Analysis

  • max time kernel
    154s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 17:12

General

  • Target

    ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll

  • Size

    163KB

  • MD5

    2ad25d81e8d455471a4f9f803acd02ce

  • SHA1

    0580f084f662cf2b79896eceec2cc57e44e95507

  • SHA256

    ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406

  • SHA512

    56a5d0e48c49918130b173291d75f41c73f85e63615d11ad64bf25ee5fcb97404e8521253a097f7cffa8432693abb8b1394c04d1601f6e69066985cdb7709a77

  • SSDEEP

    3072:nv4tCk6tj9tnCRLMGbwQG52xKUgfyFRsxxulukd0pF:vMAtCRYGbG52gUHRU

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 19 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\qnOwJ23
        "qnOwJ23"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:648
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 208
            5⤵
            • Program crash
            PID:3596
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3264
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:4728
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 204
            5⤵
            • Program crash
            PID:3228
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            PID:4400
        • C:\Users\Admin\AppData\Local\Temp\dmcmnsbgfflfgjrw.exe
          "C:\Users\Admin\AppData\Local\Temp\dmcmnsbgfflfgjrw.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 648 -ip 648
    1⤵
    PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4728 -ip 4728
    1⤵
    PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry: 1 (T1112)
  • Discovery
    Query Registry: 1 (T1012)
    System Information Discovery: 2 (T1082)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dmcmnsbgfflfgjrw.exe
    Filesize: 95KB
    MD5: 5b1a0c379ccc8cab0d06cbeb1338451b
    SHA1: ae615e94824e0547027768d74d03af8b23fefd4d
    SHA256: 2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29
    SHA512: a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

  • C:\Users\Admin\AppData\Local\Temp\qnOwJ23
    Filesize: 95KB
    MD5: 5b1a0c379ccc8cab0d06cbeb1338451b
    SHA1: ae615e94824e0547027768d74d03af8b23fefd4d
    SHA256: 2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29
    SHA512: a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

  • memory/648-137-0x0000000000000000-mapping.dmp
  • memory/2056-139-0x0000000000400000-0x000000000043A0CC-memory.dmp
    Filesize: 232KB
  • memory/2056-133-0x0000000000000000-mapping.dmp
  • memory/2056-144-0x0000000000400000-0x000000000043A0CC-memory.dmp
    Filesize: 232KB
  • memory/4152-142-0x0000000000000000-mapping.dmp
  • memory/4152-146-0x0000000000400000-0x000000000043A0CC-memory.dmp
    Filesize: 232KB
  • memory/4728-141-0x0000000000000000-mapping.dmp
  • memory/4940-138-0x0000000050590000-0x00000000505BB000-memory.dmp
    Filesize: 172KB
  • memory/4940-132-0x0000000000000000-mapping.dmp