Analysis

  • max time kernel
    75s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 12:03

General

  • Target

    c9349e3cde70a1566d8df4c42e6a6b01a1189f6b4f25c7d7ffd692759a9cad76.dll

  • Size

    136KB

  • MD5

    a08fb5ca6d167095035a559c5f80a73c

  • SHA1

    1e85d9e06b2e5e09fd41ef3448fd873b1005d592

  • SHA256

    c9349e3cde70a1566d8df4c42e6a6b01a1189f6b4f25c7d7ffd692759a9cad76

  • SHA512

    07d2e7e250224ab0effdbcc9a39379c126e9cd050cbb1013dda6f924fd87a26e5f20c6442e01b19a712bc601889c81c7541e1b4df1e2e5df8739d0f9cf7f5324

  • SSDEEP

    1536:1gmf5TfxYPfpoT/7ivK6Fr/E0odbbb2inHetkc5cqvnMg/WpRh70qQ4SDMTTtFVz:1rEnpofGTuXHHetkqcqvnhzduB

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9349e3cde70a1566d8df4c42e6a6b01a1189f6b4f25c7d7ffd692759a9cad76.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9349e3cde70a1566d8df4c42e6a6b01a1189f6b4f25c7d7ffd692759a9cad76.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2300
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads
