Overview

overview

10

Static

static

3

2ff9a759b1...9N.dll

windows7-x64

10

2ff9a759b1...9N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll

  • Size

    156KB

  • MD5

    cbaea82b71660159af6de5a530d04e20

  • SHA1

    f2d1de3d319fa613d6579c3a3ffdc08dfe2d0d8f

  • SHA256

    2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19

  • SHA512

    4cf29c705eb7b9dec6baad65330e6f29709eb8d2734833689cb0562c40ac2722386c8e98703203677d4df3acb26a76db40cdc3c197d29d74397f27057ac725fa

  • SSDEEP

    3072:ln4cV8gf2u41Z5tKlw6XZufRdL+eONORnKW12hB7:B4y8gOl2puiORnj12hB7

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3728
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 204
                6⤵
                • Program crash
                PID:3864
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1708
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2884
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3728 -ip 3728
      1⤵
        PID:3756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        87f8376b71b1fd35da4b511eff055888

        SHA1

        0c55fba0aa699282bbe4d129dd0ba16d4e377ce9

        SHA256

        a1383ed3b4f8967fb19f5b16bfe41eb3242b296ffc06c1098fbe1d1a04a7003f

        SHA512

        8556ed20a3d9daf8f74b2eceaab6a3773b69d5c9524ba8dbb8af1ad64b2235165e487c41646e357be5906aaa7f0f4c57ff8dc9ea2acc0c87f443d3ad083c9031

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        d79cea90047a172c4df92d7d789f1835

        SHA1

        a4cdc5796a0aadb37aa4d2766794258cd9dd0be3

        SHA256

        381fe54f03103a9448ef89f1adab4468e3f5dfa1b9b7e911f26d84c48dbf9f2c

        SHA512

        1f02ddc12276e02d09d4212d10a3a3f6d54e71f8aee25e36c011e4649a23cb23be6cf75a734d4742f1fcbabbc1d30b94c95cbe3e596abebefbed58a486296e2a

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        82dd8ce6eac651222353231dd4fdb789

        SHA1

        b577d5d5db787dd3155689cfb93e5f0c32b8a605

        SHA256

        e9710d9caec458c0db719ddba1cc8b3140a9ee5d5a0f7943787a5c9e78f901d9

        SHA512

        368762bbdfa644701f174d00396f6dbb746bc2962544df8b21d0a26b2ad7856cd1d0d34b3f69d8086c13bd5f4a5795f070f2b25efb81dfb20386eb95183c2e0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{72E5C235-B71C-11EF-A7EA-4E8E92B54298}.dat
        Filesize

        3KB

        MD5

        12ead18544a4a28eaa0303a3a7565f1e

        SHA1

        586bdf5308a701680708cfcce08b5facb57f3480

        SHA256

        bb850150fc00552e06ff3cd6eb34bf6ab435ef5e43485df386c981f01814ea97

        SHA512

        ff9e009aff1ef2592c1a480c8012a024f52e3695d52ffe7f4720430af8e72e15a30d138f1694f606e286b83d432e86aadc7a5d76cee28fe6b36f97dae6712f14

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{72E824DC-B71C-11EF-A7EA-4E8E92B54298}.dat
        Filesize

        5KB

        MD5

        908e6e200e8a0b98ef1c1b71fa9492f3

        SHA1

        5ef13fa261acce79fe7bfd0d3eff6b8e31a106b0

        SHA256

        28085ddb22d83dd3c3808294361c6f73eaa732e19c5513af7083ea1c4aad85a8

        SHA512

        9a503347edd26fb99818b48a99726beaea7c0def90422fdb5deaa519c9f098b5fcfc2cfce4f97455ea15da5550f55bdf2f69c17476413dff63c837561ef879d7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1E0.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        65KB

        MD5

        a9ea94ee4a3bb43d4057823b2072dc54

        SHA1

        94ade3c34ec08613daba8a1240586c24f8169794

        SHA256

        7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

        SHA512

        0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

        Download Submit

      • memory/1372-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-14-0x00000000005F0000-0x00000000005F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-19-0x0000000077B52000-0x0000000077B53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-20-0x0000000000600000-0x0000000000601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-21-0x0000000077B52000-0x0000000077B53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-22-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-25-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2044-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2044-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2044-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3728-17-0x0000000001210000-0x0000000001211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3728-18-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4104-0-0x0000000010000000-0x0000000010028000-memory.dmp

        Filesize

        160KB

        Download