Overview

overview

10

Static

static

8129be9f69...13.dll

windows7-x64

8

8129be9f69...13.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8129be9f6956e7d26e42317663af4001e792dc7d1cc51f6bbd8006cb0184c913.dll

  • Size

    353KB

  • MD5

    280601f551e919aeb97b199e8e4d4b8c

  • SHA1

    e251a0c8f0b8f09e74209ac5783875fc8c60cd12

  • SHA256

    8129be9f6956e7d26e42317663af4001e792dc7d1cc51f6bbd8006cb0184c913

  • SHA512

    bdddf45902a95bcc09c181aea0b15f48cb6c0e311d2f290b3885cda583b4f781517e02c7ec34fb0bff517de1e63e9287d32a79d81678ddafdc53c1a5e81dabe0

  • SSDEEP

    6144:HCIGPj038tAgFMldWNX+ij4kaAW/Q6Za49yf0Oy:cj038t/FMldW4dkanQma49yf4

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 5 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8129be9f6956e7d26e42317663af4001e792dc7d1cc51f6bbd8006cb0184c913.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8129be9f6956e7d26e42317663af4001e792dc7d1cc51f6bbd8006cb0184c913.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of UnmapMainImage
          PID:4444
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:5032
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2360
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                  PID:512
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 204
                    8⤵
                    • Program crash
                    PID:2688
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  PID:224
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  PID:3408
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:4212
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 204
                  6⤵
                  • Program crash
                  PID:1720
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3484
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:17410 /prefetch:2
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4692
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3584
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:17410 /prefetch:2
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616
            3⤵
            • Program crash
            PID:3348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3060 -ip 3060
        1⤵
          PID:844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4212 -ip 4212
          1⤵
            PID:4132
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 512 -ip 512
            1⤵
              PID:3020

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                    Filesize

                    186KB

                    MD5

                    7849d40b95e55b6601c71becad386f68

                    SHA1

                    ae139b70619664c6347bc3eb167291ad46e1af8a

                    SHA256

                    17d00564f07cbd194b97512a3ee72736ad7522230cee2952bd319887d5822750

                    SHA512

                    a27563461a1ec53b4ca812509b09636b0d79bed42448cd52377e827378efe25d51896a73b823cdb41d026672241ef424753b84e1b47cbd741d818385020fbeef

                    Download Submit

                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                    Filesize

                    186KB

                    MD5

                    7849d40b95e55b6601c71becad386f68

                    SHA1

                    ae139b70619664c6347bc3eb167291ad46e1af8a

                    SHA256

                    17d00564f07cbd194b97512a3ee72736ad7522230cee2952bd319887d5822750

                    SHA512

                    a27563461a1ec53b4ca812509b09636b0d79bed42448cd52377e827378efe25d51896a73b823cdb41d026672241ef424753b84e1b47cbd741d818385020fbeef

                    Download Submit

                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                    Filesize

                    186KB

                    MD5

                    7849d40b95e55b6601c71becad386f68

                    SHA1

                    ae139b70619664c6347bc3eb167291ad46e1af8a

                    SHA256

                    17d00564f07cbd194b97512a3ee72736ad7522230cee2952bd319887d5822750

                    SHA512

                    a27563461a1ec53b4ca812509b09636b0d79bed42448cd52377e827378efe25d51896a73b823cdb41d026672241ef424753b84e1b47cbd741d818385020fbeef

                    Download Submit

                  • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                    Filesize

                    92KB

                    MD5

                    e4a98325a6721a477e66b0b0c20d4ad4

                    SHA1

                    5ddb2e57a78bd9fbc7a7446ea16f82bfe1143ca8

                    SHA256

                    8f5ee7751bf22af7b994e4c71f9717a527ca0c69ee14b4956a60c948cf029729

                    SHA512

                    fa1c714009d9434f67af3d8a2007f2b955183724e4e9b38ab25edefccd6db60db07962a3c1eeceb3d4e3d3ff262bf73907eb6c5218337494cd9ce996c72f3b0d

                    Download Submit

                  • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                    Filesize

                    92KB

                    MD5

                    e4a98325a6721a477e66b0b0c20d4ad4

                    SHA1

                    5ddb2e57a78bd9fbc7a7446ea16f82bfe1143ca8

                    SHA256

                    8f5ee7751bf22af7b994e4c71f9717a527ca0c69ee14b4956a60c948cf029729

                    SHA512

                    fa1c714009d9434f67af3d8a2007f2b955183724e4e9b38ab25edefccd6db60db07962a3c1eeceb3d4e3d3ff262bf73907eb6c5218337494cd9ce996c72f3b0d

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    471B

                    MD5

                    a62e66dbd157955d60808bf89987bcde

                    SHA1

                    a97e8478902ac7db7fd904300304944a41afee8e

                    SHA256

                    d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

                    SHA512

                    2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    471B

                    MD5

                    a62e66dbd157955d60808bf89987bcde

                    SHA1

                    a97e8478902ac7db7fd904300304944a41afee8e

                    SHA256

                    d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

                    SHA512

                    2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    434B

                    MD5

                    bb99a85c6d91d6e1d69660156c9a06e1

                    SHA1

                    c1697611acfd8eea5befd31e413fc09348f33ada

                    SHA256

                    14edfe701714d225b4f66088addca0fd38d465cd80c6b9e7ba77409fdffe7b38

                    SHA512

                    de6425c9c96935628c61647794b672197518094b9a692f05e9450c721bdeac08e9e3f426b1769b4f6f354ffa87b9a32b1c8120d9e540350df125044bfea0b1dd

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    434B

                    MD5

                    0e66757e30e961a0ee0f80b4c17f345b

                    SHA1

                    8ee6dd08272a3b03d386884da26e53596881ce29

                    SHA256

                    c079b957a29df471fdf9126ab8571fd3d93ac830e1d200eb3ccebf2916951fd0

                    SHA512

                    b82e720880ad739ba1b46e2fa007dd98aa53a5e349fe1f508a1b763db621ad8e8cfd563544db2fd18de3d9fef40e3b26b1e91379c40e9e2d418f94cd6087fa7e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D56029DA-762C-11ED-B696-5A10AEE59B4B}.dat
                    Filesize

                    5KB

                    MD5

                    fbd2bc3c05d15dbeef1c98d2cd3c0976

                    SHA1

                    cc6e1fd500747e7b00386b1df58139c0b05bffe8

                    SHA256

                    87f202215d968615d24c50426ddcf3c91756bcafc4c5a334d0a2afd9c63f83bf

                    SHA512

                    1fdaf00b3c0d78301d333f3006d283dda981e0186b909649ee2eef5c8b035a856f47e84622db781ea75357f871e37df919c1decc6c8fd5fd21c7865725796d21

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D562897E-762C-11ED-B696-5A10AEE59B4B}.dat
                    Filesize

                    4KB

                    MD5

                    0b14248a1fd216884b31a9b41c40f45a

                    SHA1

                    10bc530d207b84abb51600f315d8d3959650daaa

                    SHA256

                    636fa8979e99e52077cc8eab81ab9f74d1ad5a2deb5bbcfd05a8b512ce9bf6b3

                    SHA512

                    27d90a0e4db60c38680ebeeb474d241ef89e7d83ef0513c9822a235618c88dd3a3916c734f7f14da1edb5f99d01e60e1815501abb80c345b22dc4383103634d4

                    Download Submit

                  • C:\Windows\SysWOW64\rundll32mgr.exe
                    Filesize

                    186KB

                    MD5

                    7849d40b95e55b6601c71becad386f68

                    SHA1

                    ae139b70619664c6347bc3eb167291ad46e1af8a

                    SHA256

                    17d00564f07cbd194b97512a3ee72736ad7522230cee2952bd319887d5822750

                    SHA512

                    a27563461a1ec53b4ca812509b09636b0d79bed42448cd52377e827378efe25d51896a73b823cdb41d026672241ef424753b84e1b47cbd741d818385020fbeef

                    Download Submit

                  • C:\Windows\SysWOW64\rundll32mgr.exe
                    Filesize

                    186KB

                    MD5

                    7849d40b95e55b6601c71becad386f68

                    SHA1

                    ae139b70619664c6347bc3eb167291ad46e1af8a

                    SHA256

                    17d00564f07cbd194b97512a3ee72736ad7522230cee2952bd319887d5822750

                    SHA512

                    a27563461a1ec53b4ca812509b09636b0d79bed42448cd52377e827378efe25d51896a73b823cdb41d026672241ef424753b84e1b47cbd741d818385020fbeef

                    Download Submit

                  • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                    Filesize

                    92KB

                    MD5

                    e4a98325a6721a477e66b0b0c20d4ad4

                    SHA1

                    5ddb2e57a78bd9fbc7a7446ea16f82bfe1143ca8

                    SHA256

                    8f5ee7751bf22af7b994e4c71f9717a527ca0c69ee14b4956a60c948cf029729

                    SHA512

                    fa1c714009d9434f67af3d8a2007f2b955183724e4e9b38ab25edefccd6db60db07962a3c1eeceb3d4e3d3ff262bf73907eb6c5218337494cd9ce996c72f3b0d

                    Download Submit

                  • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                    Filesize

                    92KB

                    MD5

                    e4a98325a6721a477e66b0b0c20d4ad4

                    SHA1

                    5ddb2e57a78bd9fbc7a7446ea16f82bfe1143ca8

                    SHA256

                    8f5ee7751bf22af7b994e4c71f9717a527ca0c69ee14b4956a60c948cf029729

                    SHA512

                    fa1c714009d9434f67af3d8a2007f2b955183724e4e9b38ab25edefccd6db60db07962a3c1eeceb3d4e3d3ff262bf73907eb6c5218337494cd9ce996c72f3b0d

                    Download Submit

                  • memory/952-195-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-191-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-189-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-166-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-163-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-167-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-192-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-184-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/952-198-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1460-150-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1460-145-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1460-142-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/2360-197-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-193-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-178-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-185-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-186-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-180-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-196-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/2360-194-0x0000000000400000-0x0000000000475000-memory.dmp

                    Filesize

                    468KB

                    Download

                  • memory/3060-158-0x0000000010000000-0x000000001005D000-memory.dmp

                    Filesize

                    372KB

                    Download

                  • memory/4444-147-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/5032-175-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/5032-190-0x0000000000400000-0x000000000045D000-memory.dmp

                    Filesize

                    372KB

                    Download

                  • memory/5032-161-0x0000000000400000-0x000000000045D000-memory.dmp

                    Filesize

                    372KB

                    Download

                  • memory/5032-176-0x0000000000400000-0x000000000045D000-memory.dmp

                    Filesize

                    372KB

                    Download

                  • memory/5032-170-0x0000000000400000-0x000000000045D000-memory.dmp

                    Filesize

                    372KB

                    Download

                  • memory/5032-168-0x0000000000400000-0x000000000045D000-memory.dmp

                    Filesize

                    372KB

                    Download