Overview

overview

10

Static

static

69cc84e019...9c.dll

windows7-x64

10

69cc84e019...9c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll

  • Size

    448KB

  • MD5

    d229c3a7abd79e7e0202293d85e4b570

  • SHA1

    a5df0fc7609cd5e7df98b5ca42afd9e183ebf316

  • SHA256

    69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c

  • SHA512

    253a3ebee5161e0412bfaeb9d8a25ad10f428c3d3725667921875823cfe6887aea9520c68c27bf50db7f03d696490d4fa93397fcad1b57c0180193c6c8f6cbfc

  • SSDEEP

    12288:FehnaNPpSVZmNxRCwnwm3W3OHIIf5SnF/C0:Feh0PpS6NxNnwYeOHX0ntC0

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\sppsvc.exe
          C:\Windows\system32\sppsvc.exe
          2⤵
            PID:1676
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            2⤵
              PID:1512
            • C:\Windows\system32\taskhost.exe
              "taskhost.exe"
              2⤵
                PID:1260
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1032
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:276
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:300
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:872
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:844
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:796
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:732
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:652
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:576
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:376
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                        wmiadap.exe /F /T /R
                                        1⤵
                                          PID:1088
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                            PID:1420
                                            • C:\Windows\system32\rundll32.exe
                                              rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll,#1
                                              2⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:1572
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll,#1
                                                3⤵
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:304
                                                • C:\Windows\SysWOW64\rundll32mgr.exe
                                                  C:\Windows\SysWOW64\rundll32mgr.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:316
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1896
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      6⤵
                                                      • Modifies WinLogon for persistence
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      PID:1480
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      6⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1740
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 228
                                                  4⤵
                                                  • Program crash
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1280
                                          • C:\Windows\system32\Dwm.exe
                                            "C:\Windows\system32\Dwm.exe"
                                            1⤵
                                              PID:1364
                                            • C:\Windows\system32\csrss.exe
                                              %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                              1⤵
                                                PID:332
                                              • C:\Windows\System32\smss.exe
                                                \SystemRoot\System32\smss.exe
                                                1⤵
                                                  PID:260

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • C:\Windows\SysWOW64\rundll32mgr.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • C:\Windows\SysWOW64\rundll32mgr.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • \Windows\SysWOW64\rundll32mgr.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • \Windows\SysWOW64\rundll32mgr.exe
                                                  Filesize

                                                  65KB

                                                  MD5

                                                  a9ea94ee4a3bb43d4057823b2072dc54

                                                  SHA1

                                                  94ade3c34ec08613daba8a1240586c24f8169794

                                                  SHA256

                                                  7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                                                  SHA512

                                                  0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

                                                  Download Submit

                                                • memory/304-78-0x0000000010000000-0x0000000010072000-memory.dmp

                                                  Filesize

                                                  456KB

                                                  Download

                                                • memory/304-877-0x0000000010000000-0x0000000010072000-memory.dmp

                                                  Filesize

                                                  456KB

                                                  Download

                                                • memory/304-55-0x0000000076121000-0x0000000076123000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/304-54-0x0000000000000000-mapping.dmp

                                                  Download

                                                • memory/316-67-0x0000000000220000-0x0000000000241000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/316-66-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/316-58-0x0000000000000000-mapping.dmp

                                                  Download

                                                • memory/1280-62-0x0000000000000000-mapping.dmp

                                                  Download

                                                • memory/1480-74-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1480-72-0x0000000000000000-mapping.dmp

                                                  Download

                                                • memory/1480-70-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1480-80-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1480-204-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1740-82-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/1740-84-0x0000000000000000-mapping.dmp

                                                  Download

                                                • memory/1740-85-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/1896-79-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1896-203-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1896-64-0x0000000000000000-mapping.dmp

                                                  Download