Overview

overview

10

Static

static

f5c09ed070...66.dll

windows7-x64

10

f5c09ed070...66.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5c09ed0703b3d8d3d72c7b0bb812be89a532d5b0e6b901f766cc9b3d656fb66.dll

  • Size

    224KB

  • MD5

    2789b7c7e26a77a55a442b318dd4e9ff

  • SHA1

    50a1991c969c5c7670df9f38c3aba38f0f5c46a2

  • SHA256

    f5c09ed0703b3d8d3d72c7b0bb812be89a532d5b0e6b901f766cc9b3d656fb66

  • SHA512

    aafe723b242446de7efaaac247dc67b104a3dd8844ee74297eb69c544414249c14b84692f03f229acfb20c1bd0dbda7b31e32dc59ee86cf6bb719d699f2aa87d

  • SSDEEP

    3072:wh0xWbpiLItpMGuFD9lTc3hcoeSwItEL+0PhnL:whjpi8tGftLxItELD

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f5c09ed0703b3d8d3d72c7b0bb812be89a532d5b0e6b901f766cc9b3d656fb66.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\f5c09ed0703b3d8d3d72c7b0bb812be89a532d5b0e6b901f766cc9b3d656fb66.dll
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4364
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 204
                6⤵
                • Program crash
                PID:5052
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4524
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1324
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4724
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4724 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4364 -ip 4364
      1⤵
        PID:4888

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        2da1d4c1a963fda73c91764e047da0aa

        SHA1

        96f15afa84829555dfc5d890b2882ade25eb6ebd

        SHA256

        665ea468657539ca49a4f1cfdb95431f667a7e145ce7c23cfa3c1aad049d10b5

        SHA512

        b32a9739d889866f913c841f243800f5aa95f1adf60f8b02eac19457e5c28e830eb1908d212dc25a893026d55ca5d273ad6e9acf733cbef4ab492a29d284af63

        Download Submit

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        2da1d4c1a963fda73c91764e047da0aa

        SHA1

        96f15afa84829555dfc5d890b2882ade25eb6ebd

        SHA256

        665ea468657539ca49a4f1cfdb95431f667a7e145ce7c23cfa3c1aad049d10b5

        SHA512

        b32a9739d889866f913c841f243800f5aa95f1adf60f8b02eac19457e5c28e830eb1908d212dc25a893026d55ca5d273ad6e9acf733cbef4ab492a29d284af63

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0EF6AFFE-6B7D-11ED-89AC-E62D9FD3CB0B}.dat
        Filesize

        3KB

        MD5

        24be5c66b2b57446db6d751e70b8a824

        SHA1

        8864860f2110acb86aeb18a6e1d6c110f0cd94b6

        SHA256

        46549d6eac40462bd6454693004c0d97f285bce2f2fb249cd3d27c2ac5dcbeb0

        SHA512

        b0d066f79792f71ba25c94d671aa0d3b7c19b9fbca6257427ee75584dd04d90400c18993b2040942128a2710b95bfbb5b63652e5ca98185f334381cd1426dd51

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0EF9101D-6B7D-11ED-89AC-E62D9FD3CB0B}.dat
        Filesize

        5KB

        MD5

        d61e7276be1f5ddd90f7ba66f28e46d3

        SHA1

        1457550c1e7ecd4d9835c4c71067d754feeb8c7f

        SHA256

        1680349c490903d6f8ba9c9e3d3843755c7dbf5a5bdd3b24233cd05d6e9a9170

        SHA512

        6252a595f8cc6fdf137ebb744fa6db0e2b8cc652fc73abc07c4ccdce81d8ab3c9443d780a285cb611654a4e04876f45b785663485352fe66ac768a36ebbc3ade

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        95KB

        MD5

        2da1d4c1a963fda73c91764e047da0aa

        SHA1

        96f15afa84829555dfc5d890b2882ade25eb6ebd

        SHA256

        665ea468657539ca49a4f1cfdb95431f667a7e145ce7c23cfa3c1aad049d10b5

        SHA512

        b32a9739d889866f913c841f243800f5aa95f1adf60f8b02eac19457e5c28e830eb1908d212dc25a893026d55ca5d273ad6e9acf733cbef4ab492a29d284af63

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        95KB

        MD5

        2da1d4c1a963fda73c91764e047da0aa

        SHA1

        96f15afa84829555dfc5d890b2882ade25eb6ebd

        SHA256

        665ea468657539ca49a4f1cfdb95431f667a7e145ce7c23cfa3c1aad049d10b5

        SHA512

        b32a9739d889866f913c841f243800f5aa95f1adf60f8b02eac19457e5c28e830eb1908d212dc25a893026d55ca5d273ad6e9acf733cbef4ab492a29d284af63

        Download Submit

      • memory/856-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/856-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/856-159-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/856-133-0x0000000000000000-mapping.dmp

        Download

      • memory/856-148-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/856-150-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/856-149-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-161-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-155-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-164-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4028-156-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-140-0x0000000000000000-mapping.dmp

        Download

      • memory/4028-160-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-162-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-152-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4028-154-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4364-153-0x0000000000000000-mapping.dmp

        Download

      • memory/4852-132-0x0000000000000000-mapping.dmp

        Download

      • memory/4852-147-0x000000006D630000-0x000000006D66A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/4852-163-0x000000006D630000-0x000000006D66A000-memory.dmp

        Filesize

        232KB

        Download