Overview

overview

10

Static

static

1f8e7a3d08...39.dll

windows7-x64

10

1f8e7a3d08...39.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f8e7a3d086ee4ac7f7da5d5b5a00d00403375d8ae50401a171369daffd24539.dll

  • Size

    232KB

  • MD5

    a153e3e8064116d535c1fe9459bd0790

  • SHA1

    07b4820f286577aafdad80155622e270d73f5f59

  • SHA256

    1f8e7a3d086ee4ac7f7da5d5b5a00d00403375d8ae50401a171369daffd24539

  • SHA512

    dda2bc910da78227252c07b384415a96e434de43342a1b0a5c0ab539be3e1bc8efa8918222d6b7930fe80e427972ff206cd1b11dae03ae2eb5ba11efc40fc8b3

  • SSDEEP

    3072:TCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6d:TCIGPj038tAgFMldWNX+9pLNg4nQdGd

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f8e7a3d086ee4ac7f7da5d5b5a00d00403375d8ae50401a171369daffd24539.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f8e7a3d086ee4ac7f7da5d5b5a00d00403375d8ae50401a171369daffd24539.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 612
        3⤵
        • Program crash
        PID:3436
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:5088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5012 -ip 5012
    1⤵
      PID:1276
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      1⤵
        PID:1308
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 204
          2⤵
          • Program crash
          PID:2160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1308 -ip 1308
        1⤵
          PID:4236
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1112
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:17410 /prefetch:2
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:332
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1676

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          65KB

          MD5

          849ef19ec0155d79d4fa5bfb5657b106

          SHA1

          eb7e7ff208ecb40d35755d8f36e31e2482166299

          SHA256

          8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

          SHA512

          30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          65KB

          MD5

          849ef19ec0155d79d4fa5bfb5657b106

          SHA1

          eb7e7ff208ecb40d35755d8f36e31e2482166299

          SHA256

          8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

          SHA512

          30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          deabbdcb221537d48aed54816739f367

          SHA1

          9ce0f0d21d9bd08823732047e19edbbd909396bc

          SHA256

          494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

          SHA512

          95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          6be08670dcd5fcba416fbeb2caa52a06

          SHA1

          01759f8fd05d55dd9b59573563e9a43deb68bd86

          SHA256

          f91196f971b5e2a8472803f5792a6d02cc63a939a2b19af6df37a29edb7629da

          SHA512

          bdd8a91a3a9ffc8d3c44545ddfb5d90fa693d09766f36051ee9d21f3e8badc4a175ee9f4e2e6879bba2b33209121e4fb5ff457aae1a90597fdc2abaa2b387210

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{485B3DE4-594B-11ED-89AC-F22D08015D11}.dat
          Filesize

          3KB

          MD5

          6a2e0984d51d3bb57e823b2b4cd6ef09

          SHA1

          f8c6d50b35b142720bdbfb86bd2e89df3c82cee6

          SHA256

          9adefdd799f6f8875c549dfe6508a926689963bb0f91f3805e20681081837db4

          SHA512

          8dc9747cb8e02c6998849fdc72486b3bc6653b36a2c9917841f489d22491cbd5a34e208897d2fce4936c65751fa6173fc2238a8f11c65c9201a9fa6387e942b2

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{485B64F4-594B-11ED-89AC-F22D08015D11}.dat
          Filesize

          3KB

          MD5

          b0d77d3576a83a802ae8716a3bd42734

          SHA1

          c2c03dc4a3221bd39b37361dab81473e3382150a

          SHA256

          1d10b799f301d625f156cace5b3b2adf666f51e45b70318bdc85444313dd25b5

          SHA512

          2ab15dd00722e3f969382949dbc53a8abfd8962287497a9b7d0e64321e467d28ab59c957be55d6841a962da1e25fa378dae218bddf46274d4e128bb84e43822a

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          65KB

          MD5

          849ef19ec0155d79d4fa5bfb5657b106

          SHA1

          eb7e7ff208ecb40d35755d8f36e31e2482166299

          SHA256

          8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

          SHA512

          30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          65KB

          MD5

          849ef19ec0155d79d4fa5bfb5657b106

          SHA1

          eb7e7ff208ecb40d35755d8f36e31e2482166299

          SHA256

          8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

          SHA512

          30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

          Download Submit

        • memory/2220-145-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2220-146-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2220-144-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/5012-143-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/5088-138-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/5088-140-0x0000000000460000-0x0000000000481000-memory.dmp

          Filesize

          132KB

          Download