Overview

overview

10

Static

static

0ba769bdf9...43.dll

windows7-x64

1

0ba769bdf9...43.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ba769bdf9fd673b46a6b8174bfef97dbac3d9912811662f07dfc38085d19943.dll

  • Size

    345KB

  • MD5

    09a7bf5f41b4e8239501157ac037467d

  • SHA1

    fb4a06d98c001bebbbac2611fbca463bb738e223

  • SHA256

    0ba769bdf9fd673b46a6b8174bfef97dbac3d9912811662f07dfc38085d19943

  • SHA512

    afbc910cdde6ece3b3762c5a0aa825e4d1371ad1cafb3b98653ffec68de80f448f6e6a23d5ef42d26d1b1ff80e50e7d5110dc074f34454be511361045be3d8b1

  • SSDEEP

    6144:eMJOWK4l0wqOVq1cC3dqzKIQ8v7Aw81Ztq:e2OWK4ll7lmIQCn8s

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ba769bdf9fd673b46a6b8174bfef97dbac3d9912811662f07dfc38085d19943.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ba769bdf9fd673b46a6b8174bfef97dbac3d9912811662f07dfc38085d19943.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:2432
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 208
                  7⤵
                  • Program crash
                  PID:176
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4916
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:428
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4612
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4612 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2432 -ip 2432
      1⤵
        PID:4940

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        77b3198beb32d317a1e1fe0377105f13

        SHA1

        0851b5e1ba631a3e609b21d4e731054b119588f9

        SHA256

        c6eddbbd6ac5d62e57662187eff027b97afd275e80ff0d6c1dde880406ac50fa

        SHA512

        eaae564563ac61f291c675c3b9353739c66200c05ea630f75298de0af243aff063a23fce3938e477dcfcaf0446c4aaf69f1f83a25aa9a031ceeb0617222327b8

        Download Submit
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        77b3198beb32d317a1e1fe0377105f13

        SHA1

        0851b5e1ba631a3e609b21d4e731054b119588f9

        SHA256

        c6eddbbd6ac5d62e57662187eff027b97afd275e80ff0d6c1dde880406ac50fa

        SHA512

        eaae564563ac61f291c675c3b9353739c66200c05ea630f75298de0af243aff063a23fce3938e477dcfcaf0446c4aaf69f1f83a25aa9a031ceeb0617222327b8

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83162DA3-6B66-11ED-BF5F-6EDF9685419A}.dat
        Filesize

        4KB

        MD5

        2f8e71f5a5108ab1c83f5852412fdde2

        SHA1

        c7dc04c9ce990c38b173c0a200d6d6fa52cbcc99

        SHA256

        5958aaa9a1dd1b04c6b5287c318c8f23c0c629e154983dcbcb2166df8bee18cf

        SHA512

        60773213b16d2516fa870280b7717e74c8be44dbb12bd97809fed90ff318f298d012197d34746fc96a4dc28434ebd6d08bde5600b32d9aadc6bddd4ec906659a

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{831AF0B3-6B66-11ED-BF5F-6EDF9685419A}.dat
        Filesize

        5KB

        MD5

        38c5987db3685bde54f619a344158c91

        SHA1

        901fef1a27ca2567423ffec112aff0b6a28b3989

        SHA256

        d7872625c21a1d223aec06e731afa73a475c00b243ae12f31f5658eacfdbfb08

        SHA512

        60060e77e901c8f5ba39f5254038ae67721025c9389c70578f93518aa61dc10301f9f9b143cd720043a2c4a39dfcbaefe7b7cfea0504881b34f1502af455602a

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        193KB

        MD5

        71d005c3e3650430cde76b1ad3b88640

        SHA1

        2371bf5566d607685605ca8909b1c4195b9fb9e7

        SHA256

        6fc70b46729c3fd595371f5996cea4df00fdd9e0c12190ae7d6f22e7f47f81e5

        SHA512

        bffb39484790b958ee68674f4c1418417b9321a212e99ccf462e86b0347c5e9c8430154c237377a5f833be66a4432a669eac8b85e7d64e480ee30c4376b3d8af

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        193KB

        MD5

        71d005c3e3650430cde76b1ad3b88640

        SHA1

        2371bf5566d607685605ca8909b1c4195b9fb9e7

        SHA256

        6fc70b46729c3fd595371f5996cea4df00fdd9e0c12190ae7d6f22e7f47f81e5

        SHA512

        bffb39484790b958ee68674f4c1418417b9321a212e99ccf462e86b0347c5e9c8430154c237377a5f833be66a4432a669eac8b85e7d64e480ee30c4376b3d8af

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Filesize

        95KB

        MD5

        77b3198beb32d317a1e1fe0377105f13

        SHA1

        0851b5e1ba631a3e609b21d4e731054b119588f9

        SHA256

        c6eddbbd6ac5d62e57662187eff027b97afd275e80ff0d6c1dde880406ac50fa

        SHA512

        eaae564563ac61f291c675c3b9353739c66200c05ea630f75298de0af243aff063a23fce3938e477dcfcaf0446c4aaf69f1f83a25aa9a031ceeb0617222327b8

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Filesize

        95KB

        MD5

        77b3198beb32d317a1e1fe0377105f13

        SHA1

        0851b5e1ba631a3e609b21d4e731054b119588f9

        SHA256

        c6eddbbd6ac5d62e57662187eff027b97afd275e80ff0d6c1dde880406ac50fa

        SHA512

        eaae564563ac61f291c675c3b9353739c66200c05ea630f75298de0af243aff063a23fce3938e477dcfcaf0446c4aaf69f1f83a25aa9a031ceeb0617222327b8

        Download Submit
      • memory/1776-167-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-170-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-173-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1776-172-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-171-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-169-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-166-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-165-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-164-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1776-150-0x0000000000000000-mapping.dmp
        Download
      • memory/1944-137-0x0000000000400000-0x0000000000464000-memory.dmp
        Filesize

        400KB

        Download
      • memory/1944-133-0x0000000000000000-mapping.dmp
        Download
      • memory/1944-151-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1944-146-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1944-152-0x0000000000400000-0x0000000000464000-memory.dmp
        Filesize

        400KB

        Download
      • memory/2432-163-0x0000000000000000-mapping.dmp
        Download
      • memory/3960-141-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3960-168-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3960-155-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3960-154-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3960-148-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3960-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3960-158-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4360-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4360-136-0x0000000010000000-0x000000001005B000-memory.dmp
        Filesize

        364KB

        Download