Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 01:42

General

  • Target

    904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll

  • Size

    847KB

  • MD5

    e39ce0a9490d34de9dcf5707efedbbae

  • SHA1

    3dafc8544447630375959d8387510f33b0867dac

  • SHA256

    904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669

  • SHA512

    5a9f30c9c39b3a0d141d8ab7b03d203c54d4b3062551443831f317f393b4524ef5ac1dc8aca8b687b866150ad0e170b5369c10b987cde592606137ad9159aea6

  • SSDEEP

    24576:2zb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPEs++iv:2zbKsUmjtcdPGgIwPEsriv

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\904bf74c214e2d3f97418b03a5ff4a8df07bcc618cc22841f9e6eb97aa0dd669.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1108
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:1724
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 76
                  7⤵
                  • Program crash
                  PID:1572
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3716
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1672
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1844
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4852
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:4712
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 204
                  6⤵
                  • Program crash
                  PID:1968
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:5084
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3556
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1804
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1724 -ip 1724
    1⤵
    PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4712 -ip 4712
    1⤵
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

            MD5

            641fd00a680e2a2b7c46da9f49d4ac01

            SHA1

            91342c03f46164a5ffba758b6201387912e09026

            SHA256

            69b70d73aed768e709b4e26268d4bfbb349d3ed2d7fc7bba042a347b29f1062d

            SHA512

            004e47e9e0623bf782ad71418257088902bec47d213027287c46393d7a413d69a69fd213df1781d3c49ddde689943d5c5f3ff844fb9cc81c7eeaf331b8a4344f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            404B

            MD5

            c0830253a2d8e42277495a83bf033787

            SHA1

            57efb34f6e615708cd33bbce5b3de6354893f911

            SHA256

            842358cd219a176e1a4e9868123fb0d7e4a55dee5b44323dccbd982f7ed10500

            SHA512

            ace000dca52d7435c5c0a2f8b2aac163b8c46fa65ebbab683acf397a49bf147c79bba77858ed2ac9873e554c9d76fb4315c02e8b99c1cd02a85765960d3119ab

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            404B

            MD5

            cc408022af32c1be8006ae27d6a60523

            SHA1

            2ae1fab8584d02e1a4cfecef69d6896c3103b3be

            SHA256

            9f995ca28dd92e0159a36726dcec23fb52b98cfbf66b5da068bc5a532322b5a8

            SHA512

            c206e27421ddda17aced87d82d57306ee9d10061868c3a20d68759c84a4e40906f8714a7005639907c07498264e82bff85e46f1cfcb2e52b41e9387384f27cac

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            404B

            MD5

            4918469e436edd2e0a23c59b3070a6e7

            SHA1

            0a796dfb5459a27295f174af3f723161ff4a9daa

            SHA256

            0766141069f2f012c78f90664af50569e93904b058bdd8e4f8bf055e9f2137c1

            SHA512

            538d319bded8c168df9963ea319551bca0421de1a0e8ca5eea1c92b7542c51be387a354d91f75ffbf917bb298a6ff0e4a2a88a47e4e5876115b4c9a5d43c2ff6

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{584E3675-BCE1-11EF-91C3-468C69F2ED48}.dat

            Filesize

            3KB

            MD5

            afcc0be78cd560d0f443ce673d710a76

            SHA1

            a38d0af64ec8e6b5359a06675809085eb897e293

            SHA256

            d6acbc8b9d19b87b2bd209ac0102899470974d25744f4dcdcd78437fb5c45be3

            SHA512

            b8222a6f6f375f094faf40859cedc0ec6c33a21eef83ad72aaad9b1047dc2c7aaa0b3df9b380ea2b09238f87fde4f808abb55fa0409f3d984ba336c7584151ab

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5852FB20-BCE1-11EF-91C3-468C69F2ED48}.dat

            Filesize

            5KB

            MD5

            39902b885819f97fbd127ece5bd9346f

            SHA1

            ccd1de9b135a08105418b617431647256aebaab6

            SHA256

            bc0a7bc8521bb0a707e65e1d44ba0d5ebb13890170575a8fdbd10494299715f7

            SHA512

            4ce8be451edfd4b6ffeb4aee9bb8351428c89ff9803c0d1ffee0157240d67808a37e3a2aad3168f4e9c370db63d947fa7ce2a5e996063b032fcf757ccf407781

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58555D87-BCE1-11EF-91C3-468C69F2ED48}.dat

            Filesize

            5KB

            MD5

            525453ea689c6a87a981176ff503ce18

            SHA1

            ee7a218bed8b7d05b956af7eaf8993c8f899cdaa

            SHA256

            a08e213d6025a40736368100ec74e2b0b708e525283a67a844c1dd50b0210a44

            SHA512

            f416dcf7097fd01854724e05406520583dd6364e16a88453c2a3f6e2ffad4d9c2abdc7874cb0217ed9e85fa040cac1cfd0ceb502be4c362252e5758d07963a46

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58558497-BCE1-11EF-91C3-468C69F2ED48}.dat

            Filesize

            3KB

            MD5

            1dbf205338e92c5613c5593e85f3527b

            SHA1

            7839651bd623113ac59b354999700767268aaade

            SHA256

            0c03cfa6fa91c86f9a10b926db96cc1f88b9afb9253930dd889f62a182856d55

            SHA512

            576f504c09d203e8ada2b92f129c43ad485e055d135bbf494317ff8a91868bfb68d3ed2c118b7333436fb329a5a4b6ed2978858a814d6c12715b8699567f2847

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

            Filesize

            15KB

            MD5

            1a545d0052b581fbb2ab4c52133846bc

            SHA1

            62f3266a9b9925cd6d98658b92adec673cbe3dd3

            SHA256

            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

            SHA512

            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Windows\SysWOW64\rundll32mgr.exe

            Filesize

            189KB

            MD5

            099e4698fcd0d07e187674a28d6f0753

            SHA1

            2d8f6796eb9481e50527192c28d4bb0b35ccf9fd

            SHA256

            250f98faf04cfac9aecdc1aac8014c8586b0f08564ad0ca782b17c7703fb6469

            SHA512

            94ce6c87edea0678d459d10bd1d5e19e1eba0a9fc54e2e8884c64fe5c67921b80b054b430dcb6b9102385587c48c93a6ac44c4dd77ba1cbdf378171ff8d0ea69

          • C:\Windows\SysWOW64\rundll32mgrmgr.exe

            Filesize

            93KB

            MD5

            35c2f27961e27275564493d459b6213e

            SHA1

            d8a65a578457493161262c77d6c76ed7876b6a8d

            SHA256

            1a1b741ef968cb4cb2e5a5404366a66cd69b025a5b38814792e2f51d43b2d60d

            SHA512

            b15bb1a4a5158bb4103d6f62cd64a8ac2df398f2990995a99898bf207fc653a0b877d5904689c106634d2bdb4efb38e55adafd4b07bb199c1875d4a1028ab557

          • memory/1108-50-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1108-73-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1108-37-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1108-65-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1108-68-0x00000000774D2000-0x00000000774D3000-memory.dmp

            Filesize

            4KB

          • memory/1108-51-0x00000000001D0000-0x00000000001D1000-memory.dmp

            Filesize

            4KB

          • memory/1108-64-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1108-63-0x0000000000070000-0x0000000000071000-memory.dmp

            Filesize

            4KB

          • memory/1204-24-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1204-12-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1204-13-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1204-18-0x0000000000A00000-0x0000000000A01000-memory.dmp

            Filesize

            4KB

          • memory/1204-11-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1204-10-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1204-22-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1204-17-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/1724-60-0x0000000001080000-0x0000000001081000-memory.dmp

            Filesize

            4KB

          • memory/1724-61-0x0000000001060000-0x0000000001061000-memory.dmp

            Filesize

            4KB

          • memory/2440-54-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

          • memory/2440-56-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/2440-67-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/2440-38-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2440-55-0x00000000774D2000-0x00000000774D3000-memory.dmp

            Filesize

            4KB

          • memory/2440-62-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/2792-29-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/2792-25-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/2792-6-0x0000000000400000-0x000000000044B000-memory.dmp

            Filesize

            300KB

          • memory/2972-0-0x0000000005000000-0x00000000050D9000-memory.dmp

            Filesize

            868KB