Analysis

  • max time kernel
    67s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 04:31

General

  • Target

    72279f86e98945ff89a73901fb8a601b1fbac3ebb7f45bd29cda970210ce92d1N.dll

  • Size

    751KB

  • MD5

    0a1ff7a02c3a03668e9216b367fb9dc0

  • SHA1

    3da6b600af74eca50ec71ebea4efefe1821aab38

  • SHA256

    72279f86e98945ff89a73901fb8a601b1fbac3ebb7f45bd29cda970210ce92d1

  • SHA512

    a434e4ed2b48692668c6912aa6e2b1d1887fe0904cb5210b7967bd0057999382ac181c481b08fe67bef3ddb37ec1d8e4b278ea357705b4f49ead302de390db98

  • SSDEEP

    12288:G8Uq3+xvCXcJUNi7Q7HnvvRowFQrDs6rSnmMP7R3:G8UquxvCXYUo7OHnvJvUrmnmMP7J

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72279f86e98945ff89a73901fb8a601b1fbac3ebb7f45bd29cda970210ce92d1N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\72279f86e98945ff89a73901fb8a601b1fbac3ebb7f45bd29cda970210ce92d1N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fe5bece8094885ae3a805ee633ddbcc1

    SHA1

    4e8ba5cf0b36d7f6227ec7a01d0c1b7662cd032e

    SHA256

    c55f473d411f7541190e4b2869d438582c3c2573732791d6588b9c4f18817914

    SHA512

    9a8f825820e4f144a52f2b56195f774be8f1d91d08047fbf1d5592540782c0bf2297c878ec2e845e77ffbae361d8112af0fa909101ea40ae60d048506e6517b6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    27d960140d67318f67458d25057f64a9

    SHA1

    9339a5fd2d1bf87baa91b48b2e93e2f0c0d0c67a

    SHA256

    b25ed29f2d59fca8b1de37f4e889bf30f7ecf90eaab71071ebdfd4c14e11a679

    SHA512

    1ca06141d86f32406f809b1accaf26849eec787ec59248be6204e3069df198b72488822ce5e09a84dd1afea9d3774c08523bde35ea20a9380c035c858ac2a3c1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    abed92ebe8886c73cde55b23862a983f

    SHA1

    05e3e87faefcbb2d016ab6d97234fdc7723c7936

    SHA256

    9003e0c7403b98da192629232a6506f734fcfcc04622d78c7c51ad4c20199293

    SHA512

    8f766f6b7e798fd1e679be8997e1ea5dd8f7e379e1204ad6a8a3e23fac841e7e814b0dd928ba94961e22cca72dd6578223f9df168f85def7509d42119fa635dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cb3fef1a26f538853642d9ff976ad25b

    SHA1

    2df6080518ec23e2626b5b12a7ea2ccab872f7dd

    SHA256

    e988101c84f5a602586b8456113cd9b4879ab077d09313d0728474569a343051

    SHA512

    6b680ce396cd31a7b3add8418f1b3028946a0f1935e5f3feb812365b5bcb48dcdfd7bf84ab1e11faefa952635d8444dae0aacf11a5cefbf00e552ffa13cee6e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e9c4f7e06ca59e8c1e20a8e22cf0d12d

    SHA1

    3cc9372eea802c02a8e97fd1c89dbfdcc0a6a3e4

    SHA256

    f44b30f12137ea36f0988a34f764baec4d9596d1561d91dc4ed90411d48d5167

    SHA512

    0fa7b61b8b8d70586683132c2cd0907894cf3f75d21bb40d4b972929775e4f896f9512bb36d0a058d15acec0716995d83b7526888eb509e9b2c7b004b4e18bbe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6ae1a91c943d3658c161f8ec92c8dceb

    SHA1

    dd03e619474f08ed1421b85e487653b1ce8f0422

    SHA256

    cd01f41f0dd9248b23e295d6da0e61bae5b103c78b50f5e3ca35ce5a39587db1

    SHA512

    539008b0367a2eb79d273b6944341274e7bc21071b6d5b2f06fbf5ca88d65b29468677b97be96b564d745d42be1f13ff15a7e10c33d9868502e8bf7d5ce0d3d1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    decea12e55fdbef67aa35f6735490f94

    SHA1

    4b32d45de0970c8a017c3237dceef19eaee5055c

    SHA256

    dff7d7e9917489db86d8b0ab23f33dd6a2416988f2d59668340e910856810147

    SHA512

    a5e1ebed3e6c91a946fcdbc57f970ee3b825ebf1e326bb6486cfe219978e52657c0cbbc5a3c473f3ee02e3d10ec6fba6ce8ddd6d2df329ca576505676526fa87

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    07a6b8abba324dc2dd89fc517c0de080

    SHA1

    5b9a322ff247f9fb9e5cacb499102795912ca73f

    SHA256

    3cf00d1c02fb443009c56833911229a957b0a2ab043178bb57e4fa16205839ad

    SHA512

    d9b03eaf1fda35bbbb8d2de9d5f0c515b48924e00ef84bf4d60191c36f61319ac7cec86afaf9e8db93294ffc81b5cf5a4923bebdccbb02969353d8885affff43

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    95aa7e045d836e17f1dc01a69e500909

    SHA1

    c36158420ba903da8c4da00e615fd96b8e474838

    SHA256

    5f0b39cb72df953b3db4cd00539a6114122414b9749ee29a44bb45d9172c1205

    SHA512

    c53f00877b939a22510352b4e4baef855f89fbfa24b504421673c5b631987bf0f6d4d8f290c42522e6badc5bac15751f61647ccdb4ec1cf122678283836a5095

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b80317b97be65c2c440895ea3f91f5e4

    SHA1

    5fbedfb9bb2c13bf1d5783d156c5ab3d91e0bd94

    SHA256

    e9e1e05d17b1b870529d23cf7b2f30c50db984d49193ae2127d07fdff947a289

    SHA512

    f307b33b5129282e9adebb7ac27ecbb06609446bb45244633185ddba8818f08f71689b1b3e772f3069f185702a154e3b8042b9e93a91d2862f48c9c13b6ed219

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3e70103c6f26e6dd7d35f6d27260eed5

    SHA1

    7cfdaa6518d2ddb6e49f328e94e17d86071ec5da

    SHA256

    17e3bc45d765200152fd95abbb2ec309eb789b4be142af83e63dabb35f0ec54c

    SHA512

    7dcfc406526f2024628273f7708495b4f92dd405e76583b616cd0c6a6ceaa91407e780207fb0e4454a3e84755fe4551701490744b20946dbe954ff2bf0113f1f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b0664b5f7e0958e6b027ae55bc32d949

    SHA1

    6792658319948168f9b0047554fdfcac22252a85

    SHA256

    2a8ea0b6b1c489827e58e0f3a10e709b326dd1c1aa68fb44d51984f2608f7742

    SHA512

    fba2518d7cd2e7f84c11df089a39a17d72ee78667c17cf520eb5ae60fb91e3ba8e027ffb48a761e9edcbeb710b0f3015668b6a13c4e1e4fca9c99378ddd6f74f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2cb23f3e1f67ac9630583f070b5b8707

    SHA1

    46fd6d6eebe1d46566a676fb414df623c7cffc4a

    SHA256

    ae7e05dfd998a7a77580e6339ac22afe48d4283e4cb9674bd01fd9703392fd76

    SHA512

    44bcd6de050b6e46a736cbe3b9a09ab7d5bff490513429a11ef0cb7419afe58fb39c74767ccf528f711960f8fc18bb442f55c8e2a2905492577b92ce9097153b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7e1b6de49b73ebd3464a5f3554801d9d

    SHA1

    ec7253610fa681ad92b54f0306b3fc2734c4b911

    SHA256

    4f2430af025228898107b0933804070c9644eeddf765be5259381c4c797ce237

    SHA512

    d0bed2fcd1c6edc5af8e79ff34011a439486028e6cd59c049214a95284f09240f329da11178f5f109f53ffd30ec2697799cbb188d2af3666469a3dd5218338aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    42629cab1c9b109cd5ed579ed68f61ce

    SHA1

    9e000e94331415e9f175ba60f0dcf69607a1cf57

    SHA256

    11da8c3fe779004012ad29233029425752e7eec59ea3e95b05141314c514bdb5

    SHA512

    023a160778a36843d0dacb43af9961da0b3fa0d23c213b78aa65a76193ed60819d178c63193d4f74265556c283e21d5d2fa9956ff3001128672f8869ea3a5bc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    78b75bc01ea000f2320b712581bd0b05

    SHA1

    62a4e6896dba482c03b626c8cb7ac1ae1978c1bb

    SHA256

    f40f33781dd8124cabd26203c36a1fc1c9e03c536393f71c3e4cc96fbc8389aa

    SHA512

    ac1b8ac1c195b562d175c4d2387c094847f899c0f2b7a7eaa8c1104d75c173639cb2e8de1147e2436668861088ee80d28b603139845cb94361586e7e48497063

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8ee9c3e1500d12f3714b2344b1710441

    SHA1

    b24de8c9e6ca5797b8de0f5d5b9fedcb2f96ab8d

    SHA256

    e2ccfd316d9775dedf8f73f10526b8a210d0a52b42e0031081035bbb0807dcb9

    SHA512

    79613ce052a0694af0f75fbed08f54ca2c432c5c7eb33e3255fea5f8efdcafb78d0d991efce7e88e9c2a9d09c8b445c1315ecbd33b164ec681ea9c4efa37f6cd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1cb34ae20b94a4ebec59a6c0a6bea0c9

    SHA1

    d3903c551772b5bb1e328a85cdbf03d8cef31144

    SHA256

    60e5caafe6bb0d48550d2c2806bb5e7f610f2e30b4b0f0f38faf11687ded5898

    SHA512

    8086e1c5aa2f9d762657d7321331cde6d8dca15153bdea16c7c4d2428e31a05c6b89bc649cf0a9c773f4450e5311086eb23dc32263adc74d000d33f29859acea

  • C:\Users\Admin\AppData\Local\Temp\Cab7A22.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar7AD1.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/2036-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2036-9-0x0000000024600000-0x00000000246C4000-memory.dmp

    Filesize

    784KB

  • memory/2036-7-0x0000000024600000-0x00000000246C4000-memory.dmp

    Filesize

    784KB

  • memory/2872-11-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2872-14-0x0000000000240000-0x000000000026E000-memory.dmp

    Filesize

    184KB

  • memory/2872-13-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

  • memory/2948-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2948-18-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2948-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2948-22-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2948-23-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB