Analysis

  • max time kernel
    84s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 08:06

General

  • Target

    0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll

  • Size

    165KB

  • MD5

    f0bea645dfe0b63cfcdf5c8f51bc44dd

  • SHA1

    82de8ce58da61c8dffff852c4447bf13c2b55216

  • SHA256

    0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9

  • SHA512

    5035aa346c11e636c6a05ac0222d96bf9b8b1d761eca475f3650efe45b27c8f65f0506715158fd82b6e9cee0a7dd3ab2747452800c626a03a9c38e17fba181d5

  • SSDEEP

    3072:BsLXHHf0z4o++2dLy2aOtusyu/T3EcdDZBzgdPrNO/BQGmWsdgGal4:BUPy3Ot7br0cdXgBNO/Cjvau

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a38dbd78a6aceb3c5f344264189d0a2ecac5d8d1f8c4f570fde7aa886f4efb9.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2740
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads
