Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
22-04-2024 21:51
General
-
Target
4f3f92c76a390bb91672096c646ba448860edc8973ce9ef550dfbf6108dc3a95.dll
-
Size
608KB
-
MD5
cdb6566d6f87909ca27a2dba7b7b046f
-
SHA1
346e4d24ed8b7c88f3cf7e88587a943d2f59334c
-
SHA256
4f3f92c76a390bb91672096c646ba448860edc8973ce9ef550dfbf6108dc3a95
-
SHA512
177d195b546036ce25f804a9d80ea0e244c29a281c91f7abc91e61dd64758896d932fcb87b51373c95c144d5d9280c3a0c4370a95f746f5521197dd2f8672786
-
SSDEEP
12288:IhpUrEIZJqr1AkBWwNa5R0EYl795/amaX3QXaPKUSK+QCV7:I/jG01NHXaPpCV7
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
UPX dump on OEP (original entry point) 10 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4f3f92c76a390bb91672096c646ba448860edc8973ce9ef550dfbf6108dc3a95.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4f3f92c76a390bb91672096c646ba448860edc8973ce9ef550dfbf6108dc3a95.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 2324⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
312KB
MD5de53e52e74b1fc1334ed1c68a475fa45
SHA1a58729806d688d9bfc622e2362fd4c5b9631d0c6
SHA256327e49807646ad23fa88f5eca49a561d46962df7db30ddc74b3602771b5b796d
SHA512142d8129347da45549ad05fef338ba4dd0661222d12dece84503553de5aa4bda6be57f43cdea7bdf66925317f2bdff470951d886d614b0d1c0e59c0035871dc8
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
308KB
MD5647477309b0079c26ab18564557ccb7a
SHA1c10347dba1db3486bec23102c8c1248fe239a620
SHA2564354849c950d0ee778c83f139d9d09f25a672882e7b21dbe083ed8893db71cae
SHA512158a8a7c36614a0fde5e359426916bbf8f11a89ca9dd92642faba8cf09ea5b8bd75d03d78ae37da82afd556ecc8f77272f94d14eadc20f15f34b72c06ad73a15
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
149KB
MD58d87ebfc9dc5999ca44efe778f374615
SHA1d3cb9d32706995373c25f44b6843a0c8a28502ef
SHA2560ac48779df767bd67c862f7154cf13eaec6c15aea06ff74e41f09b8bb23a2d8d
SHA512553588d1d7d34c12c7f1b41a442a9f5745c34e62f7505ced34f8846475ea05bab9b231a63ae4d06c98a65b3c4749ed6921dd8fc280aa09f6bdf6523386a79c18
-
memory/2200-41-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2200-72-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/2200-344-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2200-45-0x000000007792F000-0x0000000077930000-memory.dmpFilesize
4KB
-
memory/2200-84-0x000000007792F000-0x0000000077930000-memory.dmpFilesize
4KB
-
memory/2200-499-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2200-42-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2200-43-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2340-90-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2340-91-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2340-89-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2340-85-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2340-93-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2340-94-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2340-92-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2340-100-0x0000000077930000-0x0000000077931000-memory.dmpFilesize
4KB
-
memory/2340-74-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2460-321-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/2736-58-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2736-496-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2736-60-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2736-63-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2736-61-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2736-68-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2736-55-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2736-48-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2736-46-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2920-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-34-0x0000000000050000-0x0000000000080000-memory.dmpFilesize
192KB
-
memory/2920-11-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-14-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/2920-23-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-21-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-19-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-16-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2920-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2920-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2968-311-0x0000000077930000-0x0000000077931000-memory.dmpFilesize
4KB
-
memory/2968-307-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2968-304-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2968-0-0x0000000010000000-0x0000000010099000-memory.dmpFilesize
612KB
-
memory/2968-12-0x0000000000140000-0x0000000000170000-memory.dmpFilesize
192KB
-
memory/2968-10-0x0000000000140000-0x0000000000170000-memory.dmpFilesize
192KB
-
memory/2968-3-0x0000000010000000-0x0000000010099000-memory.dmpFilesize
612KB