Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 10:54

General

  • Target

    23315a333d0870f3afda57524ecc286b04905a59c54c3bf8673e964aeb446e93.dll

  • Size

    92KB

  • MD5

    b295b905a240e5ed1ecf784097770661

  • SHA1

    86da494e46938fb94c225e4d30bb329aa84b30d0

  • SHA256

    23315a333d0870f3afda57524ecc286b04905a59c54c3bf8673e964aeb446e93

  • SHA512

    f31d145049ae75383ed4f1dc69f0b8b50a422522c833c166f0761e96c875b34406653f304142961ccd2ae1875163764ed1cf8a4494f3af124ab5bd4c1eaa56bd

  • SSDEEP

    1536:w4+1pTaZPWXlMbBUILfnMBi3T5vNE/j19dbxIO1d5/Oo:tjulMbBUGPYgTPE/x9dbxIi5/Oo

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants have included file-infecting viruses, worms, and banking Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
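
The "UPX packed file" signature above is a static check, and the cheapest version of it is a look at the PE section table. The Python below is an added example, not part of this sandbox report: it parses the DOS and COFF headers, walks the section headers, and flags the default UPX0/UPX1 section names or the UPX! loader marker. The minimal PE it builds for testing is constructed input, not the sample; to check the sample itself, pass the DLL's path to scan_file.

```python
import struct

# Section names UPX writes by default. A modified UPX build can rename them,
# which is why the marker check below is applied as well.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}
UPX_MARKER = b"UPX!"


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table, as raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    sect_table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = sect_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if the section names or the UPX! marker point at a UPX-style packer."""
    names = set(pe_section_names(data))
    return bool(names & UPX_SECTION_NAMES) or UPX_MARKER in data


def scan_file(path: str) -> bool:
    """Apply looks_upx_packed to a file on disk."""
    with open(path, "rb") as fh:
        return looks_upx_packed(fh.read())


def build_pe(section_names, extra: bytes = b"") -> bytes:
    """Build a minimal, non-runnable PE32 image with the given section names.

    Constructed test input only: the headers are just large enough to be parsed.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    sects = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sects + extra
```

A hit on section names alone is weak evidence; the same check is trivially defeated by renaming sections, so treat it as a triage hint and unpack (upx -d, or dump the mapped image as the memory entries below show) before relying on any static indicator from the file.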

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\23315a333d0870f3afda57524ecc286b04905a59c54c3bf8673e964aeb446e93.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\23315a333d0870f3afda57524ecc286b04905a59c54c3bf8673e964aeb446e93.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2884
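
The tree above is the detection-relevant part of this report: a sandbox-launched rundll32.exe leads to a dropped rundll32Srv.exe in SysWOW64, which drops and runs DesktopLayer.exe under Program Files (x86)\Microsoft, which in turn launches Internet Explorer. The Python below is an added example, not part of the report, that reconstructs parent/child ancestry from process-creation records and flags that chain. The records are constructed in the shape of Sysmon Event ID 1 fields using the PIDs and image paths shown above; the root's parent PID and the explorer.exe branch (a benign contrast) are assumed.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 shape). PIDs and
# image paths come from the process tree in this report; the explorer.exe
# branch and the roots' missing parent PIDs are assumptions for the example.
EVENTS = [
    {"pid": 2084, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 2564, "ppid": 2084, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 2372, "ppid": 2564, "image": r"C:\Windows\SysWOW64\rundll32Srv.exe"},
    {"pid": 2312, "ppid": 2372, "image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"},
    {"pid": 2000, "ppid": 2312, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 2884, "ppid": 2000, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"},
    # Benign contrast: a user opening IE from the shell.
    {"pid": 1500, "ppid": None, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1600, "ppid": 1500, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

# Stages of the chain, matched in order as a subsequence of a process's ancestry.
STAGES = [
    ("rundll32",     re.compile(r"\\rundll32\.exe$", re.I)),
    ("dropped_srv",  re.compile(r"\\SysWOW64\\rundll32Srv\.exe$", re.I)),
    ("desktoplayer", re.compile(r"\\Program Files \(x86\)\\Microsoft\\DesktopLayer\.exe$", re.I)),
    ("browser",      re.compile(r"\\iexplore\.exe$", re.I)),
]


def ancestry(by_pid: dict, pid) -> list:
    """Return the records from the root down to pid, stopping at unknown or cyclic parents."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def match_stages(chain: list):
    """Return the PIDs matching STAGES in order, or None if a stage is missing."""
    hits, idx = [], 0
    for ev in chain:
        if idx < len(STAGES) and STAGES[idx][1].search(ev["image"]):
            hits.append(ev["pid"])
            idx += 1
    return hits if idx == len(STAGES) else None


def find_ramnit_chains(events: list) -> list:
    """Return each distinct (rundll32, rundll32Srv, DesktopLayer, iexplore) PID chain found."""
    by_pid = {e["pid"]: e for e in events}
    found = set()
    for e in events:
        if STAGES[-1][1].search(e["image"]):  # start from browser leaves only
            hits = match_stages(ancestry(by_pid, e["pid"]))
            if hits:
                found.add(tuple(hits))
    return sorted(found)


if __name__ == "__main__":
    for chain in find_ramnit_chains(EVENTS):
        print("Ramnit-style chain:", " -> ".join(str(p) for p in chain))
```

The stage patterns are deliberately tied to what this run showed (the dropped rundll32Srv.exe name and the DesktopLayer.exe drop path). For a production rule, loosen the middle stages to "rundll32.exe creating and then executing any PE in SysWOW64 or Program Files (x86)\Microsoft that is not a signed Windows binary", and keep the browser launch as the corroborating step; a bare iexplore.exe child of explorer.exe, as the benign records show, must not fire.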

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    02e0eda95304ca8ed2709766370dde1a

    SHA1

    88f204641bfcd6a0eda47b32b51d23076cbad8e1

    SHA256

    51e282dda36999dc9d781f7f34ef2d62c432d149727b1581cb16b0566cb17bc8

    SHA512

    ca65923b9218b8b59b9ce7c4e20153f98547b7e936efc82822ce6634e9db2f0b5dda41dbbb8e4acd8a58f16e2e62ed8a1fc98e119633d4d6f0ddccaa4e5f4227

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed17885c7308554acadfaf7dd57548e8

    SHA1

    6f36ef9db7c242f5ffee50eb16592d6ca938f624

    SHA256

    09ca20193077022f165ada5b9bc775f0b38773f818df859af6b73eb57deae5c9

    SHA512

    3899b8cbe7f9a232011d9f6fb18d966453e54afb3625c2209dab47f09a5f0540d9c022e72d4b9701692ff20b387902c92b5f4f1a1c07fbc2d14e2523c8c3635f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e4e9df2a86c9b8d97c11b7f8f2ce4517

    SHA1

    fa67e4a19cbf6a1915b8530d6986f22a117e92b9

    SHA256

    d21db80b09ccb547d2c40352651371f5a3ec960be67cce214f0b45eb58aee29d

    SHA512

    db81114f4b2bbaf1bd4d4cc86fb0f5b7c6fa5e28c7e61a252d8bd66f59f89cc9fbbf02c51e42f7d2e958fe33d5fdf7e6f462a93e73bf36d0d25c6ea7110b57b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b2f758f38706be7798d656c52b8b145b

    SHA1

    4739f28bdd919849848692f9bfafb268d626284b

    SHA256

    b5e4dfbaad6aa1ab96768eaa885d351f78fc590f68078bb41cbf842d3faac5be

    SHA512

    1ab33dd4bc2f51eaae33dd56a2bfba45ba07a66c7815f5280e8c37b583bb5fb9ecf9afd75b307e73ae72efc50d1f5b38815f542c68e5922c7b9a44f00838ce36

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    51b9e817131e2e96442e89abddf3fa17

    SHA1

    2085e1bca26e8e7e935c1927a86078db83505b3c

    SHA256

    61ff11dd08e058e9d311b1ce02e192a7792fce6619b74424f4b8aa764f839cfb

    SHA512

    b47d44441c9752dfe228e417886a60f145e0ab619a128796c8cc89aa23e64a9f35df094abb540aba63372d2ffa90a453e9128b104c49a9fdbb141d62c5cdfd0c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    317f47557c5688f7feb809466482c10e

    SHA1

    ddf395b7052bc068e5424e68ac8ed9caea92bae3

    SHA256

    399a7e3a49b609d13d1942042436e7616dd05e8d5bbbf68ea252e1bf24e9964e

    SHA512

    de663b90f9cba1a5ed565f20f72e6df9cb8d49b5703572f4fd9d1c038fd7f854a93e80bf82553bdaf260acd3b5491bfdc726a2d909c10877dcb0a812218f6e99

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a5a4e4549d48e266df6b09465d3e2f12

    SHA1

    54264c65f248806e7d128a09ad659b909eef889d

    SHA256

    6531e866c37970aed499c7a6fee0332e188f0f8b6e3e5a4830f2162c331bf321

    SHA512

    89e075efc059c3c02eaf639045443eb169316e6d0970a0b5da5e9161e6d49c6c3b13a41d0a77f579e4dc4de6c08e5c722a45d4d5237c08c49558a9d08debb27b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c80b3eb18cb234d1f16571f985852714

    SHA1

    34ec8cf7059018a0d297e9462bb42a130fcf869c

    SHA256

    9ac563439afb745ff51e7f9c3a649db239379efbe5cfd604bf25ef34dc012f9f

    SHA512

    c619be2824dac25ec5c99a5fde65bd064ec59f7b3ef709672904071b6b9d5e2dec2585959eee1e11360f8b23b816f8d574d1a4a199ab9a05676c119886ace72f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d760a117b3d04eac87c1b57cd375078

    SHA1

    bad78de90a78fe0d858ef715b40eafb271c1baba

    SHA256

    1c180b61f6eefdcc3af563e8a1d24da91df0b4e651a7cd722cacf008eb8aed94

    SHA512

    eb162bfa1d9d9817e1801b8869d80c18ab06a197294720829893f4fd77f069f0efe3e0318d370845d076ca2de4fb167ff304bb77ca20fa5fad3270a294d41022

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8aa371c5c6150115de681d8e81932365

    SHA1

    bcc94975f7f3b9492f79712970f2dc4e8dc16d81

    SHA256

    b3fcbe324031b8d49e082cbde47aa4ef5e8a1d8bed710ac32c23c196b1d4fc16

    SHA512

    f0efffd41772d9b65ad1186d817014de0e39bfdfb03acab38f4bc915ffe619b4d960aef8514d7e1b149d7c4b60bf4eb459321d76e5a4833eaf74cb35fa69aedf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b3e489ec3ce9e9fc88b5f4be042eb417

    SHA1

    be1c89a72e1c72bdd48b4866a3541221b542ea03

    SHA256

    49b0f75c184da81e1db43a16c9527eb552aa45dd4b48d6eee178f44fedc238a7

    SHA512

    c230ca7c8d6b401a9103f8ffa5a246e64dbe9509d6fc73f17b60cf5c7f94bfef39de6b6c840f7e23f33f36befad5e3f12eb5176a2902b38dae2184226d4e0814

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    56eec90c7fe9ec779abe70e63707821c

    SHA1

    fd6d668c518ccb8a4cc6af128a782a597f21114a

    SHA256

    5d7de0ee708fb59c907a88ce9cb5aaaa07d5e2254a45bbbfc44cd479f6f13243

    SHA512

    0b74fd24b6903721282e9fc5419fd08b5b813403af41a5e94e712c6a37ef9052925100d6029e7bc12c653ab4331ff51f8bd19a701517fd4aa76e81d20f02f7fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f781f9b68b6f0a8213b3897677dffc62

    SHA1

    53f6731d7baf2fb9f30d677095afadaff31fafd5

    SHA256

    38ea3d8c17f02a51a54c6f11f6109737827a98b09f2bfc497a788e063bd19bdf

    SHA512

    80e01ebbf05925bedeaffcddc884ee9c0a2b77c105b8a5a01804d82ce413ca8d2f25eed7b7120d8b443ed842a9ef94c7eb236102c445c13c25891ab091ebc423

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a2e240a00c4211b2dfd2e0e7780deab3

    SHA1

    efe5c634ccda4a2a6bdc7248a2cde4b4221fee81

    SHA256

    837a074d3c278e13d028d0365062ba5ae373791cf0f3d60714e7568c1d34b966

    SHA512

    413a15c0b7eafab0eb46a24837462a4cb57f24e75de1af4336eccc14c84a2429dbaf6f50937595234f9bd398ea2b295e178b85ae36b64ba675221b10624a3d0c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    53cf1bab1426d7a425bf5a9aeae52fc3

    SHA1

    f87ef60617c5db0f7bea2a07e6dd08065f64481c

    SHA256

    eba7f3f2e1c1729e5ab9697e8d315578c49b8cdf71b9d8fce7f895926988503d

    SHA512

    13a00d5fce7cc732ab18fcfa5c97768541cbc29139f897a3bbc622d546512b2cb1533f86ff8508ef82d29354d101e89ab9dd6ca32da6a85acfc2af0568b8ea87

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fc4fb1845b992ee0e3d6781f08a50788

    SHA1

    23dc4284fbec465d3ae59742c12e5d0eab7b8078

    SHA256

    936e686c3979b6d58ec0472e60555982d06a141825f207c103213f579512a52c

    SHA512

    43a98767c1af16eca48c630cbc474a6f5507a83629e4a637fb06491c932d5dbbc855a5448abc200e4827b96c613c2f72f57383b6c6c53ce106d9f56204cdf92b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bd28087e5ba52f53858724006b3f1576

    SHA1

    5572be568341b73cdfd437e00989fdbb20f81d93

    SHA256

    fdc2f924a322555de776ac80aec671481c269454a125616c994970a127d02566

    SHA512

    b06147ea607275ad37bedbefd53b5a4997becdf37cede4207a4d8e6e63e4b0205ac5c2582189b00533c3c5d2ceda13c701227f5f41c17a28c5f75e0df7c7efd1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bef7ee9e265fd5a78621e3e61e449341

    SHA1

    98c940afdf1de40f5b9d1fb5eda403793c045f70

    SHA256

    e91733a841447b2564ea6ecb36259eebae31cb9fbac1f06e3a07d8eb51b406c7

    SHA512

    6053626d83bc0a4e92b67d08570823066878e12ec62445022a0f032b4a987e1241a8e2edd5801c4619b866d61fde0532a0674144eb6a73c8d5d05d110245ec2f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c313e7652e732e21d11ae0506be4cf24

    SHA1

    61b600c79681a0c59ccc46ce408c87d5763edf98

    SHA256

    ecb42d8566a5858913d5dfb7386bdb4e9f4832447f955b01c4d49893b67de450

    SHA512

    7ebb54d78fe2abd85eb6ee15ecbd819a69a6f9164d5f27d6019030a0d556b523863ed19c7b844e97419a1f53c5b697fe1b1fb4069488c7af2ab24db43687117e

  • C:\Users\Admin\AppData\Local\Temp\CabC998.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarCA09.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/2312-27-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2312-22-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2312-19-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2312-23-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2312-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2312-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2372-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2372-13-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

  • memory/2372-28-0x0000000000240000-0x000000000026E000-memory.dmp

    Filesize

    184KB

  • memory/2564-8-0x0000000000100000-0x000000000012E000-memory.dmp

    Filesize

    184KB

  • memory/2564-3-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2564-1-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2564-0-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2564-24-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

  • memory/2564-4-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB