Analysis
-
max time kernel
38s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 17:13
General
-
Target
5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll
-
Size
876KB
-
MD5
57c9d8fe23f8940f2adf63544e5cab34
-
SHA1
15a8a06fb1f753f090eb3863f931ffd3c5d78daf
-
SHA256
5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f
-
SHA512
97f9a998901cc5dee1cb0735d0f46064dfd28297e9b1656708b10761aa82d3fc49892cc0c443450df481c3b1c952662cdf33c705d7bedfa306aeb85e6af48587
-
SSDEEP
12288:UPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuEOTRPa94:UPSH4hQP/RN2fLqNK9QV4qBH1AM94
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5e2d1f6f2603fc4d102b0851cd5a80b05e124a73bf551214b92a940e6204927f.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\SYSWOW64\RUNDLL32MGR.EXEFilesize
211KB
MD5e1b0d496aa15f2189e5ecfad81d36456
SHA1a58707563d183c55d40f16e461cd0bbe8acca529
SHA25605690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d
SHA512eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
211KB
MD5e1b0d496aa15f2189e5ecfad81d36456
SHA1a58707563d183c55d40f16e461cd0bbe8acca529
SHA25605690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d
SHA512eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
211KB
MD5e1b0d496aa15f2189e5ecfad81d36456
SHA1a58707563d183c55d40f16e461cd0bbe8acca529
SHA25605690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d
SHA512eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
211KB
MD5e1b0d496aa15f2189e5ecfad81d36456
SHA1a58707563d183c55d40f16e461cd0bbe8acca529
SHA25605690e8e01ff53f41cdb3e3043dedcded9b7306134c416ba2e11dc53e54e245d
SHA512eeb18da576574b296a077affa792554ed230ffc7fa2289e02f73f73d385d5f8dc37a9e3bc65d4643486be2e7b6243fc9ce798eb478c3e05fafa7932cb58a853a
-
memory/1064-54-0x0000000000000000-mapping.dmp
-
memory/1064-55-0x0000000075531000-0x0000000075533000-memory.dmpFilesize
8KB
-
memory/1064-63-0x000000007EFA0000-0x000000007EFAA000-memory.dmpFilesize
40KB
-
memory/1988-58-0x0000000000000000-mapping.dmp
-
memory/1988-62-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1988-64-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1988-66-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB