Overview

overview

10

Static

static

3

ceff35deb6...30.dll

windows7-x64

10

ceff35deb6...30.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll

  • Size

    157KB

  • MD5

    13512ca83401d4a94f6ca2fe8bc742ca

  • SHA1

    de6caf7d767d89dce94ce3f3f828742f55a82b6c

  • SHA256

    ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30

  • SHA512

    adf6c380f633d6365c7eaf8cf32e41fb134175b5ca7c2b7b2b74cbccb7a4dae7c4b890ebed656165f536b6a0968a52743e740d8062aea311a37709bb92935d59

  • SSDEEP

    3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1xO:IMqWfdNANO6yEYZ7DVQgsQLPzo1xO

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 12 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Drops file in System32 directory
              • Drops file in Program Files directory
              PID:3028
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1412
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of UnmapMainImage
              PID:2780
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2996
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2288

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      257KB

      MD5

      75a714bf15efc9adcf8f332bdfec0854

      SHA1

      68d0ef2b44b500fedb4f52d2c51230e9bbc4a0ac

      SHA256

      1626de15178719d70c25d8dc0cf012272b9c129c6ac33b866443e38b073e4f51

      SHA512

      5f7f318d3655c4fc0d4cca925c8341d4b472121deb7570c565779ba429f05fa69c7e1b6b66f2e4b1cc8750df408b21403a02ee7ffa767e02be01c213be32e868

      Download Submit
    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      253KB

      MD5

      2e7219eb455525bcbe6cd2d040c14001

      SHA1

      661b29c13607cda3a6a819250741bfe5dbb15e04

      SHA256

      7c970b48faf310772e1e660e092a7ba0666322c2c502d8b1b1d95108b3f06629

      SHA512

      ee88d00077dac5cc15af7d97afcd889e2c3dd188fc1b9e058f4f5e8b8c002d273062544adfed2718319a338de650646d571897d9a0a0e56a4c506bb096326c24

      Download Submit
    • \Windows\SysWOW64\rundll32mgr.exe
      Filesize

      122KB

      MD5

      c5255edf109342e3e1d1eb0990b2d094

      SHA1

      ba029b47b9b3a5ccccae3038d90382ec68a1dd44

      SHA256

      ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

      SHA512

      6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

      Download Submit
    • \Windows\SysWOW64\rundll32mgrmgr.exe
      Filesize

      59KB

      MD5

      f2c8b7e238a07cce22920efb1c8645a6

      SHA1

      cd2af4b30add747e222f938206b78d7730fdf346

      SHA256

      6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

      SHA512

      c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

      Download Submit
    • memory/1224-32-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-24-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-25-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-26-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-34-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-18-0x0000000000120000-0x0000000000143000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1224-27-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1224-40-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1224-41-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2380-2-0x0000000010000000-0x000000001002B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/2380-4-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2380-11-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2380-1-0x0000000010000000-0x000000001002B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/2380-14-0x00000000777E0000-0x00000000777E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-13-0x00000000000E0000-0x00000000000E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-12-0x00000000000D0000-0x00000000000D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2564-75-0x00000000001A0000-0x00000000001A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2564-178-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2564-66-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2572-67-0x0000000000120000-0x0000000000143000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2572-68-0x0000000000120000-0x0000000000143000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2572-180-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2652-97-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2668-39-0x0000000000400000-0x0000000000423000-memory.dmp
      Filesize

      140KB

      Download
    • memory/2668-42-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2780-122-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2780-130-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3028-81-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3028-114-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3028-83-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3028-110-0x0000000020010000-0x0000000020022000-memory.dmp
      Filesize

      72KB

      Download