Overview

overview

10

Static

static

73e529c3e1...8f.dll

windows7-x64

10

73e529c3e1...8f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73e529c3e1192fc1a487b6064dbd0e6cb8b0086808bf771b39f8520669ae388f.dll

  • Size

    144KB

  • MD5

    259c8e3668a6bbe348afaf426fca0930

  • SHA1

    e2ae0c8e9b5a43eca42735251ea35d3bfff2b71f

  • SHA256

    73e529c3e1192fc1a487b6064dbd0e6cb8b0086808bf771b39f8520669ae388f

  • SHA512

    0cbc094dd6136a1b9dcf1ea06002bb13136202c0bff38389e1ae0005f4bf2b88367af01210c569bed3f255707a6b454a1266b06adcd2582b9d0781379a9b26e0

  • SSDEEP

    3072:1NEqkap78EbW7N1jv1VEfiZ4k/MGjYWL3aeX8:fEqkE4txv8iZlkGzms8

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e529c3e1192fc1a487b6064dbd0e6cb8b0086808bf771b39f8520669ae388f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e529c3e1192fc1a487b6064dbd0e6cb8b0086808bf771b39f8520669ae388f.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4872
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 208
                6⤵
                • Program crash
                PID:1744
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1608
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4464
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4284
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4284 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4872 -ip 4872
      1⤵
        PID:2248

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        96KB

        MD5

        617f9327ee304a9db6bb3a8a5dccfefc

        SHA1

        fc6b07010521d72f1ea20978bb3a98b15cf07d0e

        SHA256

        fb0d039f3bb02f9976395bd44364114ade00c9b55d5850bf1d420f1eca509661

        SHA512

        cef1f5a310b61822a9d59e8a8f6995473711e28151f821f732da3e6669de8644305718d9f79eaa6dd9326a5fe2b349524b88c9151eca52e6336bb553b7920f90

        Download Submit
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        96KB

        MD5

        617f9327ee304a9db6bb3a8a5dccfefc

        SHA1

        fc6b07010521d72f1ea20978bb3a98b15cf07d0e

        SHA256

        fb0d039f3bb02f9976395bd44364114ade00c9b55d5850bf1d420f1eca509661

        SHA512

        cef1f5a310b61822a9d59e8a8f6995473711e28151f821f732da3e6669de8644305718d9f79eaa6dd9326a5fe2b349524b88c9151eca52e6336bb553b7920f90

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEE5D9BF-7401-11ED-BF5F-5695DBFAB5D8}.dat
        Filesize

        3KB

        MD5

        6965fa0037082fc2808eacd93bf3763b

        SHA1

        a62374653ac116f1102a934f260121a7b01842db

        SHA256

        4adb67e28641b307b22557e72e06e7826afc8b224f933c2e4d5d4b067fb92f23

        SHA512

        bd5e633b7f491cbec2d3bae6e8b354f5ef5377ca6796d3692e0dde5fc8dccc5b85de30c09f625f63751192353ef8358b2284e56c3e4b375f59096d3a861ed674

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEEAA124-7401-11ED-BF5F-5695DBFAB5D8}.dat
        Filesize

        5KB

        MD5

        45b226b76f4fa6f46a656974804250fa

        SHA1

        c587aaa6dd5cd2bffa7b2cdec534132d751faf9d

        SHA256

        6b1fbc72f728fd1d7fe2d9c69eb8fab109aac392ff426ed51baef0fbd95c4b69

        SHA512

        50f5a70233ee221f0ca8ed3a6cc16176a96e8cc561467ead26769665d9d84c2089a8a1ab293d1a330b5b965e8fa3e2313597483a47ca40145780f7fb642ee1a6

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        96KB

        MD5

        617f9327ee304a9db6bb3a8a5dccfefc

        SHA1

        fc6b07010521d72f1ea20978bb3a98b15cf07d0e

        SHA256

        fb0d039f3bb02f9976395bd44364114ade00c9b55d5850bf1d420f1eca509661

        SHA512

        cef1f5a310b61822a9d59e8a8f6995473711e28151f821f732da3e6669de8644305718d9f79eaa6dd9326a5fe2b349524b88c9151eca52e6336bb553b7920f90

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        96KB

        MD5

        617f9327ee304a9db6bb3a8a5dccfefc

        SHA1

        fc6b07010521d72f1ea20978bb3a98b15cf07d0e

        SHA256

        fb0d039f3bb02f9976395bd44364114ade00c9b55d5850bf1d420f1eca509661

        SHA512

        cef1f5a310b61822a9d59e8a8f6995473711e28151f821f732da3e6669de8644305718d9f79eaa6dd9326a5fe2b349524b88c9151eca52e6336bb553b7920f90

        Download Submit
      • memory/1996-150-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1996-142-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-143-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-144-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-145-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-146-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-147-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-140-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1996-137-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1996-141-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1996-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3492-136-0x000000006D040000-0x000000006D064000-memory.dmp
        Filesize

        144KB

        Download
      • memory/3492-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4280-148-0x0000000000000000-mapping.dmp
        Download
      • memory/4280-158-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-159-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-162-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-163-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-164-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-165-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4280-157-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4280-156-0x0000000000400000-0x0000000000436000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4872-161-0x0000000000000000-mapping.dmp
        Download