Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 00:20

General

  • Target

    952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll

  • Size

    343KB

  • MD5

    0200557e45133b8e58841b36be401e00

  • SHA1

    d2870cbeb09754804deb00ead0db443668064afd

  • SHA256

    952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecd

  • SHA512

    ffcd3ba30fa7f2b6a8abe767ca851759dba8ac811bdcc952ad7c26275609c645747892a5f09be0f543e09d01f2cdb38121acaab686cb2feeb9f4f0a4d73210ba

  • SSDEEP

    6144:pMJOWK4l0wqOVq1ZweJ2L9Y+fJsaosgF315PjWGpNcAlURB:p2OWK4llnZY+ms015PjlpyEUf

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4352
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 10176
            5⤵
            • Program crash
            PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 10184
          4⤵
          • Program crash
          PID:1252
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4200 -ip 4200
    1⤵
      PID:2008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4352 -ip 4352
      1⤵
        PID:3040

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\~TMB73B.tmp

              Filesize

              1.6MB

              MD5

              4f3387277ccbd6d1f21ac5c07fe4ca68

              SHA1

              e16506f662dc92023bf82def1d621497c8ab5890

              SHA256

              767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

              SHA512

              9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

            • C:\Windows\SysWOW64\rundll32mgr.exe

              Filesize

              191KB

              MD5

              d3d9e83859d00c69a12e334852e0e40e

              SHA1

              88b6d73a9a92b96f017417e346781aa62e412112

              SHA256

              3b50ec5daef877dabead21459e6e6dd8de74ea4fbdaf1163768e0376b4060887

              SHA512

              3f565d70caa9139068468cb296f15a05d5921d01362f04bb2996007683bf8816dbc6338283acba22d8349c1214c98bddb476fef3878b97f555acd46ac8754fe2

            • C:\Windows\SysWOW64\rundll32mgrmgr.exe

              Filesize

              94KB

              MD5

              8abf6898662a995642dd979ff1fe5eef

              SHA1

              08aeda19120993801a6f3a8aa2b73b559ed361ad

              SHA256

              8aa6d0613c1ad6326d92678bc90dd10be1fba7a5b5f9d7a4a6fac6a42baf94cb

              SHA512

              a1e88bde3478d8a0c74824998b13e1fdf4484eec444540352076acc43675ecd2daed86e719b3889e7e8ce2104b2b7259a237b42d474acbca8f7e7fb3f37a3313

            • memory/4200-5-0x0000000000400000-0x000000000045C000-memory.dmp

              Filesize

              368KB

            • memory/4200-11-0x0000000002080000-0x00000000020DC000-memory.dmp

              Filesize

              368KB

            • memory/4200-15-0x0000000000400000-0x000000000045C000-memory.dmp

              Filesize

              368KB

            • memory/4200-21-0x0000000002080000-0x00000000020DC000-memory.dmp

              Filesize

              368KB

            • memory/4352-9-0x0000000000400000-0x0000000000443000-memory.dmp

              Filesize

              268KB

            • memory/4352-12-0x0000000000400000-0x0000000000443000-memory.dmp

              Filesize

              268KB

            • memory/5040-0-0x0000000010000000-0x000000001005A000-memory.dmp

              Filesize

              360KB