Analysis

max time kernel: 85s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 14:08
Static task: static1
Behavioral task: behavioral1
Sample: 40bee2d656d4e48eedbc5a80b5bf9bb935f76ca921c1827bfe0719b577593ce2.dll
Resource: win7-20240903-en
General

Target: 40bee2d656d4e48eedbc5a80b5bf9bb935f76ca921c1827bfe0719b577593ce2.dll
Size: 132KB
MD5: 0241061c3d392e40f4f576aa3e651d2c
SHA1: 11c1dc9ecfc6a34e6d8d3f2f261cec57182162c4
SHA256: 40bee2d656d4e48eedbc5a80b5bf9bb935f76ca921c1827bfe0719b577593ce2
SHA512: 0adf46951518af8b40e1769e955c4988b05f107fb27d05cd2371cc58534afc013e04fc15bf9699e9bf7f215460e1a0e28b02a5788ff3812557a8a9308d0b4197
SSDEEP: 3072:an4cV8gf2u41Z5tKlm96oXewSNPJ/lVkLPy41:g4y8gOl2ILXejkt1
Signatures

Ramnit family
Executes dropped EXE (2 IoCs)
  pid   Process
  2068  rundll32Srv.exe
  2492  DesktopLayer.exe
Loads dropped DLL (4 IoCs)
  pid   Process
  1660  rundll32.exe
  1660  rundll32.exe
  2068  rundll32Srv.exe
  2068  rundll32Srv.exe
Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe  rundll32.exe
  resource                                                              yara_rule
  behavioral1/memory/2068-10-0x0000000000400000-0x0000000000439000-memory.dmp  upx
  behavioral1/memory/2068-20-0x0000000000400000-0x0000000000439000-memory.dmp  upx
  behavioral1/memory/2492-22-0x0000000000400000-0x0000000000439000-memory.dmp  upx
  behavioral1/memory/2492-24-0x0000000000400000-0x0000000000439000-memory.dmp  upx
  behavioral1/memory/2492-26-0x0000000000400000-0x0000000000439000-memory.dmp  upx
Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                 Process
  File opened for modification  C:\Program Files (x86)\Microsoft\pxE0AE.tmp         rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   rundll32Srv.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32Srv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings
  description        ioc  Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58EF6B01-BC80-11EF-9AA4-4E0B11BE40FD} = "0"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Set value (str)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (data)   \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440606358"  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2492  DesktopLayer.exe
  2492  DesktopLayer.exe
  2492  DesktopLayer.exe
  2492  DesktopLayer.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3032  iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  3032  iexplore.exe
  3032  iexplore.exe
  2708  IEXPLORE.EXE
  2708  IEXPLORE.EXE
  2708  IEXPLORE.EXE
  2708  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (23 IoCs)
  description                       pid   Process           procid_target
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 2308 wrote to memory of 1660  2308  rundll32.exe      31
  PID 1660 wrote to memory of 2068  1660  rundll32.exe      32
  PID 1660 wrote to memory of 2068  1660  rundll32.exe      32
  PID 1660 wrote to memory of 2068  1660  rundll32.exe      32
  PID 1660 wrote to memory of 2068  1660  rundll32.exe      32
  PID 2068 wrote to memory of 2492  2068  rundll32Srv.exe   33
  PID 2068 wrote to memory of 2492  2068  rundll32Srv.exe   33
  PID 2068 wrote to memory of 2492  2068  rundll32Srv.exe   33
  PID 2068 wrote to memory of 2492  2068  rundll32Srv.exe   33
  PID 2492 wrote to memory of 3032  2492  DesktopLayer.exe  34
  PID 2492 wrote to memory of 3032  2492  DesktopLayer.exe  34
  PID 2492 wrote to memory of 3032  2492  DesktopLayer.exe  34
  PID 2492 wrote to memory of 3032  2492  DesktopLayer.exe  34
  PID 3032 wrote to memory of 2708  3032  iexplore.exe      35
  PID 3032 wrote to memory of 2708  3032  iexplore.exe      35
  PID 3032 wrote to memory of 2708  3032  iexplore.exe      35
  PID 3032 wrote to memory of 2708  3032  iexplore.exe      35
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bee2d656d4e48eedbc5a80b5bf9bb935f76ca921c1827bfe0719b577593ce2.dll,#1
   PID: 2308
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bee2d656d4e48eedbc5a80b5bf9bb935f76ca921c1827bfe0719b577593ce2.dll,#1
     PID: 1660
     - Loads dropped DLL
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\rundll32Srv.exe
       Command line: C:\Windows\SysWOW64\rundll32Srv.exe
       PID: 2068
       - Executes dropped EXE
       - Loads dropped DLL
       - Drops file in Program Files directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Program Files (x86)\Microsoft\DesktopLayer.exe
         Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
         PID: 2492
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

        5. C:\Program Files\Internet Explorer\iexplore.exe
           Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
           PID: 3032
           - Modifies Internet Explorer settings
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory

          6. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
             Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2
             PID: 2708
             - System Location Discovery: System Language Discovery
             - Modifies Internet Explorer settings
             - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads