Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 23:11

General

  • Target

    7636fcdd3f40e7407ed00e00f9ca3f329abba64eb461c38873a4610dae34f334.dll

  • Size

    240KB

  • MD5

    a10b05144aa44c696ddd051e3bf9f180

  • SHA1

    24a39bb841865cd4b597098fc9c7749309b6fe37

  • SHA256

    7636fcdd3f40e7407ed00e00f9ca3f329abba64eb461c38873a4610dae34f334

  • SHA512

    84e5a9f2ea47f989f036d397f27f148731e69191f6f9081096f1da5ad8bfc3698627ceacff68a6beda389aa3206b3192e3032a0413878b49597d1bdf414b3b68

  • SSDEEP

    3072:Zn4cV8gf2u41Z5tKlwqudua6aRVoFktlmRoUhD:N4y8gOl25Edkkt2oUhD

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7636fcdd3f40e7407ed00e00f9ca3f329abba64eb461c38873a4610dae34f334.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7636fcdd3f40e7407ed00e00f9ca3f329abba64eb461c38873a4610dae34f334.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4928
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:444
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 204
                6⤵
                • Program crash
                PID:4832
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2176
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3968
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3916
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 444 -ip 444
      1⤵
        PID:3332

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        148KB

        MD5

        6ef826e85bf6d60539fa8fea1207c60f

        SHA1

        cd2ac10720d245997b3a9e9eaa8d527d06dec02a

        SHA256

        671133f733c22443400b08440c43d474c3c2064754c31da51bf68929216a1bb9

        SHA512

        25a931328f203f3387d0c72ef38de3ccbc30010c726d18e9fd605921e131b2c490135a593a77440ead7ec1bcfcb7f352920eaa79ebbd1ca7adb58141aa873fb9

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        deabbdcb221537d48aed54816739f367

        SHA1

        9ce0f0d21d9bd08823732047e19edbbd909396bc

        SHA256

        494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

        SHA512

        95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        a530178d1f26b332d5a7dc59a0880c57

        SHA1

        1a7b74c3b659deb5662cab5c29536f77e8564950

        SHA256

        3630e7ee427cd7ea2e623bfced258c6b915b6186c1edcddd9fce3d5bfef7126b

        SHA512

        976b59c5957171757fa281ba32d8cd9b9a5a151a5011fda84a3d3e66423fe38953b0f278e79176e6d067f3fd96a1031dd46a8de415c761d84ae13b79a2467457

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        f023802025c029973c0778ed95ba73d4

        SHA1

        c0b3452d4d51df496af992ce03fa5c6e10031243

        SHA256

        f552cf00586493350857abf681f058064888353a60305d02e99c78fb376dea68

        SHA512

        c371423c2f81868a1cbc91fad5c2d6a0e50547fa03e7fbebd21e99b92554965990922640275095c02def67e3efaaf95a4a68648467cb76c2ebe14916caac3b83

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0192436-5942-11ED-A0EE-7ADCB3813C8F}.dat

        Filesize

        5KB

        MD5

        d18c1ffabef6057ce67e66b91e3120a9

        SHA1

        e4e13d84c17129082021fe09b1426cbda85a10f1

        SHA256

        a1431aefed2fef3a177ad8ad77800214bfc32baca72b70c59ef8d7a26cd8cd82

        SHA512

        fad84586ac16765e00c4093c7db70655a2fe54db2e27d70b3f584e70ffb3093596b957cd17bab890cf48d5eff71246a560df377f0f08612a5605121cdd8742c8

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B022AC6F-5942-11ED-A0EE-7ADCB3813C8F}.dat

        Filesize

        3KB

        MD5

        96b22fe297bc2b9c4cf1ab60d55cdd40

        SHA1

        ea86a3cd50b9e4d113a17504d39a34dbd9e14325

        SHA256

        2db3c6e19f31c3e01b727a58e9abc9dcf43461d0152c386ef50286d9a11abb06

        SHA512

        4431ebe42c07f93d53114981adaa78e365bc4a5ab851fa47a5116881775c768a9052ec29eb71530f5d8b1ffefebc862ea94d627e06a6814efe535ae3a2ef5e06

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        148KB

        MD5

        6ef826e85bf6d60539fa8fea1207c60f

        SHA1

        cd2ac10720d245997b3a9e9eaa8d527d06dec02a

        SHA256

        671133f733c22443400b08440c43d474c3c2064754c31da51bf68929216a1bb9

        SHA512

        25a931328f203f3387d0c72ef38de3ccbc30010c726d18e9fd605921e131b2c490135a593a77440ead7ec1bcfcb7f352920eaa79ebbd1ca7adb58141aa873fb9

      • memory/444-152-0x0000000000000000-mapping.dmp

      • memory/2308-132-0x0000000000000000-mapping.dmp

      • memory/4528-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4528-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4528-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4528-133-0x0000000000000000-mapping.dmp

      • memory/4928-150-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-156-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-157-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-158-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4928-155-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-149-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-148-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/4928-140-0x0000000000000000-mapping.dmp