Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 04:31

General

  • Target

    40652d1a579c2ac1b532f3db9bcc148d63ccf61eb50b7a879241cc6506d742b6N.dll

  • Size

    132KB

  • MD5

    f251b6be2f39e1c6bba1e8d71c164950

  • SHA1

    0cc420fcd31ba3c5025b84201d2b1d2b95888cff

  • SHA256

    40652d1a579c2ac1b532f3db9bcc148d63ccf61eb50b7a879241cc6506d742b6

  • SHA512

    88234a0640823a08bec4c1b394f6b6c277cda5b2a82bcb672ea5c52ee06f1215bd535895fd2879f3f1458b1d23d66c4797a0c82df27dd9a74bcc8d3c42c4997f

  • SSDEEP

    3072:an4cV8gf2u41Z5tKlm96oXewSNPJ/lVkLPy4:g4y8gOl2ILXejkt

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\40652d1a579c2ac1b532f3db9bcc148d63ccf61eb50b7a879241cc6506d742b6N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\40652d1a579c2ac1b532f3db9bcc148d63ccf61eb50b7a879241cc6506d742b6N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0b9a555dc8239a1620817e2ea4272281

    SHA1

    b3ab109071b572ec136acc155694e260e4226c56

    SHA256

    14896b99358e88b9e39120d1591a6858ae91cd3abd846ef7c05f6dc0b3b2fa58

    SHA512

    a3752ee3836c5bbdf0f1419223e329edddfbd964edd27daedb8f26390d0012035e9dc148fe16ed9f0d18a4ba216de1a26fd78037ca67068412284e9e8d274f8e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b334fd4bdf0714591d4fef568fee0d16

    SHA1

    3d8b7fd8aaa651e7505c2db82b5d302933139a71

    SHA256

    583336f6db3d3414f3e1a9fcebd5ac0bcff308d8d2ef74ae79086ce8d235e3a4

    SHA512

    19fd0a5ba846c4c0c8c7ae0a5096e97614ef0f6eec84e7206f8e031a033bfd2f66c74d16830b2b5e3c09e56b276fb8a6533862a91233eaab3214b5d24c9af70b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3246f35748826930e0a474e46cae20e1

    SHA1

    05b98acb7bfad59a08d9f99c3dc8642da0117daf

    SHA256

    58e2988162ad512d42c81221ea40687858e571aba25046bd7dd1b2610ae1b2e9

    SHA512

    ec85a2f27971efa8718bae4797d51ae7b0b3baf4d102051675d95e355e9d872e5f468afea065379ba5fc09182c20de54e99a2f787c4cec676db5e886a6e2710f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a4dfad080810e6113e26e1672a02fb55

    SHA1

    ff989bc3760c7dbae290e20777a114652ce17406

    SHA256

    62c761121bea56a41217b6c5c19cd3d16b0656c5e0f7963c8d5d57a2580656d2

    SHA512

    4560cbff4641e78303cb833058b3ddb79451d555aac6471aa68d9a63434501a97bd2a3e84916a852d6ed694e14062fd6dbaa1bd70d0c0d939073e3f5a260c45a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c7dbd34089011aaa7b99ddfe35b78164

    SHA1

    ac70999d24192ebb60f72f0dcd4f0222a126e54d

    SHA256

    b8a7f880d372ecb3cd10eda55ec9a18e712e6cf1d60c123d82df3542303929a6

    SHA512

    a4adaaf061566632bfe50c6248c9b19c694110c6c407fab637e5838ff9e612fa7ead2824af6bd2bb8cecda2fb5bd62be93713cfdac2dec8658aa31dd9a43474a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aac73da72d398d9db6d97959b1317ff0

    SHA1

    745e612a4b8a3ab0ec274e0e71f2885f8c7050ca

    SHA256

    ec5c057b6aac189391001be269f1c1c63af8529dc52eb39ea083f8987b90a7cd

    SHA512

    a48b7479c35e14074f3bcfbbe85d4e99669ff2d11d8547720d06faac8e160487a35a7994aaa592ea20224512d1f7dfe6d89e060309ee4ae1f268060a180ecc11

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f7b7e08b7615e5c94c9925cafbfe4be3

    SHA1

    596f313a1c15efae8ba63012a6ea891313c636a0

    SHA256

    0f951a8077918f9f6980fdb8bee783965d93877df4e94f9b2a025e0137b6c307

    SHA512

    add83f6377ae95456a7627cfd5b382ffced6b6d9b8eb33cbfca692a7d72c9c63f34dc349567313125bdde91e818cf8d5945c273201a5c0559c2c94fb7aaca20b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0363b9897cddac866e25509745dabf8d

    SHA1

    7212e97c1377229adca4d5533f0546dc92aa7532

    SHA256

    6ef257535bf24d4476780d677ef454eab1559ffab9cd8fdaf38876cac9739561

    SHA512

    c119a22974b5903a74a5119de0839c20ba11998e9a5ee90d785254470df8170a2a7ddb8c3e2d858caeb256e240890609f68600707d8f9fd1e98ae7fe76982efc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    af7b4e3ccf753995c651917075e88013

    SHA1

    63824ce5eb5b1e73bc20d68fecd4d1e360cff217

    SHA256

    89f6bd9ec492be7677c987894ae16c4e0a398afd36a3cdda2b5398e19dfde811

    SHA512

    56af94b4c6261ccf769d4d7872abba4e693611622ee0ae37557d69c5c3e23d5b04457cd2a76ba9a089e2ec12913cba8ef6b42d121deb0b54b40fd4844e2247af

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    693da4c6b0cb8554acd2ef2a518cc9b8

    SHA1

    073a94d714a1193e188de7ff0df94fca81892b3d

    SHA256

    38dc3a919e7016de633c507b929505f9e3d4d4a8bc7db46b5b9adc67209dd85d

    SHA512

    03090e4e65247d4d2cda8975df8d35f5fe562ee9e88f0480f2e5accbc2645eb7cf4b4f60833e4abd6910c75861eb101e20688f018eb4a7519214f0c2e4c2bed6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4cb70b4b7fad09642fc184beac0a6de0

    SHA1

    16d7c59dbe7ab56b931a2bd6083bc50f95b4585c

    SHA256

    120985bc93cab9caca023fca99ab5b35fdab363d7a1e8f7494a8f2a69b29f2b0

    SHA512

    c389784a24c21430bca5144e7924eca484a77c94fbd97d1946b49e425870add47e359cdc0625f175038b8347c7e89709dbca836de3dcb8d5cc23914a8a6a7e9d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    86dba8a9a92adf6e899db50815072ce2

    SHA1

    60f1c3d90a42953345b0f869a56e2d94c535a90c

    SHA256

    add9fd956875f95fb752e1a47be648d464ebe34163cc06954a2f8302d7d36ee9

    SHA512

    7d903e994bdee366b32c502dd3f6a7773b4118d56b68bb3a01a94e68653b9a95308898d724ba1afe3b66aa30c995bd9e26da10c18d27ad531d263aa647a051c6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    95553e74a6328875c0c7f964fd8a5a7f

    SHA1

    c142053d8ee51b91d28b83779b8a13b5f3824c89

    SHA256

    161bedce6b0b275a94460eeae4001d3cc18b7b327eb066a0284d67f1c4d975e1

    SHA512

    7ab9bb90d16af5a9660543d8390b4a506f1d565e2b8931179261c2018dc9ed82009989c87bdf0210469eb82fb3963df9a66a59a8bcb4d5f984fc70a107180cf2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    92187ebd03ca294e24decb06fcc88f81

    SHA1

    f47ffed71a98ba58dc26d0cbb84bedebb9b6e837

    SHA256

    227342ac45ac07147cfc31de12704b1cf1a6070226c886de90dbce626ad16947

    SHA512

    fddbe93868659268320616ba71f31f390e144794c2828472ec4019c6ccf2eb8a52be8ac6047bd0846c5025090f66eb1e012793409613378655ab9f9c88e3b7ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a491b8401c7bf06e6eaee553dae42873

    SHA1

    92f1f5b6b98c36afee551aba7c075749e5f3d169

    SHA256

    e226f6d4f73ea6267a8714c7e357d2ad6fba731f8c2728a12f318b04cae6ebe4

    SHA512

    3554295d442b36af4f80ec940630057430329bd72ab50f573fe9c56d0dce902ba920a607e577ad2e7c6ff538c0e8cb7ee0d5d6691c49b869ca8226d1374c0af4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5d6bca554040c0d57a584feda8d4eef8

    SHA1

    9d51e0be5dba254315588134460b1ae713849d09

    SHA256

    4a765a7724c507186584bc2554b00bfd3f50328dd754eb428563812c318433e2

    SHA512

    9559d4e059b2df393c97074caa3ab30d65299cc4b4e6eb8a290d3536450d0ef50e64512b730d95f326baa82a35467211856f9bb239d3f83684a08b4fa9ad3b14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3b3ba16f197cf88c7716520e2004ea00

    SHA1

    70662677a723959017e16d6203d9af1bcb1ea820

    SHA256

    09c0d2ef8d797b27dd97d04054dfac9085c9251d3840c6dc2fa6d478c8ecb21d

    SHA512

    731cdb66a5511450c794ac7fdb6a46a45884c0c6eb1fc3dae004f9b0fcba3cd8cf39a3b25e4422855a4cb9e2db90a8e43948f7de6a54a38bbf41f0f7e0653458

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    108f091fa3ab3f1bd9b67d71f48e95b9

    SHA1

    4b6197952931c827c3898b94da62780dd78f44e3

    SHA256

    68a2f179f6216abe3082e8da71b7116fd91a819f0027e0893c7c14b184448c88

    SHA512

    555178fe2db3780f022dd0ddf0cd875e799c2975b5c0a5ccd7c22ac91b37f5a628385213d1ecb6f334158516efdac2748959eea0ae08aa81fdd90bdcd5f0c15f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7b94112a4ab86024dcad92e61e3b7c30

    SHA1

    c0a43817ae153dd36c590455218c819002ecc6f5

    SHA256

    f372a8289ae44048d6a3ba3cb91ca1afc15e1e1f53ee459a24a81007a24f1eef

    SHA512

    57e7f395ffa40de2bd9066ad04f53a3f03e37bcb45fc4d6ffe2e37996d08afeef527a80b0215c72079d76591064516d8dbdb91e95e04024bf545c574f0e1bd82

  • C:\Users\Admin\AppData\Local\Temp\Cab8AD3.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar8B93.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32Srv.exe

    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

  • memory/584-0-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

  • memory/584-1-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

  • memory/2832-26-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2832-22-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2832-23-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2832-24-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2872-12-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB