ad14a23a02ca5

    SHA512

    d3f0b7a51d6f2022887e807b4b8a6d88edac3c92701745965e1be3c8db549afbd121ee6bb8ff93a390f0bb965ad35ef2eb8d45e59e8606e7d2f5c066eccff45d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c33d9c3a425ae85358611891e0ae8b8f

    SHA1

    4c33e153e3d0794faf938725063db130c1f33c28

    SHA256

    1ae24759f622bdafd547e3c95a46f3ba7a38a8af2bca3c41d17656e6c1ffb961

    SHA512

    c215c49a1a4ef622e363b1b7ca548e7a6b9f3d7e1c14e88ce785f2132c3fe61242a3ace9e8499b19a3b12e03fb7f543ae0103d8025ac262ba510c7c6b7244a49

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec0c1a3f5b2f1a7958de255c24cbbcf0

    SHA1

    756157bf295ae0e44fc995a8a37545e3397a717c

    SHA256

    c19498ed40528b00170ebca6b1e5467117af54554e224b09d705eca2395d75e2

    SHA512

    ea09d9531f4defeefc8fac78261e2736e0b7a129b8f406c4f24fb6ae272e76986912e9b219f57832d2262aa6a1790651030e2c31afdf435d2cf97f8111bd5bf2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ee1c0d2020db5032ebb383b5f3412a41

    SHA1

    542c6a975f48b5ba46ad2affa0efd731432045f5

    SHA256

    ece1d95821fefb060aa1dc89e412f293508f0538ca66e1a5c5cce8674c09ef5a

    SHA512

    c1a41665a5cd3abd0342c8125db82bcef7b24041fc3555282ed8af0701e1b2fdd1ef4e541dc11f743518dd48f1da1f3ff31d59a60c65aac3fae010566587a849

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d60211ad6b3cef00dfff74fa0ee84c7a

    SHA1

    680b045c8cee12594d8b162a418faa9295101cea

    SHA256

    ad2782724cad4b5dc85f8811ee6ee8462ad29ea635406e47f97040bb22c28d26

    SHA512

    397a47d1c7693c45829bdcf2cd24259e9e2cf8c01835aa54497e946164907c001a595fda7f52ff71cbb9817aefb08819f139d8e7df72d8d2d438845b04fadf1b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3e7e62f7db29ee7eab78de5e187bf3a

    SHA1

    3007045783aed54ae1a74958b469d9910d8e0ec8

    SHA256

    d914e1e49e128323d7808453ed04d76bb4695067ce5fa59ecf370cb569de23fd

    SHA512

    51eea715e45ede13bfcad4d0d82b5853137336db896ddc4c0f3b22531220c85b65d0d42c24eaefe62d26629d8107e08980b91820d208b2012d0fd2533636865c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a8c40172dfb25ebc1bbdee940db5c134

    SHA1

    91147262df4ef9610f33976c10be469305c0b231

    SHA256

    2ccc1f66d36e933f003bdeed808a2145315b484a3a6d2376827261b1b185b0a6

    SHA512

    f1038144a8b578cbd179104037ec900dd97b906cab586dafc47c7a5a3493e730e42595103d582bb3aa7dfa9d37671866bc381413020857fc4b4616354d526938

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7e230bc8e04c77f1e0b1f1c8d76de276

    SHA1

    394287e15fd5f716adb6c821e444280aeac5dee1

    SHA256

    903a4e7fc867c81033711dc94aa190284ba9ad9d025e5885007f4da1dd7430d4

    SHA512

    169c340b00679ddc2af4b6723a7d304513c1b45abfbefe59f8b631a1e7eab65ac771f0b3405f017f530183b1f6f936e5eba39ddf4dfe15ffc95d8afa195801ef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e93a641049211a70783d393d4701b0fc

    SHA1

    27ab3a5820c216fd989723d498b56aa02b92cc1b

    SHA256

    30cdc229c1332318174ffe24deaaf90930bb021f13933aa028bbddf3d56eed17

    SHA512

    da0315f04d652da4b08dc95d78667525b3e5e16c825ae8e1018beb4a781e386a88fdb1a7184769e672af6abe52c8acb55c7133be35b0bb419fa591d2a710ab64

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec959d9327bf07b69c9f48909acbcb47

    SHA1

    bb079cf7f6c81b67b01c11e1f60ea7796f0d17e3

    SHA256

    1fe7149a66371f42d15dfc0cbd8eb543b13b2b8d76e746252bec2ad4d9aa0d95

    SHA512

    50bc01e8943e16040aea1b6af410d00e258ee16455ab1a5a6175eea081346e26cebd0e6e5b828c453ad58d612291cd30b54815222dffbfe8252ab82e22b26926

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CCD2471-BB56-11EF-BA28-E699F793024F}.dat

    Filesize

    4KB

    MD5

    5098c7203e141c5ed80419d81e93aa58

    SHA1

    8d6f885da523ebf54dddce3fd3a2ad8350bf1b22

    SHA256

    e7127d04f2c27cbea0126ab2200ce00970b47149ffe9f54cc5b4262e1deebac5

    SHA512

    73a61d40cfa656d9ae19d9f63353fe6feb2409433385806c56fda046775e9ca9777bbc939391dfaefbd4a3d306912964d7a49573e944a960d1f97aebb672c70d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CCF85D1-BB56-11EF-BA28-E699F793024F}.dat

    Filesize

    5KB

    MD5

    b8f017da86c88130ba2ad4f6f2f7f5d6

    SHA1

    d90c1814ad8978b2968b87fc3f8873574de0a35a

    SHA256

    77e3e32b0bee0d31e9d9e9ee559f64d286c109306add47d277a7b66739dec0d9

    SHA512

    44152bcd313561f2c28e9706755e3ee188b71352256110f12a91a0c93022acc36b80c7b7eabcc4f0af051bc390dcd832f70618b7ef94a008184604c33e98b075

  • C:\Users\Admin\AppData\Local\Temp\CabBEB0.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarBEC3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

  • memory/1204-451-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

  • memory/1204-1-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

  • memory/1204-9-0x0000000000230000-0x000000000028B000-memory.dmp

    Filesize

    364KB

  • memory/1204-2-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

  • memory/3036-20-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3036-17-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3036-16-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

  • memory/3036-15-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3036-14-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/3036-13-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3036-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/3036-11-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB