Overview

overview

10

Static

static

769ae08e6e...85.dll

windows7-x64

8

769ae08e6e...85.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    769ae08e6e1189ebd0eebd460e25cc1b6ee614a119a5966d5c92ba18e6c36585.dll

  • Size

    444KB

  • MD5

    bf60e849797fdead87fd3c67d7376fd0

  • SHA1

    c21c58c190aad0303041e9e53bfc92413cae25c2

  • SHA256

    769ae08e6e1189ebd0eebd460e25cc1b6ee614a119a5966d5c92ba18e6c36585

  • SHA512

    0868f45a64656a82ee87e9d0d31abee17063710106d16bd991272545131915545243f090f87fe301074dd33676077f3b72209bae4dddc921e3a23da1a4cfaef8

  • SSDEEP

    12288:fehnaNPpSVZmNxRCwnwm3W3OHIIf5w9PeCc4QjUmk:feh0PpS6NxNnwYeOHXIPzQAmk

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\769ae08e6e1189ebd0eebd460e25cc1b6ee614a119a5966d5c92ba18e6c36585.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\769ae08e6e1189ebd0eebd460e25cc1b6ee614a119a5966d5c92ba18e6c36585.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4224
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2256
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 208
                6⤵
                • Program crash
                PID:492
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3480
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4948
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3688 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 608
          3⤵
          • Program crash
          PID:204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1700 -ip 1700
      1⤵
        PID:4764
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2256 -ip 2256
        1⤵
          PID:3832

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24313E36-7634-11ED-BF5F-D668443210E4}.dat
          Filesize

          5KB

          MD5

          523c9d1af22a0f68d7c0d054c32ad18c

          SHA1

          5d014fa5250cdc015971ee1db98720fa9a147be4

          SHA256

          5e29fa30f109faad3f41b592772218848e0ad66064296bdf28e163885dbd3402

          SHA512

          3a612d812db408a57c64ce4c74368a34b3d116b7015f8d3e1dcdea8e0fbc0eae93dad37419aa8c6ac8880f63c04954b3f5b26b55fb31d3cdcfcb41b9a70453a6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{283273D2-7634-11ED-BF5F-D668443210E4}.dat
          Filesize

          3KB

          MD5

          fe51ea602ee73264795560d04eb7e760

          SHA1

          f9538030a8a662477a0423c6bcd07442a4453cda

          SHA256

          ee00888d50e6e07a3a94c0f1f07c98dcd612a52859309deb8f75d648f4578a82

          SHA512

          2e9bbf599cb8a08c8afa5ed7151d524782b2aac26211fcbdedfb7ab320537ee87d26abb29125d415d131f6242fe67c4cf4e62481020c44825372efac9e6d8a88

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          60KB

          MD5

          94f2f6ffbba8e7644668b51b39983916

          SHA1

          63357bbdf90101969117983dbc0d4ed0e713c4d7

          SHA256

          ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

          SHA512

          d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

          Download Submit

        • memory/1700-150-0x0000000010000000-0x0000000010071000-memory.dmp

          Filesize

          452KB

          Download

        • memory/4224-151-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4224-152-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4224-153-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4532-139-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4532-142-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4532-138-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4532-136-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4532-137-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download