Overview

overview

10

Static

static

3

2b240b93bb...eN.dll

windows7-x64

10

2b240b93bb...eN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b240b93bbd97f60b0fdf3a233971fca5c4e9bd2aef37ff5110f216535d5623eN.dll

  • Size

    749KB

  • MD5

    a32f2bcfdf7ff4a206b428c4f209c040

  • SHA1

    3db18e92b74fdb87699cc10d829e06749a219598

  • SHA256

    2b240b93bbd97f60b0fdf3a233971fca5c4e9bd2aef37ff5110f216535d5623e

  • SHA512

    b7a9e006d35a238e935bb54c1c3b39af017bc48c80b0d558ec2d641781b8300ec835574626eedf22047ecdc70c32e2f828eea8ab6f46adcbe3917f36a75603ca

  • SSDEEP

    6144:2NIQzLZN4k3WvmRPLx+xXqOkyWh9ZN/c4bsXdHtVHs7Z9UqKJ0M:2NIyZN4+Wv4PLq6Okrh9ZN/hs9DsdDC

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b240b93bbd97f60b0fdf3a233971fca5c4e9bd2aef37ff5110f216535d5623eN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b240b93bbd97f60b0fdf3a233971fca5c4e9bd2aef37ff5110f216535d5623eN.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1788
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 204
                6⤵
                • Program crash
                PID:1196
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4480
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2100
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:1948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 608
          3⤵
          • Program crash
          PID:1384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2468 -ip 2468
      1⤵
        PID:4264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1788 -ip 1788
        1⤵
          PID:1020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          e5ade6c00eff82e29d72a64e434c59bf

          SHA1

          39f7f2422694b953c56df2951bfa90e0ecc0bd5b

          SHA256

          a53cbf629f2b9e3e7ae51aad0cf20047fe6eedffe9b13e929036ec79c7de9501

          SHA512

          63e7b8bb83431752d876866898cc39d26a1b4494eff1f28c97d3c007849a46e93ed16f893156bb35b127d4717eed390e1cd1a2230ec8742c391af04bedb3ccbb

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          f1477e80dc6cf077119bc48ae399a8e2

          SHA1

          fb8587a6998f89b5ed282e363043bd9e80411030

          SHA256

          cb1737e74c314e02f28de4b53a64ab62f44c15c78408fb07318137cfea330372

          SHA512

          14fbe0534d38f31e3e36fec3fbb30ec9f5573e8aa03bf4dc4cb77f77b334918c49c7a7ba713fb73ce5c1c05b97eadd6815219ab2f50f40436ba7588e539447af

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1B63.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          164KB

          MD5

          2a37762e1964cb393abf1b26b048e762

          SHA1

          6167b12b2d0e4db8bad3dd8ac6c7674f8eea2f1d

          SHA256

          385539e7b0dbbe1de66ca4888b07baab2bbce51b3e6c6edc1b2602628fa7d8e5

          SHA512

          57e2904f6231c879d99df7fdbc321c03c76bef310e0510b818d1fa3663d44d6e56742d1b746e96d42e9559c83d437bbc4eb7fe672567fd7e18ec513bfb8c53aa

          Download Submit

        • memory/1788-35-0x0000000000E40000-0x0000000000E41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1788-36-0x0000000000E20000-0x0000000000E21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2468-1-0x0000000010000000-0x00000000100C1000-memory.dmp

          Filesize

          772KB

          Download

        • memory/2468-37-0x0000000010000000-0x00000000100C1000-memory.dmp

          Filesize

          772KB

          Download

        • memory/3744-32-0x0000000000830000-0x0000000000831000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3744-38-0x0000000000A80000-0x0000000000A81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3744-33-0x0000000077812000-0x0000000077813000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3744-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3744-40-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3744-39-0x0000000077812000-0x0000000077813000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3744-31-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3744-30-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/3744-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-10-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-6-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-17-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4656-11-0x00000000008B0000-0x00000000008B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4656-5-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download