Analysis

  • max time kernel
    136s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 02:21

General

  • Target

    51709dee09153cf95719891ec72eafcbb5be85d52e694dd83f45567d6e4abd1f.dll

  • Size

    278KB

  • MD5

    a74a648dc04c6ba369e4e2f3c36e1b60

  • SHA1

    aeb98110f2c179bf79640d0924d51029364dde62

  • SHA256

    51709dee09153cf95719891ec72eafcbb5be85d52e694dd83f45567d6e4abd1f

  • SHA512

    02367935cfafe3b76e23eb9bae1e2e01932cc43a09e1e4c5e5df31fe778e8958945d00ebe55145948f62babbfa73274e7e441fc1472dfbd2b6f09ea36a105786

  • SSDEEP

    6144:QxGMku94XCzTurXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01U:QxGCOXzURlbDC9K69u2m+SqOWcsQQKiM

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\51709dee09153cf95719891ec72eafcbb5be85d52e694dd83f45567d6e4abd1f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\51709dee09153cf95719891ec72eafcbb5be85d52e694dd83f45567d6e4abd1f.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4604
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 204
                6⤵
                • Program crash
                PID:1464
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4156
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4156 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4676
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5076
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5076 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 628
          3⤵
          • Program crash
          PID:3540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
      1⤵
        PID:4592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4604 -ip 4604
        1⤵
          PID:2100

Network

MITRE ATT&CK Enterprise v6

Downloads

              • C:\Program Files (x86)\Microsoft\WaterMark.exe

                Filesize

                65KB

                MD5

                a9ea94ee4a3bb43d4057823b2072dc54

                SHA1

                94ade3c34ec08613daba8a1240586c24f8169794

                SHA256

                7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                SHA512

                0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                Filesize

                4KB

                MD5

                f7dcb24540769805e5bb30d193944dce

                SHA1

                e26c583c562293356794937d9e2e6155d15449ee

                SHA256

                6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

                SHA512

                cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                Filesize

                471B

                MD5

                a62e66dbd157955d60808bf89987bcde

                SHA1

                a97e8478902ac7db7fd904300304944a41afee8e

                SHA256

                d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

                SHA512

                2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                Filesize

                302B

                MD5

                ac44f54dbf6ed62dcad8536ef10df98b

                SHA1

                b056daa9489e9f60e0a11f70ba4d364c071b6bc1

                SHA256

                41ba3668d1c01b11a351ca9fd049c387afa4b28e26151747016c3d11ea2b1512

                SHA512

                0ca7249d4bdeb01968f716979e9014c5cde059f07291234f8835d2f7ee2ede5d3c2846cfe60edc84220a609b6022ed9294a129d01ab3f6d10a706aaafc3abbab

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                Filesize

                434B

                MD5

                ed5e30998e656744ad884c830617b8f0

                SHA1

                fb36c3f42f7f61666a6eaac040b1287634032a8b

                SHA256

                a41d30b42dc9b6f9711adab413f17b7768b7b76e2bf243388717987bb9fa79ee

                SHA512

                01048ec613a2437297220250dcd972e85692d24592f242a86370d80ecd869bcf5c1796fda8e88bb6c20ae836b66abf1b4fe567cbe336d542824d28c9e4cea6ff

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0DACF36-7635-11ED-89AC-466E527D41B2}.dat

                Filesize

                5KB

                MD5

                7fa850a597d0f2eb783db47e98ca4b44

                SHA1

                a333e1a5601ec570ca3258735e04baff7c1466b2

                SHA256

                f605eb048d0f64deb3a01837e48d703a8b7e9b7e2246cc8bf3e444455ab8592a

                SHA512

                0b81b6bc821725e414ea4fb8b141469907ff6c1d8085a369bd24d2b78df03ad9a26d5e0995a72b7dde27a6efd00d3f8d91454f9f47a61d9f41655400331358b3

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0E1F724-7635-11ED-89AC-466E527D41B2}.dat

                Filesize

                3KB

                MD5

                e7c64cb084fa3ae312d5d4b230940bef

                SHA1

                82a305db7ab707a82629df3d55841c20f564f299

                SHA256

                b4c93befb21de9a4219357458e717ee0ceb4cd8456c0544207078ff09f87e250

                SHA512

                4abed9525b68feb1385758a107aed13ec5c86de8586e0146174bd96e7ff76d4248f90ea714f1269f64bd399de68393ac28d36c9f19088bfa52a1fbec4b7016b0

              • C:\Windows\SysWOW64\rundll32mgr.exe

                Filesize

                65KB

                MD5

                a9ea94ee4a3bb43d4057823b2072dc54

                SHA1

                94ade3c34ec08613daba8a1240586c24f8169794

                SHA256

                7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

                SHA512

                0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

              • memory/3404-143-0x0000000010000000-0x000000001004C000-memory.dmp

                Filesize

                304KB

              • memory/3648-140-0x0000000000540000-0x0000000000561000-memory.dmp

                Filesize

                132KB

              • memory/3648-139-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/5088-144-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/5088-145-0x0000000000530000-0x0000000000551000-memory.dmp

                Filesize

                132KB

              • memory/5088-148-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

              • memory/5088-149-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB