Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 04:00
Static task
static1
Behavioral task
behavioral1
Sample
e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Resource
win7-20241010-en
General
-
Target
e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
-
Size
411KB
-
MD5
c46780ae0ca47177112a7d135d95ed10
-
SHA1
b734992f4b47190417028ee8daa7486a30ed4016
-
SHA256
e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0
-
SHA512
18c1d42a8d38872dff389f1ba5c3d0d579dec49f8a1efeba5b3aa75be29f05ecfcfb8e7aa34cc0ef57ccdd5172db8109abb1eb686329e1f0b6462d32fffd2f21
-
SSDEEP
6144:61yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5Yr6ibzsHPwY3mhesXWkoF:6Q8pQ96w+ns+GwoNnmy5Xves/E
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 220 e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe -
Loads dropped DLL 1 IoCs
pid Process 220 e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe -
resource yara_rule behavioral2/memory/220-7-0x0000000000400000-0x0000000000439000-memory.dmp upx -
Program crash 2 IoCs
pid pid_target Process procid_target 3280 220 WerFault.exe 82 3676 3220 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3220 wrote to memory of 220 3220 e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe 82 PID 3220 wrote to memory of 220 3220 e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe 82 PID 3220 wrote to memory of 220 3220 e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe"C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exeC:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 4923⤵
- Program crash
PID:3280
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 4762⤵
- Program crash
PID:3676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3220 -ip 32201⤵PID:4344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 220 -ip 2201⤵PID:3516
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
Filesize174KB
MD57888876a491f083b317a7b3127b0f9d5
SHA1fc699bf9e556298ea6653f6706805fe642b8c24a
SHA25688cac81bd77b809f2c34374d3f042ef5b1d25e92576743145a958d8f71743736
SHA51289dd77f8ffe111e637b3b669c9c17f07455b89e3d71adcb68463fd1aa2caa81ba699d78525d3ddf6f35e40677a458a88185a1f840a261eb69b18405c206fa561
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219