Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 17:07

General

  • Target

    76870fd9910067e9938152dd5071d70346466f62228f0458122f55918dbe0726.dll

  • Size

    216KB

  • MD5

    0e35d3cef9a0eb713973219c47e64ac1

  • SHA1

    1c88f8a4513420659d3df10db6eb0369235f8ce3

  • SHA256

    76870fd9910067e9938152dd5071d70346466f62228f0458122f55918dbe0726

  • SHA512

    c8c124645563ad1c641b8a0808bce5c2ab55773ccc5e30e81aa20f2d6e6db5a7bd2f385ab16d043a6ad92807bafd841b369e7f0644a6d0638b7131622b556296

  • SSDEEP

    3072:un4cV8gf2u41Z5tKlwF+yooPdW3WGaJxK:84y8gOl2aq3dqs

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76870fd9910067e9938152dd5071d70346466f62228f0458122f55918dbe0726.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\76870fd9910067e9938152dd5071d70346466f62228f0458122f55918dbe0726.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1120
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2396
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 212
                6⤵
                • Program crash
                PID:2900
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:336
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:212
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:212 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2396 -ip 2396
      1⤵
        PID:2992

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        123KB

        MD5

        41cdf1d40aff3f71114ea210307b6a1c

        SHA1

        8d5237ed7a29003af5b857edd85f7f54a91f600c

        SHA256

        00ba79fa51af9b735ebbded72313232d83956c922e206362f9b71411772162b7

        SHA512

        fdcba01191a345416f17fb4024255f97af135824f1ce57bb8456d74fbfd0e37f89500aeb92c19c4add62e6cb416c57cd06b2aee310fabb91e468852ca062ff0e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        5f49b65bdc1713b58ed97d0e9625a968

        SHA1

        84b74e55478c9abb163aa6629e3fd3b91bed4806

        SHA256

        a681ab9abc281fd12a7bd06f56e36a21e8ee28b5294815c5e07b781e324a32f9

        SHA512

        4b502288bef324db8ad33e63c7b6f242ef7954a6fbec3ed012530044c82fee3ad1158febe088bc0deea67ac35646a0a1bd6d961c0f67b11fee584e4f1abd753a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        e0abf3aa66a174ba0a6336e26abb3e4a

        SHA1

        cd1fd1b83151ab8df6865f6e8b5541b0340412b6

        SHA256

        b0f4dda6f37d977901614ef3299206d3bc421d07e687df656d810d8502a04859

        SHA512

        7d96a81ccf3e1343d70e6c00f3dac242fa2521e7fb31ec0d4fd73635fad8214f8974ded9cc3a8f5472424da544625445eb7247923906fbf7fa10eca8bd32d0e2

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        123KB

        MD5

        41cdf1d40aff3f71114ea210307b6a1c

        SHA1

        8d5237ed7a29003af5b857edd85f7f54a91f600c

        SHA256

        00ba79fa51af9b735ebbded72313232d83956c922e206362f9b71411772162b7

        SHA512

        fdcba01191a345416f17fb4024255f97af135824f1ce57bb8456d74fbfd0e37f89500aeb92c19c4add62e6cb416c57cd06b2aee310fabb91e468852ca062ff0e

      • memory/1120-140-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1120-141-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1120-137-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/1120-149-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1728-136-0x0000000010000000-0x0000000010037000-memory.dmp

        Filesize

        220KB

      • memory/2020-153-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-152-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-154-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-155-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-156-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-157-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-158-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2020-159-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB