Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 20:30

General

  • Target

    e6b5e84fff32d8098ff04bc94d9f085c3036e2d9033ec0b45d379dbd5caac5e0.dll

  • Size

    108KB

  • MD5

    0eeb631f0aac87236a90e58f7d7d5e67

  • SHA1

    647c505928c81e16072f513904ef451a6662cb54

  • SHA256

    e6b5e84fff32d8098ff04bc94d9f085c3036e2d9033ec0b45d379dbd5caac5e0

  • SHA512

    59c86e099259f1333cbfa3aeaeb5f7772ab811752a70e281b88649b2f8e49a3a7c32b14fd5b43a350cb7008e39f8ba0e03ce4cbebb1d4e64f2e3a805d912147a

  • SSDEEP

    3072:1NEqkap78EbQUxto1w5+ynDFSUR0kURmt3/:fEqkE4Ocih8JRml/

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6b5e84fff32d8098ff04bc94d9f085c3036e2d9033ec0b45d379dbd5caac5e0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6b5e84fff32d8098ff04bc94d9f085c3036e2d9033ec0b45d379dbd5caac5e0.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:5012
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 204
                6⤵
                • Program crash
                PID:788
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1560
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2108
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5012 -ip 5012
      1⤵
        PID:5008

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        0ef90204485649be625ea2be1b9018fb

        SHA1

        28fbc0852140ec51d0c097a4962a160afa4d754b

        SHA256

        c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

        SHA512

        b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        6acdbb763e7d8fba68db8890846d0e21

        SHA1

        1695e92cd2f5035fe35913a68a215da39cf4e624

        SHA256

        3bff0319384ab543c50b257a282a3a5b4eae714189f8549360fde38de7d3fdab

        SHA512

        62fec58adeb77be8c330cf1d4dd3a397664cf4bbe540ee1272ef99d4cd72a96f41a3b29fbe8153b446df2cbe3550edb6754537da8d89cea5ee7f2f9e44608126

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E50D86CC-5E4D-11ED-A0EE-6E8F4548B5DC}.dat

        Filesize

        5KB

        MD5

        2c4528b3c6b077811fdf148953aa9ab9

        SHA1

        e96eb7a80e2cd0cc08e72de119453fc53b5ef7e7

        SHA256

        b45dfeb3568ea96f1bb0fc17592310bbf5b72c11a32c82c7977fc95944043798

        SHA512

        ae2016c351fa20efb89edfd9590846d63b2f291b9582eab4dbf4d5f0350bb8288c55e541490a56deb732a02dc72c6808c4583d2bbdd8a33f047809d901b66737

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E50DADDC-5E4D-11ED-A0EE-6E8F4548B5DC}.dat

        Filesize

        3KB

        MD5

        a1607813705f3963b0b00fb334f8b884

        SHA1

        db069bce53e0a003c0495ebbdfccdb241da2d252

        SHA256

        00fe7f4b85fe8cfd26d3dd56235b12f95ea2c67a33186eac1ebe834d3a1405d6

        SHA512

        0276d72a95f0735c7b113636bf24be511e01e733b8b5ec7d09d2d0556053b8ed2f4f9c7f20e39e75d8c96c741cc18f3cad313b9dfdf51e9ab26f225b8121bf4e

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • memory/4860-156-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4860-157-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4860-150-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4860-151-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4860-152-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4860-158-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4860-155-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4964-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4964-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4964-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB