Analysis

  • max time kernel
    120s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2024 02:02

General

  • Target

    bcc0e25e99fef425b80189244f5e8f3fcad0b39dfe693d95e9fbd1338a686edfN.dll

  • Size

    124KB

  • MD5

    cbf01a34c16952167fd25fa16a4e5fb0

  • SHA1

    37a0c9d82d3fbc7e8088c72af06a9ef49fb2ef0a

  • SHA256

    bcc0e25e99fef425b80189244f5e8f3fcad0b39dfe693d95e9fbd1338a686edf

  • SHA512

    a3b2627053b341e4813b76a33626763f42b18206e5939fc6304b1756de941a0603cbfc09151153b37d612845d0a9b289200b20d3eea2be2541b86f06bc7ecb96

  • SSDEEP

    3072:jjulFr5M7VmKeZ88Dkj7oR2SqwKJXtf5DGyVBQwIY6X4+:jHcvZNDkYR2SqwK/AyVBQ9RI+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcc0e25e99fef425b80189244f5e8f3fcad0b39dfe693d95e9fbd1338a686edfN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcc0e25e99fef425b80189244f5e8f3fcad0b39dfe693d95e9fbd1338a686edfN.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2532

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabF0E7.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF196.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    88KB

    MD5

    fe76e62c9c90a4bea8f2c464dc867719

    SHA1

    f0935e8b6c22dea5c6e9d4127f5c10363deba541

    SHA256

    5705c47b229c893f67741480ed5e3bce60597b2bb0dd755fb1f499a23888d7d6

    SHA512

    7d6d5bfb10df493ffea7132807be417b5a283d34a1cd49042390b2b927691fd53ecf8eee459c727844395f34e4230b2cd85b38b7fb7df0a3638b244d0c3f6394
