Analysis
-
max time kernel
188s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
04/12/2022, 02:23
General
-
Target
48999a898a10b4cd18d5214645a1237b5ad68cf10f20f843e98d14e0e178a149.dll
-
Size
677KB
-
MD5
a0073f70dc28ae4bacd6ebae831efaf0
-
SHA1
ec809cba09e157b3902344cb5bf251fec18d1482
-
SHA256
48999a898a10b4cd18d5214645a1237b5ad68cf10f20f843e98d14e0e178a149
-
SHA512
0a89df10c6f4c2f09f0c5210deefe8991437e327c6ec04943a7bb9aa0994d13c1fbd2989e646a783c5734527805535665e913aa1287f9ae096408ff351b21ced
-
SSDEEP
12288:sNIyZN4+Wv4PLq6Okrh9ZN/hs9DsdseTTPvEK:s9TPmirh9Zdh6LeTTnEK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\wininit.exewininit.exe3⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=163⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\48999a898a10b4cd18d5214645a1237b5ad68cf10f20f843e98d14e0e178a149.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\48999a898a10b4cd18d5214645a1237b5ad68cf10f20f843e98d14e0e178a149.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 2284⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
92KB
MD56573e42f114e86e6e8a4ecb862d0bb96
SHA149f06fe5173a22923ce99807e74730772e51b558
SHA256b8e4c7de78d23aa6636384fdd922f7e37b7a20b30cc25f1e1b75a3bebfa20648
SHA51241439ff2d92861651d3f51352daf2594242661d40300e4730815ba52a07240b188f2ea710cd1f15631e90e9d8f33d44014b49d4c59b091c3ea3970ce8f5d1394
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
288KB
-
Filesize
700KB
-
Filesize
8KB
-
Filesize
700KB
-
Filesize
288KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB