Overview

overview

10

Static

static

3

c5f878dfe1...72.dll

windows7-x64

10

c5f878dfe1...72.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5f878dfe1e0fd2062cff300d0002a94666aaf10cf89de2151178bca0e3e0f72.dll

  • Size

    101KB

  • MD5

    07c8194c8c7347f7e1af8f03dc9295f1

  • SHA1

    5a8bb45bb0a85817bf0c238a957e0090c30e0a64

  • SHA256

    c5f878dfe1e0fd2062cff300d0002a94666aaf10cf89de2151178bca0e3e0f72

  • SHA512

    70541c73e60cbbbc0027c2095ea378f4e1c607f161167d691c7a7c0cd811bf40328c21c8579a7ecdffcf15b1c26fbe40b64f3398a321a80fded5f6f73318328a

  • SSDEEP

    1536:hcMr6N99X0fdNAbxB5A0HoHuqmCbEVwh4hlp1KB3yvi94MOXX9Wo/+:2Mr6N9WfdNAbxB5AZHglVwEDnvG/OcQ+

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5f878dfe1e0fd2062cff300d0002a94666aaf10cf89de2151178bca0e3e0f72.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5f878dfe1e0fd2062cff300d0002a94666aaf10cf89de2151178bca0e3e0f72.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Drops file in System32 directory
            • Drops file in Program Files directory
            PID:2680
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    144KB

    MD5

    38f6ed3f1993b00162d63f7d5cfe00f3

    SHA1

    ce2aacf2811522489f33a98aef37f94a5bf225c0

    SHA256

    e832e1944099f8b0bcfe8bc76c3b14b792ef4a9ce182a25b2e2fb542b3adeb2e

    SHA512

    8a4c869ed2d9383dfdd0a9624ee49ae0636afb494e3759b948e404d315181df68e344ebf5390c4849714dcccd50bd59ab7be0a26e594360efe078900d0c6840f

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    140KB

    MD5

    a8c238b1482f233c97f5e4a45cdc1fbe

    SHA1

    238fa6006671b9f1732ddb58ac2ea8b91b0e904d

    SHA256

    526f179822dd58fd5b9238a8ee85b86b54a71c13ef94f150e281dbd434695139

    SHA512

    71b51e1e8513b7e5f4232f4ac77de38a75ac45a813318b34877d34d426e0ec291a422b4de017377af787c78f2c68b8e02812d3e39bc36d1612f5ba989c89254d

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    65KB

    MD5

    849ef19ec0155d79d4fa5bfb5657b106

    SHA1

    eb7e7ff208ecb40d35755d8f36e31e2482166299

    SHA256

    8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

    SHA512

    30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

    Download Submit

  • memory/1152-72-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1152-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-25-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1152-50-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-71-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1152-58-0x00000000773AF000-0x00000000773B0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-12-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-16-0x00000000773B0000-0x00000000773B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-11-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-2-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2640-64-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2640-67-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2640-68-0x00000000773B0000-0x00000000773B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2640-65-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2640-52-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2640-66-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2640-63-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2640-59-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2680-33-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2680-42-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2680-45-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-46-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-44-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-38-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2680-29-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-73-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2680-27-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2872-13-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download