Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
14-06-2024 05:05
General
-
Target
dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll
-
Size
508KB
-
MD5
a710201fa3d7aaa02f4a8d1875a37db0
-
SHA1
38471a0d4072cc93d380484b5170f24845cc3575
-
SHA256
dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542
-
SHA512
4ee6b0ef10ac77a2b5af657cdd975f5cc1c2f354dcb09d5c2d79b80d520104b4871063c044da70ca4339cbe2c6db2d85b27d369873cd90779c29b5580f5fad65
-
SSDEEP
12288:eehnaNPpSVZmNxRCwnwm3W3OHIIf5QcY6QtOTD:eeh0PpS6NxNnwYeOHXHQtQ
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
UPX dump on OEP (original entry point) 8 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
260KB
MD574ec4d1d828a464258e64fcde52f9379
SHA118c40313f32174316fad0a58b36d6f5646da714b
SHA25662e03e83183b2d0ec14092ecfaa70961f7994bbec537b78a74c52c36e541f627
SHA512b2eba8abc192bac5fc64e5c9b21c95470172002843f23e2a34985a6896d2ca90908662c37de53b97db75f9758f8217fd415b70fe52b20c53cd2bc172fe5b8728
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
256KB
MD56e0f8151e92468ed019cac432bb6f421
SHA10d2cc2c08293a403f76fc667b96a80ce55c9609f
SHA2565d0b94b9b97160fb9fe42da2acdfae328ad3000f69360418f54191417ef02c73
SHA51286a33dbc39cb33ce61a441a8e861c6d4cf9ee004daa8ada545917d2cae1e3283b54dcb40c7f15f6b4e2eff3a3ae21ccd4724707630f3296d128baa5a48c9911f
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
123KB
MD541cdf1d40aff3f71114ea210307b6a1c
SHA18d5237ed7a29003af5b857edd85f7f54a91f600c
SHA25600ba79fa51af9b735ebbded72313232d83956c922e206362f9b71411772162b7
SHA512fdcba01191a345416f17fb4024255f97af135824f1ce57bb8456d74fbfd0e37f89500aeb92c19c4add62e6cb416c57cd06b2aee310fabb91e468852ca062ff0e
-
memory/2024-10-0x0000000000240000-0x000000000028A000-memory.dmpFilesize
296KB
-
memory/2024-3-0x0000000000240000-0x000000000028A000-memory.dmpFilesize
296KB
-
memory/2024-2-0x0000000010000000-0x0000000010081000-memory.dmpFilesize
516KB
-
memory/2180-29-0x00000000001A0000-0x00000000001EA000-memory.dmpFilesize
296KB
-
memory/2180-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-11-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2180-12-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-16-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/2180-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2180-23-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2320-82-0x00000000776FF000-0x0000000077700000-memory.dmpFilesize
4KB
-
memory/2320-70-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/2320-39-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2320-35-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/2320-50-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2320-51-0x00000000776FF000-0x0000000077700000-memory.dmpFilesize
4KB
-
memory/2320-558-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2320-40-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2320-71-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2660-58-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2660-65-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2660-61-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2660-41-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2660-60-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2660-62-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2660-43-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2660-999-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2660-53-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2984-91-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/2984-90-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2984-89-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2984-88-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2984-302-0x0000000077700000-0x0000000077701000-memory.dmpFilesize
4KB
-
memory/2984-92-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2984-87-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2984-83-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2984-73-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB