Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 20:53

General

  • Target

    9a67ca9394f49740940434eb6aec56e8d95e46fcba069b7a31266adb1ce6ec13.dll

  • Size

    408KB

  • MD5

    046e1550e3b43207ce668c406161164d

  • SHA1

    8b457ddda0da97f117a5ad55f76e8fa312e92e0c

  • SHA256

    9a67ca9394f49740940434eb6aec56e8d95e46fcba069b7a31266adb1ce6ec13

  • SHA512

    30c69ac88fd7baaa1ff7e6281b4960e01aef1de8d9915e607d0c03ec9bc5e2f038b7f9d115c50a02f4101202d0e9a14fbe3043038025476c31f79a67686608fa

  • SSDEEP

    12288:Loz83OtIEzW+/m/AyF7bCrO/E0McMxwFB:YbIEzW+/m/rF7kcRNXr

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a67ca9394f49740940434eb6aec56e8d95e46fcba069b7a31266adb1ce6ec13.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a67ca9394f49740940434eb6aec56e8d95e46fcba069b7a31266adb1ce6ec13.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1668
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 208
                6⤵
                • Program crash
                PID:1248
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4864
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4864 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4008
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4628
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 608
          3⤵
          • Program crash
          PID:512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1708 -ip 1708
      1⤵
        PID:436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1668 -ip 1668
        1⤵
          PID:5052

        Network

              MITRE ATT&CK Enterprise v6

              Downloads

              • C:\Program Files (x86)\Microsoft\WaterMark.exe

                Filesize

                65KB

                MD5

                849ef19ec0155d79d4fa5bfb5657b106

                SHA1

                eb7e7ff208ecb40d35755d8f36e31e2482166299

                SHA256

                8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

                SHA512

                30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F621DB9-5E5A-11ED-B696-F22D08015D11}.dat

                Filesize

                5KB

                MD5

                cbe12a44f6139f081222d3904b77905b

                SHA1

                e245d0051670777a9d5cf8c75d40772f6099f75b

                SHA256

                90aaeb854034490502eecedcb15d6888eacc5478c6f8749d792530e77064266e

                SHA512

                60672ad5ab3f093ef120357a81bdd471b871eeef208993643ae565e6e9fee44aa7d0a00cdf0ce39031815fcca648d16209f68c7ef1a89641961b7834d24e308b

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7F6944FD-5E5A-11ED-B696-F22D08015D11}.dat

                Filesize

                4KB

                MD5

                1e75fea8b2599c8cbb9717aa82b082b5

                SHA1

                9604ebc2d43ef20c6ce12534c2a649bd17c7b7d6

                SHA256

                991858d02388d1bf35548abe6c82c33da2c0321e723c5a4e4a2ee0cd72e4b306

                SHA512

                e34dd5dfc266b18a0b79b232879f25fd22d1a6ed4ba0310a5137fe2da9db76216c8a35cf2d4a2569a724e241cdb1c2068c545cdf16d4609d293c9f6cac19286c

              • C:\Windows\SysWOW64\rundll32mgr.exe

                Filesize

                65KB

                MD5

                849ef19ec0155d79d4fa5bfb5657b106

                SHA1

                eb7e7ff208ecb40d35755d8f36e31e2482166299

                SHA256

                8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

                SHA512

                30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

              • memory/1708-143-0x000000007C340000-0x000000007C3A7000-memory.dmp

                Filesize

                412KB

              • memory/2228-140-0x0000000000460000-0x0000000000481000-memory.dmp

                Filesize

                132KB

              • memory/2228-139-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/2264-144-0x0000000001F00000-0x0000000001F21000-memory.dmp

                Filesize

                132KB

              • memory/2264-145-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/2264-148-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/2264-149-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB