Overview

overview

10

Static

static

0c2c089d93...96.dll

windows7-x64

8

0c2c089d93...96.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c2c089d9341b6c1e1511cfe02d6cc3c2bca4a2ed451a174deda6fd8cb619296.dll

  • Size

    2.3MB

  • MD5

    0ff3cd66f402c409e341afaceeab1d1a

  • SHA1

    fd3aa891831d41b727a8e47c2e17c47d221e7205

  • SHA256

    0c2c089d9341b6c1e1511cfe02d6cc3c2bca4a2ed451a174deda6fd8cb619296

  • SHA512

    fbe1e739a5ad1472718ed7d13e6e69cb0222b7c6eeb99959c8e2e4db4113a6a12fceebaf54a7539216277aedc24416526527306cd2756d4938653e6878aeab96

  • SSDEEP

    49152:gU3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEt:giU2YmxjpDx4Zo8dYNh9q73h7NXYkRim

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2c089d9341b6c1e1511cfe02d6cc3c2bca4a2ed451a174deda6fd8cb619296.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2c089d9341b6c1e1511cfe02d6cc3c2bca4a2ed451a174deda6fd8cb619296.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4640
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 204
                6⤵
                • Program crash
                PID:1900
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:5008
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 636
          3⤵
          • Program crash
          PID:4300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3704 -ip 3704
      1⤵
        PID:1896
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4640 -ip 4640
        1⤵
          PID:2720

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          92KB

          MD5

          f3cd42733c9f17686eb97e547f595220

          SHA1

          63579bee2925fc4c6dc1c1d1c43548bdfb474e32

          SHA256

          46eeefd6ce0063d613b07a8a4765b23ae0dd30c5ee5638294c696a81da47e758

          SHA512

          82d426939e4d3155b7260eb9b67680652a68deebfc7391307a70647f17f8621d744389c791b1585f34b4aaf16ea309901363189b07a1962b0f3bdae3c3ef0fb4

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          92KB

          MD5

          f3cd42733c9f17686eb97e547f595220

          SHA1

          63579bee2925fc4c6dc1c1d1c43548bdfb474e32

          SHA256

          46eeefd6ce0063d613b07a8a4765b23ae0dd30c5ee5638294c696a81da47e758

          SHA512

          82d426939e4d3155b7260eb9b67680652a68deebfc7391307a70647f17f8621d744389c791b1585f34b4aaf16ea309901363189b07a1962b0f3bdae3c3ef0fb4

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          92KB

          MD5

          f3cd42733c9f17686eb97e547f595220

          SHA1

          63579bee2925fc4c6dc1c1d1c43548bdfb474e32

          SHA256

          46eeefd6ce0063d613b07a8a4765b23ae0dd30c5ee5638294c696a81da47e758

          SHA512

          82d426939e4d3155b7260eb9b67680652a68deebfc7391307a70647f17f8621d744389c791b1585f34b4aaf16ea309901363189b07a1962b0f3bdae3c3ef0fb4

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          92KB

          MD5

          f3cd42733c9f17686eb97e547f595220

          SHA1

          63579bee2925fc4c6dc1c1d1c43548bdfb474e32

          SHA256

          46eeefd6ce0063d613b07a8a4765b23ae0dd30c5ee5638294c696a81da47e758

          SHA512

          82d426939e4d3155b7260eb9b67680652a68deebfc7391307a70647f17f8621d744389c791b1585f34b4aaf16ea309901363189b07a1962b0f3bdae3c3ef0fb4

          Download Submit

        • memory/2188-143-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2188-140-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2188-139-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3704-151-0x0000000008000000-0x0000000008252000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/5092-152-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/5092-153-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/5092-154-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/5092-155-0x0000000000400000-0x000000000045D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/5092-156-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download