Analysis

  • max time kernel
    150s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 21:30

General

  • Target

    5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll

  • Size

    592KB

  • MD5

    440dbfa1e015df5e19fbe780dbd15dc1

  • SHA1

    96e7a86082ae7689cb162c62fd15df75cc608871

  • SHA256

    5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f

  • SHA512

    a49ca3e4f593cd509755de7e47ec75efca11f23800c36342a20d32e210ec964c6368edd76cf25d7d5ae22ae24f3c9194c6fefca6aef4ab74671f955409883ec5

  • SSDEEP

    12288:MgUYcOj5s7qoYnw3uXa5tTuUFupP6+Zp4zz:MmVoqeuXa5txGPPOz

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family spanning file-infecting viruses, worms, and banking Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1560
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 212
                6⤵
                • Program crash
                PID:3776
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3592
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3592 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3548
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1560 -ip 1560
      1⤵
        PID:444
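Detection logic for the process chain above, run over a constructed process-creation log. This is an added example, not part of the sandbox report or of any vendor's tooling: the PIDs, image paths and command lines are taken from the Processes section, but the Sysmon-style field layout, the parent of the first rundll32.exe (assumed to be explorer.exe, PID 4000) and the parent of the top-level WerFault.exe (not shown in the report, PID 1100 here) are assumptions of this example. The rules encode what the tree shows: the 64-bit rundll32.exe re-launching its SysWOW64 copy is the normal way a 32-bit DLL gets loaded, so that hop is whitelisted, whereas rundll32.exe spawning rundll32mgr.exe is the dropper firing; svchost.exe and iexplore.exe parented by WaterMark.exe are the injection hosts (matching the UnmapMainImage and WriteProcessMemory signatures), and the svchost.exe instance is the one WerFault reports as crashed.

```python
"""Detection rules run over a constructed process-creation log.

Added example, not part of the sandbox report. Records are built from the
report's process tree; the explorer.exe parent (PID 4000) and the parent of
the top-level WerFault.exe (PID 1100) are this example's assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f.dll")

# Files the report shows the loader dropping; a process running from either
# path is a hit regardless of its parent.
KNOWN_DROP_PATHS = {
    r"c:\windows\syswow64\rundll32mgr.exe",
    r"c:\program files (x86)\microsoft\watermark.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [  # constructed from the report's Processes section
    ProcEvent(4000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent
    ProcEvent(1356, 4000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2628, 1356, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4776, 2628, r"C:\Windows\SysWOW64\rundll32mgr.exe", r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    ProcEvent(2180, 4776, r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
              r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    ProcEvent(1560, 2180, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    ProcEvent(3776, 1560, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 212"),
    ProcEvent(3592, 2180, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(3548, 3592, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3592 CREDAT:17410 /prefetch:2'),
    ProcEvent(1936, 2180, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(564, 1936, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2'),
    ProcEvent(444, 1100, r"C:\Windows\SysWOW64\WerFault.exe",  # parent not in the report
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1560 -ip 1560"),
]

# WerFault's "-p <pid>" argument names the crashed process ("-pss" does not match).
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return {pid: [reason, ...]} for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = defaultdict(list)

    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else None

        # 1. rundll32.exe launching anything but itself. The 64-bit host
        #    re-launching its SysWOW64 copy for a 32-bit DLL is normal; that
        #    copy then spawning rundll32mgr.exe is the dropper firing.
        if pname == "rundll32.exe" and name != "rundll32.exe":
            alerts[e.pid].append(f"rundll32_spawned_{name}")

        # 2. svchost.exe not started by services.exe: here it is a child of
        #    WaterMark.exe, i.e. a host process created to be injected into.
        if name == "svchost.exe" and pname != "services.exe":
            alerts[e.pid].append("svchost_unexpected_parent")

        # 3. iexplore.exe started by something other than the shell or IE itself.
        if name == "iexplore.exe" and pname not in ("explorer.exe", "iexplore.exe"):
            alerts[e.pid].append("iexplore_unexpected_parent")

        # 4. Image path equals one of the report's dropped files.
        if e.image.lower() in KNOWN_DROP_PATHS:
            alerts[e.pid].append("known_drop_path")

    # 5. Second pass: WerFault.exe reporting a crash of a process flagged above
    #    (the injected svchost.exe dies; "Program crash" in the report).
    for e in events:
        if _name(e.image) != "werfault.exe":
            continue
        m = WERFAULT_TARGET.search(e.cmdline)
        if m and int(m.group(1)) in alerts:
            alerts[e.pid].append(f"crash_of_flagged_pid_{m.group(1)}")

    return dict(alerts)


if __name__ == "__main__":
    for pid, reasons in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(reasons))
```

Rules 2 and 3 are generic parent-child anomaly checks and will fire on other injection-style malware too; rule 4 is specific to this build, since the file names are the loader's choice and can change. Against the constructed log the only rundll32.exe child left unflagged is the SysWOW64 re-launch (PID 2628), and the two SCODEF/CREDAT IEXPLORE.EXE tabs stay clean because their parent is iexplore.exe.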

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DDD68E8E-6B97-11ED-BF5F-FAE5CAF4041A}.dat
        Filesize

        5KB

        MD5

        73db546c34ebf5f50a10d3e173cb88aa

        SHA1

        ee524f959003d8081691d073d78dd20c79e371e1

        SHA256

        4cef0d57bbb9b4b40beaba2003272547f26d03237168c8a05f7da627bdcc3856

        SHA512

        ecbd310ef3de59a32196461b0c60e08e418f82083ceee8ac336828baafffe46648f7b74aa8bba0abe9080e767dd5072ed59e71ec270272af2c9748ad344e8585

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DDD6B59E-6B97-11ED-BF5F-FAE5CAF4041A}.dat
        Filesize

        5KB

        MD5

        cc9e5d3668eadacd7163cf5dc53199d2

        SHA1

        f72fe5c517be0211970d5678c925c7891371fa41

        SHA256

        76f72a13e4e406db53d909649766fac083a1256c10468b399ebc0e336b60473a

        SHA512

        96a6c25546e40f3d8ae0a925427edd13c0ef86e3e5e5cd3e6eebb678219869792802b1b4b244dbbbaad702900ad9cc9f99e5ff5b692b0900d6d30eaa1c36b74b

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • memory/1560-154-0x0000000000000000-mapping.dmp
      • memory/2180-143-0x0000000000000000-mapping.dmp
      • memory/2180-148-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-150-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-155-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-156-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-157-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-158-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
      • memory/2180-159-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
      • memory/2628-132-0x0000000000000000-mapping.dmp
      • memory/2628-133-0x00000000749B0000-0x0000000074A50000-memory.dmp (Filesize 640KB)
      • memory/4776-136-0x0000000000000000-mapping.dmp
      • memory/4776-141-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
      • memory/4776-142-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
      • memory/4776-146-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
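A host check for the dropped payload, as an added example that is not part of the report. The SHA-256 values and paths come from the Downloads section (the same 59KB file is written as rundll32mgr.exe and WaterMark.exe, so one hash covers both locations) plus the submitted DLL's own hash from the General section; the two RecoveryStore.{...}.dat files are Internet Explorer's own session-recovery artifacts, not payloads, and are left out. The scan function and the temporary-file helper are this example's own.

```python
"""Hash check of a host for the files this report lists as dropped.

Added example, not part of the report. Hashes and paths are the report's;
scan(), hash_stream() and write_temp() are this example's own code.
"""
import hashlib
import os
import tempfile

# SHA-256 -> label. The 59KB payload is identical at both drop locations.
IOCS = {
    "5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd":
        "Ramnit payload (rundll32mgr.exe / WaterMark.exe)",
    "5f3a8fb712dbdf218be6e8f27793d38fc478c3ab1093611ee2e2fb83e77f071f":
        "submitted loader DLL",
}

# Where the report saw the payload land on the sandbox host.
DROP_PATHS = [
    r"C:\Windows\SysWOW64\rundll32mgr.exe",
    r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
]


def hash_stream(chunks):
    """MD5, SHA-1 and SHA-256 of a byte-chunk iterable, computed in one pass
    so large files are read once and all three report fields can be compared."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in chunks:
        for h in hs.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def hash_bytes(data):
    return hash_stream([data])


def hash_file(path, chunk=1 << 20):
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk), b""))


def scan(paths, iocs=IOCS):
    """Return [(path, label)] for files that exist and whose SHA-256 is an IoC.
    Missing paths are skipped: absence is the expected result on a clean host."""
    hits = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        digest = hash_file(path)["sha256"]
        if digest in iocs:
            hits.append((path, iocs[digest]))
    return hits


def write_temp(data):
    """Write constructed bytes to a temporary file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    print("hits on report paths:", scan(DROP_PATHS) or "none")
    # Positive-path demonstration with a constructed file registered as an IoC.
    demo = write_temp(b"hello")
    print(scan([demo], {hash_bytes(b"hello")["sha256"]: "constructed test file"}))
    os.remove(demo)
```

An exact hash match only catches this build; Ramnit is a file infector and is routinely repacked (the UPX and VMProtect signatures above are the packer layer), so treat the drop paths and the rundll32.exe to rundll32mgr.exe to WaterMark.exe chain as the durable indicators and the hashes as confirmation. Both drop locations sit under protected directories, so run the check elevated or it will silently report nothing.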