Overview

overview

10

Static

static

3

dfa9a4c3f1...42.dll

windows7-x64

10

dfa9a4c3f1...42.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll

  • Size

    508KB

  • MD5

    a710201fa3d7aaa02f4a8d1875a37db0

  • SHA1

    38471a0d4072cc93d380484b5170f24845cc3575

  • SHA256

    dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542

  • SHA512

    4ee6b0ef10ac77a2b5af657cdd975f5cc1c2f354dcb09d5c2d79b80d520104b4871063c044da70ca4339cbe2c6db2d85b27d369873cd90779c29b5580f5fad65

  • SSDEEP

    12288:eehnaNPpSVZmNxRCwnwm3W3OHIIf5QcY6QtOTD:eeh0PpS6NxNnwYeOHXHQtQ

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 9 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfa9a4c3f187e3c4a6204c2a6cb545e629864c2424ae106da9d0a9ada8eb5542.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:6120
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1948
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 204
                6⤵
                • Program crash
                PID:3580
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:368
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3528
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3528 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 608
          3⤵
          • Program crash
          PID:2748
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
      1⤵
        PID:3500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1948 -ip 1948
        1⤵
          PID:2648

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10B7BD9-2A0B-11EF-9519-C2BABBD8D0A3}.dat
          Filesize

          5KB

          MD5

          478dafbec8fef34a9ce66f47389e213b

          SHA1

          e67a54bda3827f13a30a41c1264786c467128f48

          SHA256

          81d4c8253b45711d9e760df8cc11c4fb118d4ee4b3bc65e0914fe1eea7817383

          SHA512

          e009487f00d6181f754a2b12ae37ab690ef16d88d091c6ab81a5ded70beb983924f5978f9236a1fad9b8a567086a10cd9f41fad26841026b9f2fa15cfe0b17b1

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10DDDB0-2A0B-11EF-9519-C2BABBD8D0A3}.dat
          Filesize

          3KB

          MD5

          892278f063f6151ee13a348aceb173c1

          SHA1

          20b1284d1ea4c0b0784eeed23174820516fde0b6

          SHA256

          4f31cf43dc2b705ce68da55be4369f0b2e7a3b20203e036361435bb766c3665d

          SHA512

          09fa31bb81fb17a70f4a19f2a43a19e30bf66af4f392a34c4e5c9309fafcf38485e84dab39ae327639bfb9a4b3020fb35d8ec0bcb31412ec231a6e797e8871b0

          Download Submit
        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          123KB

          MD5

          41cdf1d40aff3f71114ea210307b6a1c

          SHA1

          8d5237ed7a29003af5b857edd85f7f54a91f600c

          SHA256

          00ba79fa51af9b735ebbded72313232d83956c922e206362f9b71411772162b7

          SHA512

          fdcba01191a345416f17fb4024255f97af135824f1ce57bb8456d74fbfd0e37f89500aeb92c19c4add62e6cb416c57cd06b2aee310fabb91e468852ca062ff0e

          Download Submit
        • memory/1948-33-0x0000000000730000-0x0000000000731000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-34-0x0000000000710000-0x0000000000711000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3908-1-0x0000000010000000-0x0000000010081000-memory.dmp
          Filesize

          516KB

          Download
        • memory/3908-35-0x0000000010000000-0x0000000010081000-memory.dmp
          Filesize

          516KB

          Download
        • memory/4608-40-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/4608-31-0x0000000000400000-0x000000000044A000-memory.dmp
          Filesize

          296KB

          Download
        • memory/4608-30-0x0000000077372000-0x0000000077373000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4608-29-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/4608-27-0x0000000000430000-0x0000000000431000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4608-37-0x0000000077372000-0x0000000077373000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4608-36-0x0000000000070000-0x0000000000071000-memory.dmp
          Filesize

          4KB

          Download
        • memory/6120-13-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-6-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-10-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-11-0x00000000008D0000-0x00000000008D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/6120-12-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-16-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-8-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-7-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/6120-5-0x0000000000400000-0x000000000044A000-memory.dmp
          Filesize

          296KB

          Download