Overview

overview

10

Static

static

ramest.dll

windows7_x64

10

ramest.dll

windows10-2004_x64

9

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-05-2022 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ramest.dll

  • Size

    1.3MB

  • MD5

    485b65ea3f28d1cd17cd4339662e048a

  • SHA1

    13da23476ed7c8211fa49380176eabb17c1a9408

  • SHA256

    4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe

  • SHA512

    5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0

Score
9/10
evasion

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ramest.dll,#1
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1288-130-0x00007FFEEAF20000-0x00007FFEEAF30000-memory.dmp

    Filesize

    64KB

    Download