Analysis

  • max time kernel
    134s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 22:35

General

  • Target

    18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll

  • Size

    751KB

  • MD5

    b10e084cfe45ff07876489cdb0d550ee

  • SHA1

    c730b32a90464a382c85a4cad18e722cb1e692f1

  • SHA256

    18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15

  • SHA512

    5e13f9e6754ec22fd42924cbc1a10952adc16ada4eb5c7693d9a5c079f4697ca912f34d05ab46ef22e50e97954f819731618f0c42f1b8e007a21749de0f25f5d

  • SSDEEP

    12288:G8Uq3+xvCXcJUNi7Q7HnvvRowFQrDs6rSnmMP7R3M:G8UquxvCXYUo7OHnvJvUrmnmMP7JM

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Program Files directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 28 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\18be43becefc38bafaa3cfa4000a6f5e389c04f71d379f46771670de4c83bc15.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3170d164872be9f53f1d44335bb8e827

    SHA1

    bfb2192b420f9ef602e196d4f678d572a6d16b32

    SHA256

    a1280e9c85ce1e842e5afdf2d4d56378e7bf484be5e819f062e0cad8b266cdb6

    SHA512

    572b027b4235d86e71b1cd685b95c24d492078d51198961f6afbfd5209b08f9fd8447819dc4e5f48c5f9f6b31150bbc4c198f4c32789b95983b799c6a6882320

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1b3487b49e3394d563dfd2109c6d8733

    SHA1

    a59a4db6ba9a17f9eca66a5f50a569aefcae7444

    SHA256

    df52d7ab3109e16b6453a3f4c5aed3f3e0357dae0b665c0426be0ce11b11b9d6

    SHA512

    9243d5cee695a8785f613e986a1fd91d51fbb4878bb43944b9df414b67d973f557dc495b29e65b86e5cc9d378dd9f4175a7e8c072501d64f2f06ccdff0751e7b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6a559c8ea4db9694815e165dfef5668d

    SHA1

    e98096ce1c9bc0405ba169ba323399456b591c7b

    SHA256

    545e15e15b979a21bb56e2271a493a67f0ca27d6385937157160f4c944af5be5

    SHA512

    d01f19369da4422ed78c8cc1dbcd6361a720322c024bcfe20d3caa6ec0b9e474ed051feeb131abe0039f2afb6d9fff7a7280e2c64ec18c8be945b759f5bad4e1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5de932af6476b99e18f60a49988c94f5

    SHA1

    08bcf6f4bfefff0bf2d75d579cd0e7fe71ad6cd6

    SHA256

    5de003e0bc5fb7b3537eb5fbd5adcd37a4cf193c536ba1487c8fdb92ed94ec0f

    SHA512

    97cc8e33b94c96098db19f484fe859437e0868020e3144c2af3dbfff8d9080b65a00b18d4592cff94dfc6fa105e2a60ecad74fad7cf06e6daf02f71970ca5df6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    73c3f16ec921045d0b15e66837254782

    SHA1

    017e40795f9a5abda864d2926968176dd9ed9ed0

    SHA256

    05fee83624dfd741bb4e3f142c425307cf7b299aad74be1836a1389fb324720c

    SHA512

    4f54c5f373fc0edda03b0fd624ef676bb52336f4516d408a1e11d51d10633fb9ea9e5ad9c81ae03b8826f8a85e5e1bd10bfa570fc1d2b8c402c9ebac35531e1c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3fc1f867e5721ee5c87fbc228e644ad2

    SHA1

    b9e7b37c5a9ee859eef1fce3b4c420bb5873ee70

    SHA256

    66964ad76dae94aae7a33bc0f674192a72c95e3872a1bf67f53a9aac92dc7259

    SHA512

    be3f19837bd3bee937c6557db630bf2479a0b5ecb4fe1866d2fbd6332ae82a3b94f8c71c3b9bab1c7ea4b2398b64ddce830313a8ffe41ea93753afbe7c8746bb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2b44673612656d5a0599d2f1faf2c127

    SHA1

    21008c83b43ebdf0efeb2b3e43088a9cbea7c6bf

    SHA256

    cf10bcba5b03d6af9218eb682cf080c9a76776015083ec9edb5fadee4f65341e

    SHA512

    696771e4178a78f84307abfbe3f9f68624fedc76c39441e28b0fd6cd067f39cdaab153ca9fc7242bfef1b0c2f2bb6288ba69e687bcf200377adce93fbae2c216

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1229c3ddaa6bf3b0d7f380ba7a86a58b

    SHA1

    db32ceb031acf46cdd584c829841f32c81e51af0

    SHA256

    5b46d840b45e98c604d09ad21ac336ed435e212a7bfa4dbadb667ee0e5b4020d

    SHA512

    554d02d4196e8fd112ed7289a69f843c273783ffe4cb82752da5deac718387eb10ddb20a26fd8671cdf9ecc078a4bc254f505aa4b16145246855f0186a2e5698

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ad8251341afd49396037087376ab6974

    SHA1

    6322e52ebb7d79152be5ceaf218caf93d0770a75

    SHA256

    05c399244765b27e66935bafe73c6bbf47ddf90d2d98d359b6f0d54809126f25

    SHA512

    caf8c5507f408e5a36ac9cdff985d194d777f5babd7b8b920d90c0830bdc465d95875e5d648fed45b0af97335eaa37edfc47cc4e11df2e59db5dbae6ba984033

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    031eff96b676b640310de3f0999f2ed4

    SHA1

    ae151085dea5c43263c030ee6b088f3fd3a86449

    SHA256

    f713d5630de04085576c12c9b624a1c1efd6436acdc8945437fed21cc862f170

    SHA512

    891572c726c054fc9c5560e63af0c5e78b6cae29b8e0e10ab33030525606858ed1ac5ab21cbffe082373457b2fa5e34c390358c311d66d004204b799197ab60d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a975a8663cf30f0fa5714b8c24ad6696

    SHA1

    7a1bb4b1565a9164016318a715ae4f22851b4caf

    SHA256

    b633bbbbeed9d45729f0756d10f5fa990ae35e407a0028446550919e4e03a078

    SHA512

    8dc4ca117962b3cfd243b28118f10a97029918f5b294b24f4db6db1dadeddf4b55f07eb9d838b8d1d45884f63cb9d20fabd157f4b54386b036e90ad31b29a55e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b164f6ad2de4df0e795f33f7c65093eb

    SHA1

    6775a4622e3bd842e4faaddefdfe5c8ae613c45d

    SHA256

    ac10c3aff61abb79e218a7211fd6e6f7872911546df8925b364c53fd26ab2121

    SHA512

    a1e0f0701e52c9bc3ba846e72b352a0f11561e3f776bb674d6d2e45247d54787715350bb6dca96aeecf430e457f49cb1be171118722aed59fe6f85363e611959

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    53aa8bd300274c35cef809fcc39bc974

    SHA1

    9a22a34d20f8a0efd05484fed791326168a2cd85

    SHA256

    998bc1a491cfd9b21d57653a60828199c6783b3b414c44591ac705b508ff802d

    SHA512

    3b37f937a745322a83762a84466b0d64db38d0b5f133a81bb28b3481ce748e7903160ce5676890ccfd6c5ec9df37be401ce600d69727cbf878ec1b2065a61beb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    33df42382196a93d321034c7389a343b

    SHA1

    a28680549e99218cfcdd114982d0c2b23d5982ba

    SHA256

    e57210b1a7dc307920da1f67086f4ec4bed0f03f7aca772335d0e8773499d44d

    SHA512

    731435d43e9c3c4e2bb799d265b7bab67c0513a0310ffeabf1d57e37825c67a9697a27a56fba56f1979887ac1912932267c3fedc92f01899427f660f9e04b7ac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    599c5e94e4ecef707d608bbe9ea1f151

    SHA1

    47e2ded4e8fc0c013b0e7a8f5bf5e9033a883999

    SHA256

    cdd0d148e5174c6f372f2190aac894fb11f8de579d002dd057ebb8dcd671cdfd

    SHA512

    f990dd762eae6f24c3c1e99b5502ec59aa9ef278a5fa05f2704777530ccbb99b67519769d078194eb99334537c059da2d6fbb11b43f44fcac5b7297b7d606fcc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    605ea97a034da8d456cad14fff378cbc

    SHA1

    1c2dae90f37bfd2ae9ca667ce02ec5c1cea210d9

    SHA256

    e4d31d02cd95fff15acceaf32c23007df374a7ef0cd552e025358aff9090b898

    SHA512

    a0da546e2ac29c38a2f8bf564c7cd64081dc374ea2cbadf46c1de2fe36983e97687695bd5b36acc296dd672bebf91ee06e35e084a97b89b21b02349ddda43f44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c5d5edf7847182cde6d21cbb4632de0d

    SHA1

    81a50bf14363d2664d32e43fb1d64c42b52dba38

    SHA256

    9d11df8e489e5260b680875fa87d808668a35e6231d108769249bad42f32baf3

    SHA512

    9758eb4f5493f1f7f88f0166d3c6330248e67dabe754f726b682ca42661c912fd9d707e85e53e253dbcd4e544df46f188bfa8e17ca1532c7327f5f02e108dacb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    628516576deb553f57191d74beee7e03

    SHA1

    2f085122993ad1f48c72cac0824791c4c54b64b5

    SHA256

    6551da6924a438176932aac195985447fccfefa56a6ce76bd761d59f8b94920f

    SHA512

    ce0803c1aa4f18f26aaf48fc21c2c4bb52e86fbbc6d4a33c3b16706c6958c80fdaf67e7079090b1b7538b2476d5115e325806d59af489092afecd5f27f8d5e7a

  • C:\Users\Admin\AppData\Local\Temp\CabB5D9.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarB6A8.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/1224-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1224-11-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2408-19-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2408-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2432-6-0x0000000024600000-0x00000000246C4000-memory.dmp

    Filesize

    784KB

  • memory/2432-7-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2432-1-0x0000000024600000-0x00000000246C4000-memory.dmp

    Filesize

    784KB

  • memory/2432-4-0x0000000024600000-0x00000000246C4000-memory.dmp

    Filesize

    784KB