Analysis

  • max time kernel
    94s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 18:25

General

  • Target

    7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll

  • Size

    847KB

  • MD5

    d43c791d583c4a7175ab01c5734565f0

  • SHA1

    3d9124c80d48352127f8f9998939378fa802095f

  • SHA256

    7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21

  • SHA512

    bd34e5aca0155644b340b01486f4051c9faf7860429e866dd8b338c4a65b330e5c7aa8978c08a1075b82ed1004109b82f99f9c1cb634c4bab281e47074e40cd6

  • SSDEEP

    24576:Uzb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPKxyCFrKTE:UzbKsUmjtcdPGgIwPKjFr0E

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of UPX.

  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ed2b49fd78f1e8299bc660333182ab97da2cffe0a53d7c1c4f9ea96cb743c21N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:3280
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                    PID:508
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 204
                      9⤵
                      • Program crash
                      PID:3320
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                      PID:4556
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      8⤵
                      • Modifies Internet Explorer settings
                      PID:4864
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  6⤵
                    PID:4652
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 204
                      7⤵
                      • Program crash
                      PID:4992
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1444
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:17410 /prefetch:2
                      7⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:4040
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:3916
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:17410 /prefetch:2
                      7⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:4932
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                4⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  5⤵
                    PID:3192
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 204
                      6⤵
                      • Program crash
                      PID:1588
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:452
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:5020
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:3784
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3784 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1744
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4652 -ip 4652
            1⤵
              PID:3232
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3192 -ip 3192
              1⤵
                PID:3404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 508 -ip 508
                1⤵
                  PID:1780

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  471B

                  MD5

                  ec237169ada59f1945749967a6d3d7f0

                  SHA1

                  e8fe32e8fa527409463d3fa0d63b6bdf709d7bd6

                  SHA256

                  b783f55456ca301f00aab79b6a0720bfb2450aefd094e6026231fab663152d70

                  SHA512

                  d5b5bff9f6afb36817c2c556e67c4ed7fc787a51bef623eb7150b596cc4cc88bee4b10b5eccae2c2ed0055653166f68bf75f2375ce4689666eb42330361de2d5

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  404B

                  MD5

                  effdc2968ded0fef8799155df27dc71b

                  SHA1

                  ef987cdea6068b4a95ab79760f879b859afaf83f

                  SHA256

                  b317db1877ba1a402e07a217bd10645f5f4ebe2506edd1747a46d3a2a111a954

                  SHA512

                  372e11c414bcec49a89ba98f49b95af787863e2e68b917b3361ee56e885ddbe7897162fcb69352da65b8e427ccf62a76b1f6816a08d07c184a4468724d00896d

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  404B

                  MD5

                  dfaada6215201c674f2d904d33e4f43a

                  SHA1

                  b956314f846f9bc79e0188cd9b2ff0af138021cb

                  SHA256

                  da9413dccdf50c70ff7bab46744d6f42ae5374b9ef963d3ae8dd9d1464fafd40

                  SHA512

                  2d1e5e8ebbb33bb2d59129a0c38c0ea4b5560d70494b164fe08f7a4bd906503971b922545421da1371f25e7bed448be00e1e1df0289283c5e110e8385907d721

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  404B

                  MD5

                  b176ad2f169f75b76cdd0d5a529a1f78

                  SHA1

                  971a3c7fcb3574069a91f990669812d2ac1cfbd8

                  SHA256

                  1cbfc5877789c6c674551db7cd7a299571cf8f81bcb219a087f63a4187b389a8

                  SHA512

                  122bf4cfc356c81eb13dbf37fef3ba1820dea8af2deaba9d0ed565dc2d743d8e5d0e5dad3175c076bc416b080eea1c581ad91a02122c481ac268459dec1794e1

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24A5DEF3-BBDB-11EF-AF2A-5EA348B38F9D}.dat

                  Filesize

                  3KB

                  MD5

                  c35404c4f072e5cf4784fb2ef8cda918

                  SHA1

                  83d4c418785256172526fe4be83fe3e95ba4b3f2

                  SHA256

                  d28d60399fa693dc43a6e952dec535705d7134b252883693e0e80963b4c64c74

                  SHA512

                  f756fc8231c608f6996ba5659f48400adeb3e34e72639a879097b71dec2be99e34272aa3f2857fe03346a133628477aca47bcc660f50aca4324af9c09a60364c

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24A84101-BBDB-11EF-AF2A-5EA348B38F9D}.dat

                  Filesize

                  5KB

                  MD5

                  703bbfb0eff619574d31ea3201bd7e5c

                  SHA1

                  eda6e3b9a5c824ba2e026be37be92de6db94d339

                  SHA256

                  4b6f7cace7a41790988f87e9f58294d072ae001ad15dc5f293fdf85773750e5a

                  SHA512

                  0e7f26b8ad3c1f1fcdf27daea74f1ef2e3594965f0e39d7262008e6821d71f58269345b69db540391547b3e15e11c57cab352f031999202704384ee339cd52b4

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24A86811-BBDB-11EF-AF2A-5EA348B38F9D}.dat

                  Filesize

                  5KB

                  MD5

                  deac019fda5025714b22e81a4c7d7f5b

                  SHA1

                  f83fe229256dc9f450cc5f0ee848ed422d0c8dde

                  SHA256

                  0759f3f0776405b13f2a45a64a781e30f03004e150fef69ff1772332f1bada5e

                  SHA512

                  279b33ee887ce951f420f95dc1a35834bbad52f0e73cfc04050a7a5f4ed44d113e85a7928010b4988ce81578205da00d00ea0a452db8789835f74aeb9ecf9976

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24AAA3CC-BBDB-11EF-AF2A-5EA348B38F9D}.dat

                  Filesize

                  3KB

                  MD5

                  6b401fee9d24d926762055917d53cb12

                  SHA1

                  d964484a0e2984cb57b56a40c6f150ea2a027ad9

                  SHA256

                  51074f88c290e8663199b9def4bc3550ebc23eea0d369c2b863bb8157edc839f

                  SHA512

                  2f90cb78b6396dc4221caf2e28a7055a5fb723e4233ea2c1bd6276586d7006e0777085fc56d1f2c949925098bb7de8ce49f5afc126587b2e585e623a7664de85

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver913.tmp

                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                • C:\Windows\SysWOW64\rundll32mgr.exe

                  Filesize

                  188KB

                  MD5

                  f1cc4545ce3fbb3f67997f636075c308

                  SHA1

                  ec73914f3f5d69b55450dcae36f38c2723dc0b37

                  SHA256

                  7c268326f493ef41a068cfca87d25e6c60442faa9a24539eea5777013f797856

                  SHA512

                  749a50c6663be9d3e74602a916a0679a25acbcf3763c3c8882a6d663a33a70b8b37a1f4927aa39bd1da60bbad572b1eae22ba0736d6d97ef61e1027c609fe6b2

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe

                  Filesize

                  93KB

                  MD5

                  35c2f27961e27275564493d459b6213e

                  SHA1

                  d8a65a578457493161262c77d6c76ed7876b6a8d

                  SHA256

                  1a1b741ef968cb4cb2e5a5404366a66cd69b025a5b38814792e2f51d43b2d60d

                  SHA512

                  b15bb1a4a5158bb4103d6f62cd64a8ac2df398f2990995a99898bf207fc653a0b877d5904689c106634d2bdb4efb38e55adafd4b07bb199c1875d4a1028ab557

                • memory/960-14-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-4-0x0000000000400000-0x000000000044B000-memory.dmp

                  Filesize

                  300KB

                • memory/960-9-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-10-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-21-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-25-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/960-15-0x0000000000A60000-0x0000000000A61000-memory.dmp

                  Filesize

                  4KB

                • memory/960-22-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1540-33-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1540-13-0x0000000000400000-0x0000000000433000-memory.dmp

                  Filesize

                  204KB

                • memory/2012-66-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2012-81-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                • memory/2012-85-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2012-60-0x0000000000430000-0x0000000000431000-memory.dmp

                  Filesize

                  4KB

                • memory/2012-92-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2648-58-0x0000000000400000-0x0000000000433000-memory.dmp

                  Filesize

                  204KB

                • memory/2648-63-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2916-84-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2916-90-0x0000000077252000-0x0000000077253000-memory.dmp

                  Filesize

                  4KB

                • memory/2916-65-0x0000000000060000-0x0000000000061000-memory.dmp

                  Filesize

                  4KB

                • memory/2916-72-0x0000000077252000-0x0000000077253000-memory.dmp

                  Filesize

                  4KB

                • memory/2916-46-0x0000000000400000-0x000000000044B000-memory.dmp

                  Filesize

                  300KB

                • memory/2916-59-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/3192-78-0x0000000000390000-0x0000000000391000-memory.dmp

                  Filesize

                  4KB

                • memory/3192-79-0x0000000000370000-0x0000000000371000-memory.dmp

                  Filesize

                  4KB

                • memory/3280-91-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/3280-71-0x0000000000400000-0x000000000044B000-memory.dmp

                  Filesize

                  300KB

                • memory/4296-0-0x0000000005000000-0x00000000050D9000-memory.dmp

                  Filesize

                  868KB