Overview

overview

10

Static

static

9eba80753a...2b.dll

windows7-x64

10

9eba80753a...2b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2022 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9eba80753a0f851470c6b67cc7941b07642acc1eabe43643ad1233bf4697a52b.dll

  • Size

    232KB

  • MD5

    49f6f48b6439f2ba94b4523a3421b2d0

  • SHA1

    30d68a62a65a73a8690f473e2abadd6646a77652

  • SHA256

    9eba80753a0f851470c6b67cc7941b07642acc1eabe43643ad1233bf4697a52b

  • SHA512

    a3231f99a4507d83dc79b575e1de51d76d84bc82a006e6c336fe1b98d41f56bc08c9f20bbfdeb3088ed6dd5114005741de57e388c732a8eb82ffa27396d97941

  • SSDEEP

    3072:SJ/bDvolYJ975jjHnNNHLwj5Hj59BjUY0quvirFHWMiA/HQ0P0CKKgiT4fUADtN2:SJ/8W2uvihHFHlTT4h55ZBXK

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:584
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k NetworkService
            2⤵
              PID:328
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
              2⤵
                PID:1036
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                2⤵
                  PID:1256
                • C:\Windows\system32\sppsvc.exe
                  C:\Windows\system32\sppsvc.exe
                  2⤵
                    PID:1812
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                    2⤵
                      PID:1756
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:300
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:872
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:832
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:804
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:732
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:664
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:376
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1412
                                          • C:\Windows\system32\rundll32.exe
                                            rundll32.exe C:\Users\Admin\AppData\Local\Temp\9eba80753a0f851470c6b67cc7941b07642acc1eabe43643ad1233bf4697a52b.dll,#1
                                            2⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1184
                                            • C:\Windows\SysWOW64\rundll32.exe
                                              rundll32.exe C:\Users\Admin\AppData\Local\Temp\9eba80753a0f851470c6b67cc7941b07642acc1eabe43643ad1233bf4697a52b.dll,#1
                                              3⤵
                                              • Loads dropped DLL
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:964
                                              • C:\Windows\SysWOW64\rundll32Srv.exe
                                                C:\Windows\SysWOW64\rundll32Srv.exe
                                                4⤵
                                                • Executes dropped EXE
                                                • Drops file in Program Files directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1860
                                        • C:\Windows\system32\Dwm.exe
                                          "C:\Windows\system32\Dwm.exe"
                                          1⤵
                                            PID:1340

                                          Network

                                          MITRE ATT&CK Matrix

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\WINDOWS\SYSWOW64\RUNDLL32SRV.EXE
                                            Filesize

                                            170KB

                                            MD5

                                            675e06a8ef823be7b39d4fd7c5f4560d

                                            SHA1

                                            08cb14c576b35d0e79fcaf9674ebb4da598b8868

                                            SHA256

                                            67135fa98f6a5f7d2d888e959060cb81ef0ca22092e7ac36cf47bf3bb1ac935d

                                            SHA512

                                            1e720f76778092aaa949179daee88cfa64ce8b28cf5721f5609ed4f0d4e1e8d854261a47f0d0380c0d261ba74577295db5ee4c2c4c35ac32c0de2c191d96484b

                                            Download Submit

                                          • C:\Windows\SysWOW64\rundll32Srv.exe
                                            Filesize

                                            170KB

                                            MD5

                                            675e06a8ef823be7b39d4fd7c5f4560d

                                            SHA1

                                            08cb14c576b35d0e79fcaf9674ebb4da598b8868

                                            SHA256

                                            67135fa98f6a5f7d2d888e959060cb81ef0ca22092e7ac36cf47bf3bb1ac935d

                                            SHA512

                                            1e720f76778092aaa949179daee88cfa64ce8b28cf5721f5609ed4f0d4e1e8d854261a47f0d0380c0d261ba74577295db5ee4c2c4c35ac32c0de2c191d96484b

                                            Download Submit

                                          • \Windows\SysWOW64\rundll32Srv.exe
                                            Filesize

                                            170KB

                                            MD5

                                            675e06a8ef823be7b39d4fd7c5f4560d

                                            SHA1

                                            08cb14c576b35d0e79fcaf9674ebb4da598b8868

                                            SHA256

                                            67135fa98f6a5f7d2d888e959060cb81ef0ca22092e7ac36cf47bf3bb1ac935d

                                            SHA512

                                            1e720f76778092aaa949179daee88cfa64ce8b28cf5721f5609ed4f0d4e1e8d854261a47f0d0380c0d261ba74577295db5ee4c2c4c35ac32c0de2c191d96484b

                                            Download Submit

                                          • memory/964-57-0x0000000010000000-0x000000001003B000-memory.dmp

                                            Filesize

                                            236KB

                                            Download

                                          • memory/964-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/964-62-0x0000000000400000-0x0000000000436000-memory.dmp

                                            Filesize

                                            216KB

                                            Download

                                          • memory/964-65-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/964-66-0x0000000000400000-0x0000000000436000-memory.dmp

                                            Filesize

                                            216KB

                                            Download

                                          • memory/964-67-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/1860-64-0x00000000001D0000-0x00000000001DF000-memory.dmp

                                            Filesize

                                            60KB

                                            Download

                                          • memory/1860-63-0x0000000000400000-0x0000000000436000-memory.dmp

                                            Filesize

                                            216KB

                                            Download