Overview

overview

10

Static

static

3

672cafdb04...93.dll

windows7-x64

10

672cafdb04...93.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    672cafdb040972a1e0827958b3afabce1576f8e0cd59f669b04863a258bb4c93.dll

  • Size

    832KB

  • MD5

    fee29d749e9a6755526a0c517164cb16

  • SHA1

    4232c812300820be5f637b15c68959961f316a33

  • SHA256

    672cafdb040972a1e0827958b3afabce1576f8e0cd59f669b04863a258bb4c93

  • SHA512

    81994cddf01f31c7b3c2ff5b73f21da66b2496a313d5774bd73919b03f410f31bf1722136e09088d8b6174eca019f6d9fd0c42e767dd9b1274e05a530b7191ac

  • SSDEEP

    24576:TxTyK5ZRYoRwVZlCvQ3cRB7aBq3U9T3Gaw:TxRp/RwblCvQ3g7c39jw

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:384
    • C:\Windows\system32\wininit.exe
      wininit.exe
      1⤵
        PID:392
        • C:\Windows\system32\services.exe
          C:\Windows\system32\services.exe
          2⤵
            PID:476
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch
              3⤵
                PID:592
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  4⤵
                    PID:1632
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:676
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:764
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:804
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1156
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:844
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:960
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:236
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:108
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                  3⤵
                                    PID:1064
                                  • C:\Windows\system32\taskhost.exe
                                    "taskhost.exe"
                                    3⤵
                                      PID:1096
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      3⤵
                                        PID:1144
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        3⤵
                                          PID:2060
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        2⤵
                                          PID:492
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:500
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:424
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1196
                                              • C:\Windows\system32\rundll32.exe
                                                rundll32.exe C:\Users\Admin\AppData\Local\Temp\672cafdb040972a1e0827958b3afabce1576f8e0cd59f669b04863a258bb4c93.dll,#1
                                                2⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:3052
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  rundll32.exe C:\Users\Admin\AppData\Local\Temp\672cafdb040972a1e0827958b3afabce1576f8e0cd59f669b04863a258bb4c93.dll,#1
                                                  3⤵
                                                  • Loads dropped DLL
                                                  • Drops file in System32 directory
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2124
                                                  • C:\Windows\SysWOW64\rundll32mgr.exe
                                                    C:\Windows\SysWOW64\rundll32mgr.exe
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious behavior: MapViewOfSection
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1836

                                            Network

                                            MITRE ATT&CK Matrix

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • \Users\Admin\AppData\Local\Temp\~TM2626.tmp
                                              Filesize

                                              1.2MB

                                              MD5

                                              d124f55b9393c976963407dff51ffa79

                                              SHA1

                                              2c7bbedd79791bfb866898c85b504186db610b5d

                                              SHA256

                                              ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

                                              SHA512

                                              278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

                                              Download Submit

                                            • \Users\Admin\AppData\Local\Temp\~TM2666.tmp
                                              Filesize

                                              1.1MB

                                              MD5

                                              9b98d47916ead4f69ef51b56b0c2323c

                                              SHA1

                                              290a80b4ded0efc0fd00816f373fcea81a521330

                                              SHA256

                                              96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

                                              SHA512

                                              68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

                                              Download Submit

                                            • \Windows\SysWOW64\rundll32mgr.exe
                                              Filesize

                                              514KB

                                              MD5

                                              bb015e33525a7ff0bb6a6f9bef84d148

                                              SHA1

                                              4588e9f270c950aaa37a379af0ef0602e529fc74

                                              SHA256

                                              2fb82ee3d618e43d133349e6ccf0d9904a0d50085915fe7519a99c1dddf4b01c

                                              SHA512

                                              2a8f584e3ca507433a49aa1d7b7a8cd5cf79705cc32865b5d24201812bde30173dd1dbb0dced856f0df8af81f6eb1e0d997ff7e952dde634e8b061321f6db497

                                              Download Submit

                                            • memory/1836-13-0x0000000000230000-0x0000000000231000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1836-12-0x0000000077410000-0x0000000077411000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1836-11-0x000000007740F000-0x0000000077410000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1836-14-0x0000000000400000-0x00000000004BA000-memory.dmp

                                              Filesize

                                              744KB

                                              Download

                                            • memory/1836-10-0x0000000000400000-0x00000000004BA000-memory.dmp

                                              Filesize

                                              744KB

                                              Download

                                            • memory/1836-22-0x0000000000400000-0x00000000004BA000-memory.dmp

                                              Filesize

                                              744KB

                                              Download

                                            • memory/1836-21-0x0000000000240000-0x0000000000241000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2124-1-0x0000000010000000-0x00000000100D4000-memory.dmp

                                              Filesize

                                              848KB

                                              Download

                                            • memory/2124-9-0x0000000000300000-0x00000000003BA000-memory.dmp

                                              Filesize

                                              744KB

                                              Download

                                            • memory/2124-24-0x0000000000300000-0x00000000003BA000-memory.dmp

                                              Filesize

                                              744KB

                                              Download