Analysis

  • max time kernel
    67s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 10:23

General

  • Target

    01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541N.exe

  • Size

    350KB

  • MD5

    0e1092371876b363945a914731d9ab70

  • SHA1

    3d9fc87f11fb3b44e469886e03c8b210e05e3ef4

  • SHA256

    01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541

  • SHA512

    5c0dd2b734ae26f89300047cfe148d98e24ece0b00adfb8b17f20e05ff06ea275714acac670ead13ebd0afbfa1a5622bc69580c6fc984c6f7f52d102c2c1bbd8

  • SSDEEP

    6144:loGhpuBMG29Gt6I/pPo486MAwA3l1AiE56:lppu6G29Gt62PoKRl1456

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoC
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX or a modified UPX open-source packer.

  • System Location Discovery: System Language Discovery 1 TTP 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTP 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoC
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541N.exe
    "C:\Users\Admin\AppData\Local\Temp\01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Local\Temp\01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541Nmgr.exe
      C:\Users\Admin\AppData\Local\Temp\01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541Nmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2724
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    262c75a2b1205ea16c2529bc6db2584c

    SHA1

    ea266fd24a5ece9e6d0d139928f59e877b174a57

    SHA256

    9f59d6eda5f5778a59c81afc251d5dd7eb74d2e8c0d57f4439646db552b0b83d

    SHA512

    dcbada1c2ff615ee205a5febe42e39c02436b9b2e9b90fa607ffdb968eb4c6f795ea652acaea3e16d4e2139fdaebec0a99644c521190c0abdd9b1747f8fbc456

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6867394140b27ba25e54b6a514e3f3b1

    SHA1

    90443b4a2aab8e385004c7c2b96b6530411ed425

    SHA256

    1d67470d4a08c9990f590b6bdfbd6d888996eed1dd0d0f1d6d9801cbd50483d5

    SHA512

    a7ee72161f4fc4b452bece20557046c3f3f7fc6174f44bfc8cf36bba1f9d2ad59faa93d409773e4294f9056bf0fa3015fc1e60fb8b0b03b9faccefc51a24156e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d329cc06ec34593c0b952ef2e6541841

    SHA1

    99dee39333fded66168c2ea8cf55a6b9a522a760

    SHA256

    76c602ac7559dd20e219ef5ca41db50715d2a506ab3eab21079665d802f824e5

    SHA512

    f9c38c134daba4e98563a6cef44affa8baf82d7727dffa0c38608d57b4c5b27037642c867c1b581b0a7f7327c689f6f2253d16fca7c8c4804050b45856b985a4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7d4c34d80f94d8f65cb2f0b814beb8dd

    SHA1

    fed17d49705bad3215f84b080f1cee08a7aba3e0

    SHA256

    935b5a03410216b4d0e290a58274c1240c4283f4ebaacff5a22783db68ae0729

    SHA512

    c90d3c92c5a287b32b8b06ac1ad393f379e1f4788171be701ba05557555c446d5f4b9134a55e9c2578284e0df5587bffcc2aa3c28791761bc14005fdb33dbcd1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e9cd10105328020e0ff55d5737a066d7

    SHA1

    9b58dee457c38bf0bda16a1cb6709189d4df27f3

    SHA256

    a44def5e8333832e30dfb34c8df25a1a48a73bce8806a62e499ab75fd23175c7

    SHA512

    a9899d3cde1e67ce68e911a09afe4bec0764c0fc06424f45de76ece2d2f6f65d8091f6b52d201d09d23ff16f96f02e3d35d5b5a2b0dbdc8959796387f1780423

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    97c4db9ff4019ff190c0693b77cae868

    SHA1

    f90b5cc6d9238561f585187d9c50f781200e1919

    SHA256

    914147a3445371ef9f2042e627b914e0cd95a0eaf556e3f59c115e222b269b6c

    SHA512

    2788aa78fa15d7a589c3cb9a76994a058d07735e24aa5e9bfb32d3e8136bd024043e1e50599b96b3cd0f908395d09adbfc6983c76f4a9a49dcabdaad8e815bbc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b6dc8413b00858c1c215349d57ff6d83

    SHA1

    1c123ca853e529e4e1affa27d21291ad803942cc

    SHA256

    1389a7d5d73d263a98ea62f30e42d913dc8168200425292e153d9344321d3490

    SHA512

    70165ff1179d9c6976cc439532591b92cfacd52690b8a156da5822be4188a0437471b199f217b2182bfa68a8ff95f05b976dbe202b9f212ae9d1d8b4027f9990

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    344c6c105aadacdb52b635c8e531209e

    SHA1

    fea2619e1099c55362e715f7d268ee389e6f2aca

    SHA256

    530fb04c914b22bd05dee72f89af40a810ef795a8516ca2dc62d51ce459b77ee

    SHA512

    235032dc56f7daabbbd602447eda3d97d649228bf643ca1604a2628a163ab4beea4d3516c09a6369f593445b5de1892af416d441f1efd93e30e973d63b7a619e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    744831c769b0c93ade3b9678f7526aa2

    SHA1

    62ba23468ecd00627c2f8385119f7b9356417b89

    SHA256

    c86a8c7a1edc33d75f490bb403e1365b8c6770a2a02aa8a80fda82cc692e6111

    SHA512

    d316ea0006569f5c4b404ab6e39a10e08805376fded403c7868bc62a97a759adcf57b0ee034d935c5b819ce7de1162d07eeab7d23a533dbaccfe98bb2da06442

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f015e41480e7ad97c6cca327691d9718

    SHA1

    5a557175740b9ad28c962c416a0e8492034e5b2c

    SHA256

    bfdba226b54ea19ca72bceb135e7807a09736f9cdb00aa88428cbc50037bea25

    SHA512

    66e711df27d3d0bcadd71d93bfc53a36a12ba3abab2384cff30cc91393cc80c204bbfbd3967f364b005c4deaf43a6ea0cbd001a670b86a19e64b96e4fff8f16c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    956cf9c32cc1138053078c08cee719e0

    SHA1

    8fc9d2e1a94b8b3e1f6cfa3a44a8993fd0caf33e

    SHA256

    9b4b6d4d4e842c9bc16556de4508fe21a5f1870cf56002d33e17a83438a2b2a6

    SHA512

    25519f8d705cae5d00db9b15da565b0fef330c36de33ef4ac3b71257cd13e2fd7a3c5cae4e161d13a0c7ef322ca069c39980f90d20034fc4730e946caf49d2e4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    36325db5769c2b6e2f8d3a32599c90bb

    SHA1

    645d1b0e1564e6fd4a32a8921374d69798d73011

    SHA256

    aa23fba88c33a1f1fa6c2d9e3b071d92ff1196ac12dac1ada0f45618f5b4922a

    SHA512

    d1b141ef4652f9cd1b04e75032cdbbac9c7998db7afe4fe0ae7ff51924df897a77cc2dd7c6c70b546f7e2dee50e4f536305c2a7e64587955710ac57c6d3baa5a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    56d1f9c02fa7efe3e2d9ab9d389c3384

    SHA1

    e88f7cab1147366223ba4f714d6ccc5aa0a56e1c

    SHA256

    5f88ef449c61095eadf810daf47bb60b563c833ee0ee2127701c7ab28a5cda83

    SHA512

    0d145cc70ffb1d79ad7c694d640e7856bf1cac92fd6a99d74e5f501aa528a8d68e6964a3969880cd63ac22dc3ed94af50c6ba41cd845af44ec1f96c6dce61842

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2da1d9b595fb08ffa3fa0a2983a8119f

    SHA1

    82874556771b2818ac431f808c60e2587b0aed17

    SHA256

    81c2954ec80275b49ba5813ec4b0b1f31fac658a9ecaf37804dbd02d260411fe

    SHA512

    8befc97adec63e2277668a057f01a199883d2e99e71dd0ea8c830f5665f363a8d43454d534e2730e509062fc8f8aca47030f36dcf0b9d5a830947a97a77d1a0b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0a6a433020099f8857f60168d94a1183

    SHA1

    c8ee068409e7346515f8df284ae505d3af70709b

    SHA256

    aceb4703f6e78ada44eca13f443c263885e935bca6ecaba53eba373899c14ace

    SHA512

    76da4f0e5f896102b0497f7db5b3f89afcd693fd7e15a361955ca913c2e4a72af1b736f66e5a4436b5b9d3b2232de9505a38f4c5f6b0ef32767712dfe3ee7e20

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    02eae99da5faf89770b04a1cf310e350

    SHA1

    3b744a81695ca9ba30c29e7b97f7ac3b4a12ffd0

    SHA256

    b6e3ebe9d97a3d0860d55b77c61ffffdab50b1fd0a5b66892d85905f5c94b149

    SHA512

    7d6aae98504d23c4bbeca14c6401cf407193aaff41a0ee2864403dcd6c5e03f0b399f995130fc8dceb83ca36a1bbacf2620fc5fb48291218cdba221a3df74ce2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dda5cc0ad14c40f5584827082956dd9c

    SHA1

    15433b44d94f38ca44f19ecc69be245cda0f9a69

    SHA256

    2d6c8bb3caf4cb827f2ddd235c84bca881531b9f9f2d84eb93714dca0a187d85

    SHA512

    7b0e6d7a9b0b816db833239b2af507a775fb63157b0504a09242b114ba8d2c240308c6e185b809da7ccac8805dc8ebd63b1bb7e6530ee45515b1a31db6270d2d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f93e083079a8f77fd13f5db3a52af371

    SHA1

    55bdfafbd98be2b4e8e31876c25fda66e35a9c18

    SHA256

    7909ec89fef2bb9ec86a16db3258f6a284721d873e03b4479ab688f4cc262672

    SHA512

    ecd99fb8dce5fde0a131f10dfd6ddf0784e811807519fe09be903d2bd005293857473d2d492a5f0e41cba749cc249855d5dde998d454e4640e45cdbf3d94c7ad

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    73f187d1ac47a737c71c5b14248f3766

    SHA1

    bcbb75095732f4a32eecfd3fe3d4bf7890627174

    SHA256

    ff225bc67fda5b4a86abf9ed98cf694a7804e73c2fe3d28714aafcd2119ec931

    SHA512

    510ee2c827f82dfa60b56e474492509399d0385a7dc61570888d3caf107df984eb92d196e4d916d789951270761ff9369aed87e0754a04e912b7a6296d45ed16

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02208D01-BC61-11EF-A5E9-FE7389BE724D}.dat

    Filesize

    5KB

    MD5

    8c68fff293731d5b2345abf2d01203cb

    SHA1

    82ef3ba904d1f8df9d17c07510ae08d1d0335936

    SHA256

    c1e6ce8f65ca1190391de0464ed0e2ac7dd64cd887d01d0324d1ae3774726c6f

    SHA512

    1dcac7561faead7c5b0763895ceb07d62291a3ee5cb8ece851f4b891a9bdac5a5fc339d7afefabd55c1c26691f518b1f66b75fe963de53809d4ae085f5ea96f3

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0220B411-BC61-11EF-A5E9-FE7389BE724D}.dat

    Filesize

    4KB

    MD5

    51ed777aa03716aca7946bddab3521f2

    SHA1

    5a6790776c0a9d2ed11b5295245370120a60c108

    SHA256

    1e5bfa7f38e203dc097e8e7621984853ca781beb02452642708b6492bc76f884

    SHA512

    b44cd78cb05a01012f3a968087bf34fcfba8b891b583216921b404ffe273ca4e7bdc14a570c25afc40de182944d0099e15aae6472a453fa9cd3b0ba093a26a91

  • C:\Users\Admin\AppData\Local\Temp\CabBEEF.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarBF4F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\01a488fab72eb83b57323b7aeeb8a7989a20975bb7cc035f8d84dd14ac349541Nmgr.exe

    Filesize

    201KB

    MD5

    30fb1fab26c96c5c6a94718688a8afbb

    SHA1

    bad03303e55d34ddd113a4f7e40959c3762891d3

    SHA256

    d6d96beed3a218938fb65ba9ae32634334eb8a1ca47243aad4027c712741cc3c

    SHA512

    75e67329f3643dbc6106d227469ab5f2ebe072782c2a0a17328d37f549136410d54e3bab650f00741075a54eee6d6079a627f69f5921e4b658cc4e6f76b95e61

  • memory/2312-9-0x0000000000170000-0x00000000001DE000-memory.dmp

    Filesize

    440KB

  • memory/2312-4-0x0000000000170000-0x00000000001DE000-memory.dmp

    Filesize

    440KB

  • memory/2312-0-0x00000000013C0000-0x000000000141C000-memory.dmp

    Filesize

    368KB

  • memory/2312-11-0x00000000013C0000-0x000000000141C000-memory.dmp

    Filesize

    368KB

  • memory/2628-13-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2628-15-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2628-17-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2628-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2628-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/2628-20-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2628-16-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB