Overview

overview

10

Static

static

3

38a3b3b4a0...e7.dll

windows7-x64

10

38a3b3b4a0...e7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2024, 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38a3b3b4a06fe3d8e43d0d4348dff9e7.dll

  • Size

    166KB

  • MD5

    38a3b3b4a06fe3d8e43d0d4348dff9e7

  • SHA1

    ee0eb512b443c84f5dd69c8b2ed0066815bcc9c4

  • SHA256

    279dc6f915f7513aa1cd00910f1a2c7541021d9bb9f2f5f67592a8ca1f002bc3

  • SHA512

    d5a97ef4e54e4924bdef7a40a1f35ee59b9b8dd946317a168874398f775bca7a2a1aa70ff45049028ea16cac50a7daed1507e74ad5d15135d60be4a702720ae8

  • SSDEEP

    1536:05lTUKCYmCgV5bT/2d1QYesG+sxFm2mEgW+YBOYYtV/rerTK:KTU56gVxj27NeUuFm1byOYUNq6

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38a3b3b4a06fe3d8e43d0d4348dff9e7.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\38a3b3b4a06fe3d8e43d0d4348dff9e7.dll
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4508
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4268
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 212
                6⤵
                • Program crash
                PID:208
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3328
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3328 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2568
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1764
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4268 -ip 4268
      1⤵
        PID:8

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F97568DA-ABC2-11EE-BB4F-7E4216712C33}.dat
        Filesize

        3KB

        MD5

        f0174208522bf31b25638fa79b6bd566

        SHA1

        f4f98582ddafcb0fc80428959bb6a3b76a6a6faa

        SHA256

        89ac8dce49e7efce1507628ca7caf3a0fdb820144f65992043315c0ff0fe9744

        SHA512

        63cc0a65986431e8426e5760d72d3d8384b676f4d73ff323e41d33e8a68e878e2174031cdf8127d0c0abec60d9b93414cb94991f4022a2edde61228b7e95f790

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F97C8EBD-ABC2-11EE-BB4F-7E4216712C33}.dat
        Filesize

        5KB

        MD5

        76b4e60685a3f3a4675598d7ebcd8fb2

        SHA1

        ecc2275f1bd3c29b7f7fa815871849c3009861f1

        SHA256

        d2b2f2016a974c8092bfc2a7c3f04d55079475a477a94f3ee5c39b08ff7e8229

        SHA512

        e6b31213afc07f05f82feb69db46bf621be1de3cb619a81fc6d5ae472acb674c1951091890d3924ba72391b55a6f4da719ea0a8f8d717d66ff0ae87dd140ee29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2BBE.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MCZQJD7V\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        96KB

        MD5

        8c51fd9d6daa7b6137634de19a49452c

        SHA1

        db2a11cca434bacad2bf42adeecae38e99cf64f8

        SHA256

        528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

        SHA512

        b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

        Download Submit

      • memory/4268-34-0x0000000000420000-0x0000000000421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4268-33-0x0000000000440000-0x0000000000441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4280-0-0x00000000756F0000-0x000000007571C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/4508-35-0x0000000077D42000-0x0000000077D43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4508-36-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4508-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4508-21-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4508-28-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4508-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4508-30-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4508-31-0x0000000077D42000-0x0000000077D43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4508-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4508-39-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/4668-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-7-0x0000000000910000-0x0000000000911000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4668-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4668-5-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download