Analysis

  • max time kernel: 140s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-11-2022 16:58

General

  • Target: 2c58b5f29c9b9ad9638cc55b66d0c4503eaa3ef9b6c786182d939d99fefb8d40.dll
  • Size: 123KB
  • MD5: 4504aadb29c0e296ca92ed44db78e014
  • SHA1: 0acc2e46bd1b7be7c3b88702fd46c01aa285946d
  • SHA256: 2c58b5f29c9b9ad9638cc55b66d0c4503eaa3ef9b6c786182d939d99fefb8d40
  • SHA512: 54d13dde80db82fe76c4af36171c8b4b6589cd5037a5335aa78ea8fb5235cab254d7c5682e96b3d23b0afe71ebb8d3e84cdff29e875e2bc516678c735019044b
  • SSDEEP: 3072:CuevieaLqpG59j6kb9K5Yrwj7rfNmtOSL6+3XxCh:CuEivDqD5Yrc8OSL73Xxs

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c58b5f29c9b9ad9638cc55b66d0c4503eaa3ef9b6c786182d939d99fefb8d40.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c58b5f29c9b9ad9638cc55b66d0c4503eaa3ef9b6c786182d939d99fefb8d40.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:4700
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 204
                6⤵
                • Program crash
                PID:5044
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3480
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2280
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4700 -ip 4700
    1⤵
    PID:3008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe
    Filesize: 59KB
    MD5: aea1462e5f1f31dd74df7833b5a07305
    SHA1: cea53b9b3311f1003df5d9266f9e3fbd5c971f28
    SHA256: 62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af
    SHA512: 776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: e32d02ce684c01ef3af05fae9066160e
    SHA1: 29c7a6e8ed553ac2765634265d1db041d6d422ec
    SHA256: b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
    SHA512: e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: 63317d2753c6656844df106a81c1dd39
    SHA1: dc92d7514ff0f466271e8e61ed1e077a4ae28113
    SHA256: b775e80983a2ef44e526e341247b1f2f6dd4e756de988489e0407962dc63e40d
    SHA512: bd1114e2a32d147816ef14c982a606e8ae105aa4836bc83eca5d973997e8d4bab968e5080e3dffe13ad651791723600fe727abcd663a4cb28d1ef9f9db09117e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C019E556-6B67-11ED-89AC-72E5C3FA065D}.dat
    Filesize: 5KB
    MD5: 3c29c13f5613497a0a4ebb0251387c55
    SHA1: 5d4053583db716545c138cddb09b655b42c584fd
    SHA256: 576ab95df611f082d740c7090e7514debcbc6c22c4a1d8f9eb56cb512d9af2f1
    SHA512: 2624639e0b13e84d5bcf111a202385fc13b6a6e771c3c960e359bcdd86378aa3fe70506fdbb2c921e4b385766938d448b93bac05166b4a092a1c3cf6bd9f8226

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C01EA8CC-6B67-11ED-89AC-72E5C3FA065D}.dat
    Filesize: 3KB
    MD5: 35bf7db6cfafad3ed1e45ff3cbd25553
    SHA1: 56fff0e47c9a6a5e4098a160e384487973e238f4
    SHA256: 9aff72514eceae105c3da121bee9538a0e5dec74b749537ac8fead3b87d0722f
    SHA512: 64f4713dd61dcb5337308d9f132e861d92d7480cd1d50c8b97dd5a372aaf176dcaa3650fb4231cee4081f2872fd6592a398488c753b4afebef16049b33da392d

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize: 59KB
    MD5: aea1462e5f1f31dd74df7833b5a07305
    SHA1: cea53b9b3311f1003df5d9266f9e3fbd5c971f28
    SHA256: 62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af
    SHA512: 776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

  • memory/2348-152-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2348-142-0x0000000000000000-mapping.dmp
  • memory/2348-155-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/2348-156-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-137-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-140-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-141-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-145-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-133-0x0000000000000000-mapping.dmp
  • memory/3596-136-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/3596-138-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB
  • memory/4700-151-0x0000000000000000-mapping.dmp
  • memory/4728-139-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize: 148KB
  • memory/4728-132-0x0000000000000000-mapping.dmp