Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-11-2024 19:55

General

  • Target

    11ca1a13594f135fb7db1e43820f632785c694e0cc08d0a60f4ea56f076dc46b.dll

  • Size

    432KB

  • MD5

    e2795bde417b4b6413113dd2fad7b69e

  • SHA1

    3d60d07b1c6e8b8175146942ba49b680f59f0c63

  • SHA256

    11ca1a13594f135fb7db1e43820f632785c694e0cc08d0a60f4ea56f076dc46b

  • SHA512

    23ef497e74100ada223db852131fb9ff71336674d39aab9ef9ffbe1fec3ea9a48ae200302a2992cc4ed7951dc3fbaf77293885f5e75b9b778d052a7701b4dbbb

  • SSDEEP

    3072:qn4cV8gf2u41Z5tKlwgtYuYZZr25Z2tKEtx8xys:Q4y8gOl2WgRYH25Z2tF8xys

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ca1a13594f135fb7db1e43820f632785c694e0cc08d0a60f4ea56f076dc46b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ca1a13594f135fb7db1e43820f632785c694e0cc08d0a60f4ea56f076dc46b.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:468

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    ee5fe122ed7f86c205655b9cba8c9138

    SHA1

    e336589d24be98c05a47ad93daf11ab568dea58b

    SHA256

    e4980b849930ff5ad2572d98efa45c128edad97927f4519a3ad8f037787b7be5

    SHA512

    1d0a1901f19a14173ef483d4c4cdb7ab6716bf2bec26cdefa22f1c4b661e592daea02c6dc634ddbcdf18e2b30df171ad8b166428b5fe9ff3f2290da2378caed5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    fa69a3558c213533524fd8e71bb09492

    SHA1

    0dbe71947767bf130fec86b66717ef3060b198aa

    SHA256

    53d7cbbc3d38963c829110db02e594406ef69070d4da960e9df2668d35a7bcbe

    SHA512

    d5abeea443fd4e0d62dc3fd821208b4a85ee03092d6f07bfca1b430e41dc96235e66706b90cf7b5b2dd463545ec7d714e533558f72f5cff525117279ca75af33

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    340KB

    MD5

    36ca36c203021c6f987ee4b5c3dd605f

    SHA1

    f98c77ec78ec6a41e8e175c51c0fc0dee3c46b8b

    SHA256

    84cfde6d10074056ad2acf655507bce47e9f4bf62825c81ff3d4135245e7014a

    SHA512

    2387150226ddff9a2e7f8a910407e092949ce631f326ae73568cc4dbf018d25ef6f0b3dd2aaef51bdb1bbbbb9964a5e33fd6fab764e49a8a69ae0a861b478f58

  • memory/3620-12-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-18-0x0000000077E62000-0x0000000077E63000-memory.dmp

    Filesize

    4KB

  • memory/3620-16-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-15-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

  • memory/3620-4-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/3620-10-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-11-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

  • memory/3620-8-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-7-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-6-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-17-0x0000000077E62000-0x0000000077E63000-memory.dmp

    Filesize

    4KB

  • memory/3620-14-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3620-13-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3936-0-0x0000000010000000-0x000000001006D000-memory.dmp

    Filesize

    436KB