Overview

overview

10

Static

static

3

ff0d7349bf...dN.dll

windows7-x64

10

ff0d7349bf...dN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 05:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff0d7349bf7426d816ace7eb0061309a055f2c246cbc748c5385f94b8c782b3dN.dll

  • Size

    653KB

  • MD5

    a8f5466521f175fcee8c8e8a4ae08ba0

  • SHA1

    3ce901f8333fe59a52263f7241fd99ad3e2d0085

  • SHA256

    ff0d7349bf7426d816ace7eb0061309a055f2c246cbc748c5385f94b8c782b3d

  • SHA512

    49daec3dd1e1cf5a8f5639b6f82c0afbc6bb9bc8713d6ed10940dccdd0661e7b26558a089aa8e80f329466adb3f7a0d31afd266656ed33b4b7c3875797511222

  • SSDEEP

    6144:WNIQzLZN4k3WvmRPLx+xXqOkyWh9ZN/c4bsXdHtVHs7ZrssmHoE:WNIyZN4+Wv4PLq6Okrh9ZN/hs9Dsd4v

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0d7349bf7426d816ace7eb0061309a055f2c246cbc748c5385f94b8c782b3dN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0d7349bf7426d816ace7eb0061309a055f2c246cbc748c5385f94b8c782b3dN.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4080
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 208
                6⤵
                • Program crash
                PID:1960
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3388
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3388 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:316
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2324
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 608
          3⤵
          • Program crash
          PID:3940
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 408 -ip 408
      1⤵
        PID:4448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4080 -ip 4080
        1⤵
          PID:3652

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          ee5fe122ed7f86c205655b9cba8c9138

          SHA1

          e336589d24be98c05a47ad93daf11ab568dea58b

          SHA256

          e4980b849930ff5ad2572d98efa45c128edad97927f4519a3ad8f037787b7be5

          SHA512

          1d0a1901f19a14173ef483d4c4cdb7ab6716bf2bec26cdefa22f1c4b661e592daea02c6dc634ddbcdf18e2b30df171ad8b166428b5fe9ff3f2290da2378caed5

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          f4c7e3b6d8975e2a7867144c9bfb4e91

          SHA1

          fc831c1f39a2683858c5ca8adb5d0b9d2b516c2b

          SHA256

          9b95dcfb4e2747e685b43dbda6b3762bcf86bbc94984e8048edc8033e0857eeb

          SHA512

          6c6f1ef1399653e7b0a5df830201e0deac1cbd83f359f0cfed3383f207c8ac8a499aeabc0ae0e5e83f8daf04892f481629a89ccabb5f5c2fde0e283f40fc29e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FAFA6BA-9E5E-11EF-B9B6-FA89EA07D49F}.dat
          Filesize

          5KB

          MD5

          8088d13875c56a35ebf1c3a10e1464b6

          SHA1

          c95966c1ad1755f40ed1f62f964231df274ab584

          SHA256

          69eebf586047e0efbb6c318a560cd070a86a9ae6e628521dac998fc12975f72e

          SHA512

          7da9ccf06a7b299e494e7b7ab1db389fe7d571f2ea17b0775af338efdcaba14876448e99b34147228eccea0cb206ad0c80305bc834ea4dffa047676eb65a33ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FB20889-9E5E-11EF-B9B6-FA89EA07D49F}.dat
          Filesize

          5KB

          MD5

          6d557ce584c8a9b87039802b8fe4cd67

          SHA1

          3e35c0168a967b2f483cf565ef831981bb650954

          SHA256

          727ac36ff35b6a0f62874c49513b07c434829f05f88e89c4dddd7192bae7bc43

          SHA512

          57df3e7acb16dd3c4bdf8c9edb5c6bd502ba338e339983d09b98e1c72a0e64d83da49365d24e493edfe6b24ddf10be47c5cb66e2188e20557bea6f11bbac73c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver31D9.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          68KB

          MD5

          00c1298f1a25368dbb2101d277345d6f

          SHA1

          b789d839f78e07f414e86e8a84be9960fb305262

          SHA256

          c488a4e83e777d52edd3ef44fbd77d2f34dda8f7d54f3f568972435c5a177b81

          SHA512

          00f0b9c4fcc99ba3ddce94dd42dec845deef6c3b12d3651aa571b136b22d84811063d9d550c817c805b3908c68092c822845543c554d1ccabd2d366a7673decd

          Download Submit

        • memory/408-19-0x0000000010000000-0x00000000100A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/408-1-0x0000000010000000-0x00000000100A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1484-23-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1484-14-0x0000000000590000-0x0000000000591000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1484-21-0x00000000006E0000-0x00000000006E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1484-20-0x0000000077322000-0x0000000077323000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1484-22-0x0000000077322000-0x0000000077323000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1484-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1484-15-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1484-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1484-26-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1708-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1708-6-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1708-5-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4080-18-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4080-17-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

          Filesize

          4KB

          Download