Overview

overview

10

Static

static

30a6ca067d...ed.dll

windows7-x64

10

30a6ca067d...ed.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30a6ca067df975818a69eb475901f7a2501e1a0883442ae01352a490d4cc8bed.dll

  • Size

    307KB

  • MD5

    e2fb1ac20c598e5a8f3bc3ee20a36492

  • SHA1

    f9b2e09ffbcd6f5736276c5417901b865c61fb74

  • SHA256

    30a6ca067df975818a69eb475901f7a2501e1a0883442ae01352a490d4cc8bed

  • SHA512

    43da98b3a2ead7ef5e5da8ff9eea0b0c923628a5fb51a7395efeb4963557b76568547248fab7bd8c5dbf7e2acb68b7a7027d569836f52afb897d90d3af3bfcb5

  • SSDEEP

    6144:ZxWfO7cf3bZUa3BrVLwBkFO0G1NQZe7TCRsa8gz8DrEnKgUueqonfkBCFcNa:+v3bZZRrCPGKanz8DrEnKgjonfkBicM

Score
10/10
ramnitbankerevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\30a6ca067df975818a69eb475901f7a2501e1a0883442ae01352a490d4cc8bed.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\30a6ca067df975818a69eb475901f7a2501e1a0883442ae01352a490d4cc8bed.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
        "rvtql1X1e"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
          "rvtql1X1e"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4368
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 204
                6⤵
                • Program crash
                PID:5108
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1784
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2252
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:216
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:17416 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4720
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:1464
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 204
                  6⤵
                  • Program crash
                  PID:3392
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1496
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  6⤵
                  • Modifies Internet Explorer settings
                  PID:3952
              • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
                "C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe" elevate
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1944
                • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
                  "C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe" elevate
                  6⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3248
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe"" admin
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4312
                    • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
                      "C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe" admin
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:3544
                      • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
                        "C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe" admin
                        9⤵
                        • Modifies firewall policy service
                        • Modifies security service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:644
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 620
            3⤵
            • Program crash
            PID:796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4836 -ip 4836
        1⤵
          PID:4980
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4368 -ip 4368
          1⤵
            PID:3060
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1464 -ip 1464
            1⤵
              PID:3108

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              2e02780939de763a8bb3e91dfbf21980

              SHA1

              47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

              SHA256

              971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

              SHA512

              51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              434B

              MD5

              6ebb11811171d90daa802e5d8976a7fb

              SHA1

              de52fd5e27708d0464cc35e1331de1e1c7d0c03a

              SHA256

              4b0f20eb9c74c98c17bbf791438e98a3728d856330f2d049fad71b38b3c8c105

              SHA512

              06ce70376d0919012e3a79b4f033e78d4ba0aafdab9652babff1655a8e2c1c5a0fdf6edbabe90102bf82a9a986c31d6af45122847e8b3f0ce5c628159119ce06

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\vvtoslpd.exe
              Filesize

              99KB

              MD5

              33ace2a98e6aa56dbd6f1ae58a9af9ae

              SHA1

              67de6edab77318d997f002c9884dd08069612570

              SHA256

              8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

              SHA512

              ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

              Download Submit

            • memory/644-187-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1696-142-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1696-150-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1696-145-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1696-159-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1696-147-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1944-158-0x0000000070350000-0x00000000704AD000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1944-162-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/1944-163-0x0000000000030000-0x0000000000033000-memory.dmp

              Filesize

              12KB

              Download

            • memory/1944-168-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/2900-146-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/2900-136-0x00000000756B0000-0x000000007580D000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2900-139-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/2900-140-0x0000000000030000-0x0000000000033000-memory.dmp

              Filesize

              12KB

              Download

            • memory/3248-172-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3544-175-0x0000000070810000-0x000000007096D000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3544-179-0x0000000000020000-0x0000000000023000-memory.dmp

              Filesize

              12KB

              Download

            • memory/3544-177-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/3544-185-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download