Analysis
-
max time kernel
133s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27-05-2024 02:53
General
-
Target
ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll
-
Size
157KB
-
MD5
13512ca83401d4a94f6ca2fe8bc742ca
-
SHA1
de6caf7d767d89dce94ce3f3f828742f55a82b6c
-
SHA256
ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30
-
SHA512
adf6c380f633d6365c7eaf8cf32e41fb134175b5ca7c2b7b2b74cbccb7a4dae7c4b890ebed656165f536b6a0968a52743e740d8062aea311a37709bb92935d59
-
SSDEEP
3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1xO:IMqWfdNANO6yEYZ7DVQgsQLPzo1xO
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
UPX dump on OEP (original entry point) 11 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Program crash 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of UnmapMainImage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ceff35deb6c1159e48b44a9bc30c6ffafeb3787824de4ea03415eeb8dd3a6a30.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 2047⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4812 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2046⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 50681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2120 -ip 21201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A303B8-1BD4-11EF-9519-4A6FEDA150B9}.datFilesize
4KB
MD5b90c23de4902765bde451588ae1d9d90
SHA1ab4672f112d5787aa8172b07d7abb5bd8c6712ef
SHA256029f20c1d2258bf9067c04d6c7faf2c07e163634da6e8d71cd36ce5cede4c120
SHA5128c9b6e34e28f60be97d850124b1fc26d5e51f94b300ba60fff92ae513b5f9c4a5162d51f095b538b2e0fd5059bbe54d50d86839cf3241ea3918ad1a593e26c9c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A32AC8-1BD4-11EF-9519-4A6FEDA150B9}.datFilesize
5KB
MD5d206156428779c1dfff25fe432861222
SHA1849980e6373078bb3b3724d18dd0d5ca71aa1771
SHA256dcd377fe5a11df795be74b835ae18c7615755ecbf4222acab48a806615d8aba8
SHA5122e0c044c2f7ae624f3a65bf7839d3eff4a349380a82dc4298c540ff50e88de4e8ab5e3fe5e3f56bd1cfd129c0187d5bd80dbfff5cc1585ab55fbdb2482d56add
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A32AC8-1BD4-11EF-9519-4A6FEDA150B9}.datFilesize
5KB
MD5185cb9c1003e6146241816c146b3367b
SHA1c817736af7a3d53f1556533ac6b30189edde80d4
SHA2560acf6f1d6114c16137660d74f0ea066a918cd9089708f970748a44dd3e7f3983
SHA512d32996df24ffbe7659e4e0bcc7ce658ae9c7fc0bff659e113636932d959595ee49040d8e1fb2d7572c3adde8920c6acc64673da89b56accd67bac63f2c1aa4bb
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48A351D8-1BD4-11EF-9519-4A6FEDA150B9}.datFilesize
5KB
MD5abe1cb786ca32fc3b8e8e676854909af
SHA1a9a443e47d85460b07c41a15b6cbb37da629369e
SHA2564550169d76c1965841902d095abddb690684c5fbf9ef574168c6e57bca2ef82a
SHA51263c8e8ce50f4d0c1c1b1ea6d4c86379ceb32144c5459ec68685dfb44a42ead4ccc1dd1b74539c9890cd42129de58700a9a72e00736f7defe7d2a06f36638c43f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD939.tmpFilesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
122KB
MD5c5255edf109342e3e1d1eb0990b2d094
SHA1ba029b47b9b3a5ccccae3038d90382ec68a1dd44
SHA256ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
SHA5126b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3
-
C:\Windows\SysWOW64\rundll32mgrmgr.exeFilesize
59KB
MD5f2c8b7e238a07cce22920efb1c8645a6
SHA1cd2af4b30add747e222f938206b78d7730fdf346
SHA2566b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699
-
memory/1208-67-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1208-53-0x0000000000430000-0x0000000000431000-memory.dmpFilesize
4KB
-
memory/1208-69-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1320-12-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/1320-36-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-7-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2216-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-23-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2216-25-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/2216-24-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3168-62-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3168-58-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3380-68-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3380-38-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3380-77-0x0000000000070000-0x0000000000071000-memory.dmpFilesize
4KB
-
memory/3380-39-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3380-84-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4020-1-0x0000000010000000-0x000000001002B000-memory.dmpFilesize
172KB
-
memory/4020-5-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/4020-8-0x00000000777B2000-0x00000000777B3000-memory.dmpFilesize
4KB
-
memory/4020-6-0x00000000026D0000-0x00000000026D1000-memory.dmpFilesize
4KB