Overview

overview

10

Static

static

e9c8d9b4f4...4e.dll

windows7-x64

10

e9c8d9b4f4...4e.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    169s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 01:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e9c8d9b4f457ec13cae760743f1ffdc3b3536afdd684f0654111360f1655034e.dll

  • Size

    164KB

  • MD5

    a64533c99725bd1cc97366505cf9a0b0

  • SHA1

    2dfe060847ea269e7bb6d64cc6215a335199e444

  • SHA256

    e9c8d9b4f457ec13cae760743f1ffdc3b3536afdd684f0654111360f1655034e

  • SHA512

    35ef67c5f418cbcee3db86278c90d23f2021c08266a6df6c9da96f9f55c621c3bc3895c1d9bad82c4c0dd5ac99876dcbb379b963f29fc0c923617c6753824356

  • SSDEEP

    3072:an4cV8gf2u41Z5tKlhpjDoT5zByq57bUIw:g4y8gOl2doT715/UI

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    1⤵
      PID:1912
    • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      1⤵
        PID:1992
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        1⤵
          PID:1096
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
          1⤵
            PID:1768
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c8d9b4f457ec13cae760743f1ffdc3b3536afdd684f0654111360f1655034e.dll,#1
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c8d9b4f457ec13cae760743f1ffdc3b3536afdd684f0654111360f1655034e.dll,#1
              2⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:960
              • C:\Windows\SysWOW64\rundll32Srv.exe
                C:\Windows\SysWOW64\rundll32Srv.exe
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:948
                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:896
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    5⤵
                    • Modifies WinLogon for persistence
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:520
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1556
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
              PID:1312
            • C:\Windows\system32\Dwm.exe
              "C:\Windows\system32\Dwm.exe"
              1⤵
                PID:1276
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                1⤵
                  PID:1176
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  1⤵
                    PID:1060
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    1⤵
                      PID:108
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      1⤵
                        PID:296
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        1⤵
                          PID:876
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          1⤵
                            PID:852
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            1⤵
                              PID:804
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              1⤵
                                PID:764
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                1⤵
                                  PID:680
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  1⤵
                                    PID:600
                                  • C:\Windows\system32\lsm.exe
                                    C:\Windows\system32\lsm.exe
                                    1⤵
                                      PID:484
                                    • C:\Windows\system32\lsass.exe
                                      C:\Windows\system32\lsass.exe
                                      1⤵
                                        PID:476
                                      • C:\Windows\system32\services.exe
                                        C:\Windows\system32\services.exe
                                        1⤵
                                          PID:460
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:416
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:380
                                            • C:\Windows\system32\wininit.exe
                                              wininit.exe
                                              1⤵
                                                PID:368
                                              • C:\Windows\system32\csrss.exe
                                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                1⤵
                                                  PID:332
                                                • C:\Windows\System32\smss.exe
                                                  \SystemRoot\System32\smss.exe
                                                  1⤵
                                                    PID:260

                                                  Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\rundll32Srv.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\rundll32Srv.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • \Program Files (x86)\Microsoft\WaterMark.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • \Program Files (x86)\Microsoft\WaterMark.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • \Windows\SysWOW64\rundll32Srv.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • \Windows\SysWOW64\rundll32Srv.exe
                                                          Filesize

                                                          73KB

                                                          MD5

                                                          181eb934177edfabbc1af33322d7e194

                                                          SHA1

                                                          52d113dc0ef1462dddb8e9e21d73e50856c28fd6

                                                          SHA256

                                                          207fb1bd8d3c387eb10dffb6db7cbd1c68e89356f7beedb7931f0b04ef3e1606

                                                          SHA512

                                                          4f3502b065772eb59365f19396e866c0d7f494b836bf7460cc43a5413e2aefd00e223b51c4d824246ca7dacfd4bc1c48ec30f4c0386aa30c72bb1ff0621874fb

                                                          Download Submit

                                                        • memory/520-79-0x0000000020010000-0x0000000020021000-memory.dmp

                                                          Filesize

                                                          68KB

                                                          Download

                                                        • memory/520-74-0x0000000020010000-0x0000000020021000-memory.dmp

                                                          Filesize

                                                          68KB

                                                          Download

                                                        • memory/520-197-0x0000000020010000-0x0000000020021000-memory.dmp

                                                          Filesize

                                                          68KB

                                                          Download

                                                        • memory/520-70-0x0000000020010000-0x0000000020021000-memory.dmp

                                                          Filesize

                                                          68KB

                                                          Download

                                                        • memory/896-78-0x0000000000400000-0x0000000000453000-memory.dmp

                                                          Filesize

                                                          332KB

                                                          Download

                                                        • memory/896-196-0x0000000000400000-0x0000000000453000-memory.dmp

                                                          Filesize

                                                          332KB

                                                          Download

                                                        • memory/896-67-0x0000000000400000-0x0000000000453000-memory.dmp

                                                          Filesize

                                                          332KB

                                                          Download

                                                        • memory/948-66-0x0000000000400000-0x0000000000453000-memory.dmp

                                                          Filesize

                                                          332KB

                                                          Download

                                                        • memory/960-60-0x0000000000220000-0x0000000000273000-memory.dmp

                                                          Filesize

                                                          332KB

                                                          Download

                                                        • memory/960-55-0x0000000075591000-0x0000000075593000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/1556-81-0x0000000020010000-0x000000002001B000-memory.dmp

                                                          Filesize

                                                          44KB

                                                          Download

                                                        • memory/1556-84-0x0000000020010000-0x000000002001B000-memory.dmp

                                                          Filesize

                                                          44KB

                                                          Download