Analysis

  • max time kernel
    110s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 23:12

General

  • Target

    7041941484f517309d9a45b5802f9eba98dca7cc7fa683956f1e54e5b26b9bff.dll

  • Size

    228KB

  • MD5

    a1bc29caf8de504555234f97661f4170

  • SHA1

    a49cb51bf5109897b4374a373e39f2c1364514d1

  • SHA256

    7041941484f517309d9a45b5802f9eba98dca7cc7fa683956f1e54e5b26b9bff

  • SHA512

    ae79bc6e7f9e785c2c47c3ea0c3b3c836ef9c5af24c4ef934d58e7b467a21580d518c2eac6d1f7b4ef0e97ea2770ad5fee357c51858ebc2ed715766863831630

  • SSDEEP

    3072:wgKKuiX63bw5dNjDh8pWVgTlFIYn7mkxOcTEddW5qJ4duzP:hKZp3KNjVGv7TEcodLouzP

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family comprising viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7041941484f517309d9a45b5802f9eba98dca7cc7fa683956f1e54e5b26b9bff.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7041941484f517309d9a45b5802f9eba98dca7cc7fa683956f1e54e5b26b9bff.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4744
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 204
                6⤵
                • Program crash
                PID:1580
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4568
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4568 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1836
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4400
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4744 -ip 4744
      1⤵
        PID:4936

Downloads

            • C:\Program Files (x86)\Microsoft\WaterMark.exe

              Filesize

              112KB

              MD5

              f892632efdb93da698d372533261b2b8

              SHA1

              a2941fd2eaa53a87ea3a525b985bf962613fde9c

              SHA256

              82cec44ec16306f37f887bca4642e66a41dc60662f9d0021301b30bf9b8b15ed

              SHA512

              0fcc32d3ee681df973ba36d31ccf7553158babb77d12560230c13b0463c57980686b7c4b640534c68071624451406759071d3cf6fb1da9e306b1b09fef4a7689

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              471B

              MD5

              deabbdcb221537d48aed54816739f367

              SHA1

              9ce0f0d21d9bd08823732047e19edbbd909396bc

              SHA256

              494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

              SHA512

              95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

              Filesize

              340B

              MD5

              3d7f35b4661f5ad1d8b40142720c0c58

              SHA1

              682a11549aa182e6ed6f295c7d9d665a043feb4e

              SHA256

              b957560ab8cc5d3b95cfe8f2c138be9e2feaac99f713a2de59c1ea9098023fc3

              SHA512

              eb668e496e2c984015f3b722bb3ece1e00c9c2b6762cc36cd95daa357ee75357471a63c1033509c122669501e68578a81923e293a326668fb78c75f9a84e67af

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              434B

              MD5

              fda3ec6932758c505e0c3dd756649b94

              SHA1

              5936487f0ccb2782bf12f7d66a94d35cec24750e

              SHA256

              2ab3712d248c0d9d09a773de6008a5e24a5747e8c0bf6ce61df6c5fcbffca73e

              SHA512

              583d5376124a19789ceb07a3cd04e2373571304c4eb8fdd0483052e9926fe6f93881bbf94899802524477bbb93249ec02d0de504c900dc30fd101bd862bf0815

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2F6750DE-594B-11ED-B696-C264E7FE3618}.dat

              Filesize

              4KB

              MD5

              6888c847bc8b29ce19ebe643f12fdacf

              SHA1

              6864ece2455589920beb17624e534500f3b4e35d

              SHA256

              1b7240577d72c19aeed4ce665ff8464919dab2bb6df466be7fa5bee958ece49d

              SHA512

              4d1a474ad27cac32e732364cbf8071a28bf95a854980d64930f902e91c1f09a23682185b79032408f2e25465760b1f2d5620b0137bf7326fbd63811296c052fe

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2F6E6344-594B-11ED-B696-C264E7FE3618}.dat

              Filesize

              5KB

              MD5

              4cef1c388a536db624f7dad15f84c729

              SHA1

              bb6ef9b082f2e728062e76fc2ea0184cad2f9a12

              SHA256

              1f5ce8781293ac74787835f6d80128449ebe603a410cf41abad36f9d697051ff

              SHA512

              61c8ed00bf3f7e0339755931e63e8819bd872a91f86e51410f3ddffdad2b5829aa193ecc1e29f4c06b6e257376c94f572167af5f0fe227392ac3b66fc100ce7b

            • C:\Windows\SysWOW64\rundll32mgr.exe

              Filesize

              112KB

              MD5

              f892632efdb93da698d372533261b2b8

              SHA1

              a2941fd2eaa53a87ea3a525b985bf962613fde9c

              SHA256

              82cec44ec16306f37f887bca4642e66a41dc60662f9d0021301b30bf9b8b15ed

              SHA512

              0fcc32d3ee681df973ba36d31ccf7553158babb77d12560230c13b0463c57980686b7c4b640534c68071624451406759071d3cf6fb1da9e306b1b09fef4a7689

            • memory/2888-151-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-156-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-159-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

            • memory/2888-152-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-153-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-158-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-150-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/2888-157-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

            • memory/3900-143-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

            • memory/3900-139-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

            • memory/3900-138-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB