Analysis

  • max time kernel
    75s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 22:26

General

  • Target

    18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll

  • Size

    751KB

  • MD5

    b10e084cfe45ff07876489cdb0d550ee

  • SHA1

    c730b32a90464a382c85a4cad18e722cb1e692f1

  • SHA256

    18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15

  • SHA512

    5e13f9e6754ec22fd42924cbc1a10952adc16ada4eb5c7693d9a5c079f4697ca912f34d05ab46ef22e50e97954f819731618f0c42f1b8e007a21749de0f25f5d

  • SSDEEP

    12288:G8Uq3+xvCXcJUNi7Q7HnvvRowFQrDs6rSnmMP7R3M:G8UquxvCXYUo7OHnvJvUrmnmMP7JM

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3044

Network

  • DNS query by iexplore.exe to 8.8.8.8:53
    Request: api.bing.com IN A
    Response: api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net
    e-0001.e-msedge.net IN A 13.107.5.80
  • 204.79.197.200:443 (ieonline.microsoft.com), tls, iexplore.exe: 747 B sent / 7.8kB received, 9 / 12 packets
  • 204.79.197.200:443 (ieonline.microsoft.com), tls, iexplore.exe: 747 B sent / 7.8kB received, 9 / 12 packets
  • 204.79.197.200:443 (ieonline.microsoft.com), tls, iexplore.exe: 779 B sent / 7.8kB received, 9 / 12 packets
  • 8.8.8.8:53 (api.bing.com), dns, iexplore.exe: 58 B sent / 134 B received, 1 / 1 packets
    DNS Request: api.bing.com
    DNS Response: 13.107.5.80

MITRE ATT&CK Enterprise v15


Downloads

