Overview

overview

10

Static

static

3

d300e14a2f...8f.dll

windows7-x64

10

d300e14a2f...8f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d300e14a2f6a452d482f9edfdaf8d8cc28f401dfe36f7d118c9a0ff844b1a38f.dll

  • Size

    284KB

  • MD5

    7f84c5da3178763ada09b7891c7fae1d

  • SHA1

    6ffb94ca2a7884739c047fdf276a25b70143d63d

  • SHA256

    d300e14a2f6a452d482f9edfdaf8d8cc28f401dfe36f7d118c9a0ff844b1a38f

  • SHA512

    c4ff8fcd04eb2d89d6f7917b5db85a9c549b45faec03bcc0f9dc508dc768a788a6c846cd725690790debf9232bb589da332094ba02c8a8dba7ef6889b00a0487

  • SSDEEP

    6144:dMqWfdNAF0/p8O456wg+RFxj3OWmgvWruTyOQMYM:GqWfdNAqpV45a+FxLmb5MYM

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d300e14a2f6a452d482f9edfdaf8d8cc28f401dfe36f7d118c9a0ff844b1a38f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d300e14a2f6a452d482f9edfdaf8d8cc28f401dfe36f7d118c9a0ff844b1a38f.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2280
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:2188
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                    PID:2196
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 204
                      9⤵
                      • Program crash
                      PID:3040
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                      PID:2412
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      8⤵
                        PID:432
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    6⤵
                      PID:1760
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 208
                        7⤵
                        • Program crash
                        PID:3616
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      6⤵
                      • Modifies Internet Explorer settings
                      PID:2108
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:17410 /prefetch:2
                        7⤵
                          PID:4344
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe"
                        6⤵
                        • Modifies Internet Explorer settings
                        PID:4888
                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                    4⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of UnmapMainImage
                    • Suspicious use of WriteProcessMemory
                    PID:3352
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\system32\svchost.exe
                      5⤵
                        PID:4024
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 204
                          6⤵
                          • Program crash
                          PID:4572
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe"
                        5⤵
                        • Modifies Internet Explorer settings
                        PID:1360
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1360 CREDAT:17410 /prefetch:2
                          6⤵
                            PID:1500
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe"
                          5⤵
                          • Modifies Internet Explorer settings
                          PID:1948
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:17410 /prefetch:2
                            6⤵
                              PID:1460
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2196 -ip 2196
                    1⤵
                      PID:2632
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1760 -ip 1760
                      1⤵
                        PID:2840
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
                        1⤵
                          PID:4588
                        • C:\Windows\system32\backgroundTaskHost.exe
                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                          1⤵
                            PID:1760

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Program Files (x86)\Microsoft\WaterMark.exe
                            Filesize

                            249KB

                            MD5

                            725aad1265430294dabb34fbbdd37b60

                            SHA1

                            e6f02781f9dfe58ba653554d45ef027646638d41

                            SHA256

                            c305dd145312babc4bd84cb9b1f998f81ed90b527b52666d68add509eca1b5e7

                            SHA512

                            7437a4b7b9ea19267d71933ef1fb18565ecc00516dbed0b49a3b3300be824db3509aace52baa96e5d31143d8aff9ec8abb6499c620e5f5fa403f4f2c741ca1e9

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                            Filesize

                            471B

                            MD5

                            55e40aa7a274d26f0bb8e2117239d1bd

                            SHA1

                            3174d1748da1dea0226e5b485400c5a139b6dd9f

                            SHA256

                            1d11d5b7b9240006ea7860d39703d111fefaae92f3c67259f0c743417e634a8e

                            SHA512

                            4b6de1f6ed69e04740b16428e984e1476c0e3ebb37ab8893454a1c271c2fce65fb5c4a355f1db0eb00560a6f951ee8102fb9629abfff5fd1ab363ef53cd2253d

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                            Filesize

                            404B

                            MD5

                            f56f64478d8a323703acad04e8ea1f7d

                            SHA1

                            c3109fad689c4600e45227cf070355254a5a55c8

                            SHA256

                            8b47317e0c926c78102ccc37247893e169e07902494ce3c8085b0dae5ce7542c

                            SHA512

                            9a7b26fe12bb110849f562dc10df29c63d45c3addb5e0a302f32a4411b722bcb5a6593b4372a2b17f386246db912c757b6209520442775c566d4b8c55b7fa574

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4826E0B9-A7F2-11EF-B9B6-F6235BFAC6D3}.dat
                            Filesize

                            4KB

                            MD5

                            ad6d7fb46af3ccdb13113cd5a1ce85fe

                            SHA1

                            a3c2f39fa0d85557b6328196c8805a7fc4b2b1db

                            SHA256

                            8c98fba3511fed5fc414df57f2a0e73ac2d2a5a009aea33e4934bafc2de992f6

                            SHA512

                            fcb27f2d94ae2739ae886005c7ce4b4df4e4030149d4829e4ec22279ea0e52eaed579a1e5d1fde948a512df843f4e0b054b8ef02e6524377521735c0a1a17e08

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4826E0B9-A7F2-11EF-B9B6-F6235BFAC6D3}.dat
                            Filesize

                            5KB

                            MD5

                            7ded658aed39883bf3aee346bf2a4d22

                            SHA1

                            61e3e53b6fa8cd809172f5ab4a2784fb3953519d

                            SHA256

                            8a90f3015a1e798f3c996c81b77c041d4973a189a47c58dd457b248ebfa37b81

                            SHA512

                            cea595a8733fce24df425e90d2d86fca8136d42af940b8183609760b47be0c5bfa54580fd83f6df0d3e2ad8f45897f5cd8a89c18405b8bf416cb852f60a6077b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4829422E-A7F2-11EF-B9B6-F6235BFAC6D3}.dat
                            Filesize

                            3KB

                            MD5

                            5810513ad71b0b9ab9ada64402c119a5

                            SHA1

                            af765e01e36f6e79817a5a7e7dc216a62b9d9699

                            SHA256

                            88a1158eb41dba0c29b043588a649031176c07d6b3750a9ce9b1ee079d8de588

                            SHA512

                            ae9d33d044b76b1fbeedc3ad66066c9174a6156cfceb4d143c4dac500f0d355dcf5ba842c66c9c858853423e6248a35812fdfef94f87d0a94e6787910e2745de

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver468A.tmp
                            Filesize

                            15KB

                            MD5

                            1a545d0052b581fbb2ab4c52133846bc

                            SHA1

                            62f3266a9b9925cd6d98658b92adec673cbe3dd3

                            SHA256

                            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                            SHA512

                            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US
                            Filesize

                            17KB

                            MD5

                            5a34cb996293fde2cb7a4ac89587393a

                            SHA1

                            3c96c993500690d1a77873cd62bc639b3a10653f

                            SHA256

                            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                            SHA512

                            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                            Download Submit

                          • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                            Filesize

                            123KB

                            MD5

                            04161f533ee93611681445f8a165ed68

                            SHA1

                            d3f4b2bfc8b384d2602989082056751ae21b8105

                            SHA256

                            97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

                            SHA512

                            4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

                            Download Submit

                          • memory/468-16-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-15-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-13-0x0000000000401000-0x0000000000405000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/468-14-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-4-0x0000000000400000-0x000000000044B000-memory.dmp

                            Filesize

                            300KB

                            Download

                          • memory/468-34-0x0000000000401000-0x0000000000405000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/468-21-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-20-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/468-25-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/468-18-0x0000000000400000-0x000000000044B000-memory.dmp

                            Filesize

                            300KB

                            Download

                          • memory/468-17-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/2280-70-0x0000000000400000-0x000000000042B000-memory.dmp

                            Filesize

                            172KB

                            Download

                          • memory/2280-73-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/2336-6-0x0000000001410000-0x0000000001411000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2336-7-0x0000000077792000-0x0000000077793000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2336-0-0x0000000010000000-0x000000001004A000-memory.dmp

                            Filesize

                            296KB

                            Download

                          • memory/2336-5-0x00000000013B0000-0x00000000013B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2568-52-0x0000000000400000-0x000000000044B000-memory.dmp

                            Filesize

                            300KB

                            Download

                          • memory/2568-58-0x0000000000430000-0x0000000000431000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2568-82-0x0000000000070000-0x0000000000071000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2568-88-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/2568-67-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/2568-69-0x0000000077792000-0x0000000077793000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2568-90-0x0000000077792000-0x0000000077793000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3352-68-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/3352-89-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/3352-91-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/3980-12-0x0000000000400000-0x000000000042B000-memory.dmp

                            Filesize

                            172KB

                            Download

                          • memory/3980-26-0x0000000000400000-0x000000000042B000-memory.dmp

                            Filesize

                            172KB

                            Download

                          • memory/3980-31-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download

                          • memory/3980-37-0x0000000000400000-0x0000000000421000-memory.dmp

                            Filesize

                            132KB

                            Download