Overview

overview

10

Static

static

3

c9fbaa3919...a1.dll

windows7-x64

10

c9fbaa3919...a1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll

  • Size

    157KB

  • MD5

    457aa792186d3c64f612cd92be10914a

  • SHA1

    ff60592e8963b603f7e71bf306d24831d629edd8

  • SHA256

    c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1

  • SHA512

    62a22c67ff88b7f841c38ef2e1924092017295410e23753476a4aa9329d00c803b6decdf3474d84c6480f0db18aae5bcccdf15bdbd3bf2fbe8d1e351940dbc4f

  • SSDEEP

    3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1f:IMqWfdNANG6yEYZ7DVQgsQLPzo1f

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:2164
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:332
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Modifies WinLogon for persistence
              • Drops file in System32 directory
              • Drops file in Program Files directory
              PID:2160
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1016

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      132KB

      MD5

      4eedc2be1ef650e85b050a54dc57f71e

      SHA1

      b9ed9a62756d16a6c00816082808a76a882b18e0

      SHA256

      03e2e0cf6367022a163183e9091c0dba3f48a58d816eb5c5a30f0c247855dba5

      SHA512

      1ad0e6623c1366233d2750e8b88d68e796d4d854e45968261ec12828f3ceec6d0b5340032af173db1f7449582d1ceeb729e814f7f76e613fa77f4cdef75f818b

      Download Submit
    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      128KB

      MD5

      f4ef26b8ab712faa4e64a928db215e4d

      SHA1

      fb8d1b8aed2d0c4b116c08712d1e34d6316d51c7

      SHA256

      7a2937b979a07650544e28dc47bdcde35fad56bbe35a78fcc244c781b2f2bb66

      SHA512

      760540f06030ee44ff34488c9c92d5d3c68923bfe208f5eb2b034d246d624c4245098b621ce330111519d001ca3db237ab0f615908a5bff8ddd51688a7964595

      Download Submit
    • \Windows\SysWOW64\rundll32mgr.exe
      Filesize

      122KB

      MD5

      c5255edf109342e3e1d1eb0990b2d094

      SHA1

      ba029b47b9b3a5ccccae3038d90382ec68a1dd44

      SHA256

      ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

      SHA512

      6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

      Download Submit
    • \Windows\SysWOW64\rundll32mgrmgr.exe
      Filesize

      59KB

      MD5

      f2c8b7e238a07cce22920efb1c8645a6

      SHA1

      cd2af4b30add747e222f938206b78d7730fdf346

      SHA256

      6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

      SHA512

      c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

      Download Submit
    • memory/1896-69-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1896-155-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1896-68-0x0000000000170000-0x0000000000171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1896-60-0x0000000000400000-0x0000000000423000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2160-100-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2160-105-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2160-93-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2164-73-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2164-77-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2408-109-0x0000000000100000-0x0000000000101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2408-70-0x00000000000F0000-0x00000000000F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2408-156-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-22-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-39-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-31-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-30-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-25-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-24-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-23-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2500-15-0x0000000000120000-0x0000000000143000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2500-38-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2500-33-0x0000000000120000-0x0000000000143000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2592-1-0x0000000010000000-0x000000001002B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/2592-12-0x0000000077200000-0x0000000077201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2592-10-0x00000000000C0000-0x00000000000C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2592-11-0x00000000000D0000-0x00000000000D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2592-3-0x0000000000130000-0x0000000000163000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2632-40-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2632-36-0x0000000000400000-0x0000000000423000-memory.dmp
      Filesize

      140KB

      Download