Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 07:18

General

  • Target

    333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179N.exe

  • Size

    1.2MB

  • MD5

    b497efcb979ec390ebc545af329f4580

  • SHA1

    3dbdb697e7d8bed107910f3e1bfe2dbee6c63b8f

  • SHA256

    333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179

  • SHA512

    7bccecced8dfab161760e8773e2b7b2036e7819ae972d50d13d0e151c292429701bd8769f0fd8f02b77bf861e7d6619ca59f380c3efd0256b4a61087249c5fbb

  • SSDEEP

    12288:7qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey++r/qC/:7najQEPnvg6PhWDC750MD

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived, versatile family that has shipped as a file-infecting virus, as a worm spreading over removable drives, and as a banking Trojan.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
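
The UPX signature above keys on the packer's layout. As an added example (not the sandbox's own signature logic), the following hand-rolled PE section walker reports the three static indicators a triage script would check: UPX* section names, a first section that is empty on disk (the unpack area), and a high-entropy compressed section. Both PE images are constructed inline; `build_pe` is a helper that fabricates just enough header for the parser to walk and does not produce a loadable executable.

```python
"""Static indicators of UPX packing in a PE image, parsed by hand (no pefile).

Added example; not the sandbox's signature logic. build_pe() fabricates just
enough of a PE32 header for the parser to walk and is NOT a loadable executable.
"""
import math
import struct
from typing import Dict, List, Tuple

SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE = 224          # PE32
FILE_ALIGNMENT = 0x200


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> List[Dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        out.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                    "rawsize": rawsize, "rawptr": rawptr,
                    "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return out


def upx_indicators(data: bytes) -> List[str]:
    """Return the static UPX indicators present; empty list means none seen."""
    secs = pe_sections(data)
    hits = []
    # 1. Stock UPX names its sections UPX0/UPX1(/UPX2). Modified builds rename
    #    them, which is why the two structural checks below are kept as well.
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hits.append("UPX* section name")
    # 2. The first section is the unpack area: large in memory, zero bytes on disk.
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append("first section has no raw data (unpack area)")
    # 3. The compressed payload section is near-random.
    if any(s["entropy"] > 7.0 for s in secs):
        hits.append("high-entropy section")
    return hits


def build_pe(sections: List[Tuple[str, int, bytes]]) -> bytes:
    """Constructed test image: (name, VirtualSize, raw bytes) per section."""
    e_lfanew = 0x40
    hdr_end = e_lfanew + 24 + OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    raw_base = -(-hdr_end // FILE_ALIGNMENT) * FILE_ALIGNMENT
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                                   OPTIONAL_HEADER_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPTIONAL_HEADER_SIZE - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        rawptr = raw_base + len(body) if raw else 0
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", vsize, vaddr, len(raw), rawptr) + b"\0" * 16)
        body += raw.ljust(-(-len(raw) // FILE_ALIGNMENT) * FILE_ALIGNMENT, b"\0")
        vaddr += -(-vsize // 0x1000) * 0x1000
    return (dos + coff + opt + table).ljust(raw_base, b"\0") + body


# Constructed samples: a UPX-shaped image and a plainly laid-out one.
PACKED = build_pe([("UPX0", 0x20000, b""),
                   ("UPX1", 0x1000, bytes(range(256)) * 16),   # uniform bytes: entropy 8.0
                   (".rsrc", 0x1000, b"\0" * 512)])
PLAIN = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x90" * 256),
                  (".data", 0x1000, b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

The section-name check alone is what a "modified UPX" build defeats, so the two structural checks (empty first section, near-random payload section) are the ones worth keeping in a production rule; a packed sample that renames its sections still trips them.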

Processes

  • C:\Users\Admin\AppData\Local\Temp\333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179N.exe
    "C:\Users\Admin\AppData\Local\Temp\333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179Nmgr.exe
      C:\Users\Admin\AppData\Local\Temp\333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179Nmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2368
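
The tree above reduces to a shape that can be hunted in process-creation telemetry: an executable in the user's Temp directory spawns a second executable in Temp whose name is the parent's stem plus "mgr.exe", and that copy launches Internet Explorer. The rule below is an added example, not part of the sandbox report; its event records are constructed to mirror the report's PIDs, image paths and per-process signature hits, and the "mgr.exe" naming is taken from this one run and assumed, not verified, to hold for other samples.

```python
"""Hunt rule over process-creation events for the tree in this report:
a dropper in %TEMP% spawns a same-stem copy named <stem>mgr.exe, which then
launches Internet Explorer. Added example, not part of the sandbox report.
The events are constructed to mirror the report's PIDs and paths; the
'mgr.exe' naming comes from this single run and is assumed to generalise.
"""
import re
from collections import defaultdict
from typing import Dict, List

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BROWSERS = {"iexplore.exe"}
INJECTION_APIS = {"WriteProcessMemory", "UnmapMainImage"}

SAMPLE = "333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179N"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"


def in_temp(name: str) -> str:
    return TEMP_DIR + "\\" + name


# Constructed events (Sysmon-style fields, hand-built). pids 3000/3001 are a
# benign decoy: an installer in Temp that opens a browser without a mgr copy.
EVENTS: List[Dict] = [
    {"pid": 1680, "ppid": 900, "image": in_temp(SAMPLE + ".exe"),
     "api": ["SetWindowsHookEx", "WriteProcessMemory"]},
    {"pid": 1720, "ppid": 1680, "image": in_temp(SAMPLE + "mgr.exe"),
     "api": ["AdjustPrivilegeToken", "UnmapMainImage", "WriteProcessMemory"]},
    {"pid": 2528, "ppid": 1720, "image": IE64,
     "api": ["FindShellTrayWindow", "SetWindowsHookEx", "WriteProcessMemory"]},
    {"pid": 2368, "ppid": 2528, "image": IE32, "api": ["SetWindowsHookEx"]},
    {"pid": 3000, "ppid": 900, "image": in_temp("setup.exe"), "api": []},
    {"pid": 3001, "ppid": 3000, "image": IE64, "api": []},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_dropper_chains(events: List[Dict]) -> List[Dict]:
    """One finding per Temp dropper -> <stem>mgr.exe -> browser chain."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for parent in events:
        if not TEMP_RE.search(parent["image"]):
            continue
        stem = basename(parent["image"]).lower().removesuffix(".exe")
        for child in children[parent["pid"]]:
            if not TEMP_RE.search(child["image"]):
                continue
            if basename(child["image"]).lower() != stem + "mgr.exe":
                continue
            browsers = [g["pid"] for g in children[child["pid"]]
                        if basename(g["image"]).lower() in BROWSERS]
            if not browsers:
                continue
            findings.append({
                "dropper": parent["pid"],
                "copy": child["pid"],
                "browsers": browsers,
                # which of the copy's observed APIs point at cross-process writes
                "copy_apis": sorted(set(child["api"]) & INJECTION_APIS),
            })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(EVENTS):
        print(f)
```

The rule keys on the parent/child shape rather than on the file hashes listed in this report, so it still fires if the dropper is repacked and re-hashed; the decoy installer (pid 3000) shows that a Temp executable opening a browser on its own is not enough to match.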

Network

MITRE ATT&CK Enterprise v15


Downloads

The CryptnetUrlCache\MetaData entry below appears repeatedly with different hashes because the file was rewritten during the run. It is CryptoAPI's cache of certificate-chain and revocation fetches, and LocalLow is the low-integrity store used by Protected Mode Internet Explorer, so these records are a side effect of the browser activity rather than payload drops; the dropped executable is the *mgr.exe entry further down.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    49b45cf5d02109af9d892e0672b047a0

    SHA1

    3419df51dd427ef673a6505cf474ef59089f061d

    SHA256

    24c50c5e2cb8b454d20e52ca22437cb8f0f1b03a537c7b1646d20994730901d3

    SHA512

    ea13d1495e7d480c43b8414f7e4b5e1bacafdd7f1f0b538233503490ca47e59f125dba1800625400923e16410e196b43421d6f158b5a7bf6c426b8ce35876baa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    884937c8bea366c6ea91a51e14f74177

    SHA1

    5b011101df40512a13903c88c21ed9d55c4a6c7f

    SHA256

    e1cf579842c4c13e58b87b18bccd6f5f7ca55176eae7ace5f1f374c028003664

    SHA512

    2982a01fdd7c952a0c81fa65aac18ec1bdb369ffc89b8af1b343c7c725b72c6c33a183e707159c405eafc0d84fc25701bb121923b9e07ae2b58e5722f279d1df

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    95fbc40157bdfc2f9431f59a7cc991ad

    SHA1

    8b20a7e561bf231057406d34dcf79f5141a109f9

    SHA256

    65f1c7f91970f302f29803d1229d628a6b6587b0a44b35cf2d69d41233b314a7

    SHA512

    b8a8d8c16009a0922739c9f3954e5e4d85ca00a18f66bc953d57fdc861c857a90539ac2e2720885d53fad18bf7ec3003420a66d0b8a52ea3e399c845353e8cda

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    01a141283737957b071b955ef663fb9b

    SHA1

    2f75e39f08df75a9fa44ae3ed88238109a694b8e

    SHA256

    bb5b24b7994358d6b18bc5cddbd4cb96451a67c949a2e041c45ff331de72a0c5

    SHA512

    624b104ab10267c6addeec8d073d6b32cd9b0b9f593affe1dc018a7863accf1dd3f512607ff92cd7808227a550e5c85957e8e0204a949b7c00aea88c322a60e2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c38500adfd6b558b682afdccf9511b11

    SHA1

    8ca22975a68c90dc5df055ae098857a030f3dca9

    SHA256

    2ba69f6ad261e439e815b8267c2c23ec62896a2225e27c8d154b4c02c4e570d5

    SHA512

    923beea20caa038d68682deff822cc3109242d16deddd1c467fac96065e2b834af07032261e6ed35a37c5769bcf226be187d96fb2ea2932d984e1e6dba0b94de

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    136ba7f2b786dfcba49909ae79be1504

    SHA1

    2a6a1b3b4c47c0579a389c11089c8a394c1ddcaa

    SHA256

    ce4d5b7d7123ab28aaf81c1611501dc0cb1c22dfd2b0664f433a1f328fe7caae

    SHA512

    6bf5ccba55d78c51d44456b1a16dd4d5d7b72707e0f0d2c69440719a2e3bdceef450401d33c868de7bf8804e23eef392e5d7221f03fc10569e94cce83c412c07

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cc804ff8ad9b28f69e025f3b7da99ccc

    SHA1

    76ebb40e317648e3980b848be0c6a9da9957f057

    SHA256

    0c5fd7af224eee8cc893deb95f465c25807127e1d8fe3443b157c25740e3e975

    SHA512

    08422df9adb0b80a7d38c632a0bc190319896e106c2233351fc4aa2d681275f46b3b6597aaaf544888f61d2f357c079f5fea71110ced6156df0293a2b4fe820c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4e792a346efb1d81ec0b5655bd4aeff0

    SHA1

    c2052bfff51e7f7abe7b13edc905a315fa726f17

    SHA256

    f388a135de5d4b523f07d7ec5870a54873324bfb5323d49afed7add7a7538899

    SHA512

    75bcd709a479dbf92708c5439873f47d144e50b6b53a5ec1918f64c2b419a11b1b28d0b6662be9b24d42f6f772d77e4b966b37d1aed47858c58617081552e4eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4c7dd66aeb4319d63bfb8cffe2664be7

    SHA1

    07dd259632489e2015ab2b4a0a02197c4e0f8a78

    SHA256

    6678ca2e715a151d9765ca4d59169c1a004c028a70d90f99e7ec842eb7fd13c9

    SHA512

    0b29b1b545c60cb0b519485cb5ef9b1492352ffc5cb94ba8c26a35718256a53f8b67884fa65f6ce12af2bd8a122b4eca3bb3437754851e31f9be1c6de47f6eb8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b94695b90f1278c798c1a1f205133518

    SHA1

    16b13339baca52ff5a0a885e97919f0d9eb7506f

    SHA256

    db88c4e1753f64cddb14bb579aa9a3d8968d6276100d11fb13faffb48973895d

    SHA512

    f99c3ff623267fbc644acbe0a43270dfa834d38152d1d260942a7cb7b93c14586bda96201aca39b112963e09b62df9ce5c11f8822613e2e61dea8a8fdca267ad

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f7675ac86eb0cfbd6536ed6cc8295035

    SHA1

    c4035c51a624b702c94cf712f6bd808ec637a90a

    SHA256

    091d4a1ff87f1f8f2d17d30ae7e3907d66cfc3f13e4df9acb44490d53987a9ab

    SHA512

    384609453383aee7d6c610f5e9d361d9139025288465d58335d32b88abe3c1064281ed829c4fbf6e0d7d70fa87d3d4ace4236090023f92489a21c7c40123e3c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ad380247e3bf216ed691f31ca5e7471a

    SHA1

    15691911d941ef0227f06a235a1bcb140887cf97

    SHA256

    e74c6c5f3bc4e11af00684e0d0db1787db108fe3d2e8454812a3043eed4af1fd

    SHA512

    763cc2c51717cc6ee889e6b68bd74a5d60066b52990dbd0214914b957529952c3f596b627e22e6a9538e626b2a8c91d2bfc51cbb619a3c6ed0e9ca3ae604c74d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d42e6c96fa0e10962c2af5792905bdc8

    SHA1

    832fce1e21e15b5926f54e4b3bd9e93980008880

    SHA256

    368aeb5bea6c495e21f82f2778e711ec42c00fbaa18c736db06350051f4e19fe

    SHA512

    074a35913157acf857678e226b85e9072a3938c795e3bc75ccc710e858021838018ad84cd809b75878b1f81b3e37c3a0e50e16b017800c2ebacd3ddea92e03c0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c221548de448606e932157e63c872cb4

    SHA1

    e397dfb70944aaf66a2b21f6e3bd5c527c4f107b

    SHA256

    c095a0f8aa60a6595090b4ddfc13ae7110aed1a87442b4d9b589e4721090a707

    SHA512

    c892a5430c759474e3b120db37e6706337b4a042b852951f78e59bcdfb2660a318a50f1dd12fc98bc3493371ecc91a15cd24eddde1bc8a4b7fafa60a12eec163

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1049b166d6aeebe5cc73d9d80b1cc2d3

    SHA1

    f0b85da6f2e875591edd419e141e2b0afbf7ef8e

    SHA256

    daa05ea82d3d49ea8821296fc26096dd6b46d187bbce506546cc952ad6318686

    SHA512

    db450f34a03ab8ec83c60ae9114038780f5fa03177b9ac7e217a968eb1cf19393c0195fc32e6af97440646042520d84d5dbc7a9a3ce2a9e4d0c85223c2a252fe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    da5f7710ac7d784c82391f1fbc7af93e

    SHA1

    8af4f355dfc983f2e87179a7b236e67096b29544

    SHA256

    d6764a420d2345c1545ca0c8b78353e318cecdeb47e9373c21e0787f17c7cc2c

    SHA512

    1ae16541e07f57c20c6ca82c354b299c43c107a8bbddc9ae809cf02bb86139838c5e6788f09b9204d357c5897387d6c2e48d880e01bfc195d22ed356c6b1092f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    696362caafd778c5adfcd1e0e34a949f

    SHA1

    459909f101551094a19ec99ed043f417d3f9ad87

    SHA256

    bf03b5105538d8bbf4af04d020b27096e898d9fbb1811fe6cf86f95ba07dc545

    SHA512

    b1f0bcce42c4d600084b62e57e2e69ae00517dcef0e30dbbbec59f15feb4750d188b166c08b74be376106a70994d20c0da18edfafa2d7c6a1f2d89696c31bcbc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed4c7dcf088610ebd4f122abc3f14ece

    SHA1

    62f8f6dc46cdbf9656988f89175714222f8fad28

    SHA256

    1ca93be64f5a47742eb9a9a18d802c7f75e430dfd2446d6c76f8b5b461d18113

    SHA512

    2b53cd17ad0e5b70b40d50bf21bef14a9cc7f3910eafddf1f75da4e818121d04f285f7b53c27b9d69d23ab3ec8d3f8e80132e85793250c28f81af32136b69809

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a1522a3883f576f5f5ca62694097195e

    SHA1

    636329ef8523c47d900b377bd54752ff5e07d602

    SHA256

    af55c92d2dac3d9b2189709bc6f3a78fd5d38384f1d5570fa910db0fc5cc0c8b

    SHA512

    b7bb7bc199625df8b69c88437acf00640dab284faaa273367057765b80010cbb66a8605ab82936ad6078b6eda3dd89b31d3feaf1e4e91c7f242c28a622d187ab

  • C:\Users\Admin\AppData\Local\Temp\333b4ee0dad081c684ddd5ff2c4e5eaf6581077f5d2d7cf4d452d87712d12179Nmgr.exe

    Filesize

    93KB

    MD5

    3dd70587ad0e0903d8462e7faada5085

    SHA1

    ec0ba226d85dd6c56a03044a8d5a239a32e0a6e5

    SHA256

    8edb1dc2ef928c1b9aa615072d074f1e4918d9d3f34c0e7afbe06c434ba04f0b

    SHA512

    145baa1d4a66b1d008f0602bb2dd778fed70e0814d9ab1b268784164e04c51bc77fe24783554023930f8a0bffdc7e44e9db2187bafabeb8fd62454f5375a8b37

  • C:\Users\Admin\AppData\Local\Temp\CabC7C5.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarC895.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/1680-0-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/1680-24-0x0000000000400000-0x0000000000536000-memory.dmp

    Filesize

    1.2MB

  • memory/1680-8-0x00000000001C0000-0x00000000001DA000-memory.dmp

    Filesize

    104KB

  • memory/1680-9-0x00000000001C0000-0x00000000001DA000-memory.dmp

    Filesize

    104KB

  • memory/1720-15-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-19-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-20-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-21-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

  • memory/1720-22-0x0000000076F0F000-0x0000000076F10000-memory.dmp

    Filesize

    4KB

  • memory/1720-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-17-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

  • memory/1720-14-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-13-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-12-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1720-11-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB