Overview

overview

10

Static

static

e4a3e5ce9e...61.dll

windows7-x64

8

e4a3e5ce9e...61.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4a3e5ce9e0675235f733c9cf687cdc0d1f76de6f92c9b6844a845c76750ca61.dll

  • Size

    2.4MB

  • MD5

    f5767296fa1364afd6536822d07ffaa2

  • SHA1

    089a525adae971caec5ffb4159fb07484ad0f168

  • SHA256

    e4a3e5ce9e0675235f733c9cf687cdc0d1f76de6f92c9b6844a845c76750ca61

  • SHA512

    0350ad4547b107997f098bd6b05497c6143aafa3c69506d2ece7014050174e30dd52d65912fe4fd7337f5b6a3de7d66dd02df1a9f540f425bd6bc095b8d73f3f

  • SSDEEP

    49152:v3pp9ziy5bRCrEaoWzw7ai91wgvTBBsCkh9Sp3BVcmUG8lFN6ijGUKYsVMLz6onr:v3pv+y5dIVs7aWPvTBBKh9UBVc/ln16u

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4a3e5ce9e0675235f733c9cf687cdc0d1f76de6f92c9b6844a845c76750ca61.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4a3e5ce9e0675235f733c9cf687cdc0d1f76de6f92c9b6844a845c76750ca61.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:796
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1012
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 204
                6⤵
                • Program crash
                PID:5108
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3844
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3844 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4224
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4480
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 628
          3⤵
          • Program crash
          PID:4420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4836 -ip 4836
      1⤵
        PID:3264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1012 -ip 1012
        1⤵
          PID:1284

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          f8f8086f87156d14091b152fcaadc3ce

          SHA1

          fe3cfbf9e2e871c948300473593dfcf189013386

          SHA256

          8d92f28b70ed5265fafad8b37ce049b0b8ecad038745173acc35a21b8222bf56

          SHA512

          1235be77513694a1478459e999631920be42183a6993dc1f93333831eaa54ea60c7d8617029289c95fed2f861fc7aa79da551c128df4428d23752044eb68ba7a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          f8f8086f87156d14091b152fcaadc3ce

          SHA1

          fe3cfbf9e2e871c948300473593dfcf189013386

          SHA256

          8d92f28b70ed5265fafad8b37ce049b0b8ecad038745173acc35a21b8222bf56

          SHA512

          1235be77513694a1478459e999631920be42183a6993dc1f93333831eaa54ea60c7d8617029289c95fed2f861fc7aa79da551c128df4428d23752044eb68ba7a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          1f8a0b4a407f717aa6f7c6be9e1b4faf

          SHA1

          98018de9b35d467186aefafd88a19ee8ed97fa95

          SHA256

          aeb91e49b906d75deef097a9fc6df2acffdec0ce0cce49aa26f0b383e5b01643

          SHA512

          8080aa8b7a93453feedf0c94505fdaf4f1963eeafbd95178bf8f44e6980feca32fbf012a7562aec5655245b4ab70b4e6d4d30f4802e4bf2bc636575ef5596579

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          3ce9611fb2b64b8e0f79afc04003242f

          SHA1

          0dedeff376d0bb25b3f4a2c300d91c03c146ac8b

          SHA256

          32648a9680dd7bb24570d08253da5c9f199153acbb0c13a7e015467427e5f01a

          SHA512

          2eb0c8e10b0fd3f40c3c2453f370bf52b847cd2b444769deb0eadea21ccb7860b919dfc6ca352bbc6d74554048e3e59d3b6c7aba56b0dce431d36691fde9da98

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A916BDEB-7565-11ED-A0EE-5ECEF326E858}.dat
          Filesize

          5KB

          MD5

          0ced6f9a981ae915879383e7e397d7fb

          SHA1

          32b1e43513c98c7b49ccb35c2512ed6f23aa405d

          SHA256

          f2e2e5127a2a30a271835be7661f6e0f08852c44417e673c6ea14f3460707666

          SHA512

          c6f7f2be2f4c88b09729acfdff13350c349ca7a0c0b388d05e9b81ae434e3cb555d555b48dd6f6b538215f1c55e88c63d814f560c6092c3f504b5175cce63ad3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A916E4FB-7565-11ED-A0EE-5ECEF326E858}.dat
          Filesize

          3KB

          MD5

          07ef2b727c2dbe2e05a2ad448f8aa0c2

          SHA1

          d9572bee7baf27a0f2fb89c5649d14d039e6927a

          SHA256

          659e41668c0e63ce20c2dbffe4f431c64b54eae3655823e41a16ddb2f4a4c4d4

          SHA512

          7efb7829e04c840da681532000dff86fca4bd8a5e29c913d5050778c7210637de1c34f859cfeccc43ef23eae86b7428f55931fce53eec15f1c0bbbfd5aba3d46

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • memory/796-155-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/796-154-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/796-151-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1680-136-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1680-144-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1680-138-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1680-139-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1680-137-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4836-150-0x00000000755A0000-0x000000007580F000-memory.dmp

          Filesize

          2.4MB

          Download