Overview

overview

10

Static

static

3

ddc90ceb2f...dN.dll

windows7-x64

10

ddc90ceb2f...dN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 20:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddc90ceb2fe45dad57289f3d1991dafdda833cc119511867b805b1d179b7b30dN.dll

  • Size

    700KB

  • MD5

    a24dce7944629450d9bfa2695f355f30

  • SHA1

    3debd1f6891fb4075792f6230e51ac02fbb3e956

  • SHA256

    ddc90ceb2fe45dad57289f3d1991dafdda833cc119511867b805b1d179b7b30d

  • SHA512

    b79b9bc5a5c39719500423a80965546564a393e2dd5bbdd0d2f8e735c8a38c062b02b9fdae91c390543bdd0d0758c79f1bd589ecc060f948943cec368be3140c

  • SSDEEP

    12288:th8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNVmLCyps3XHbPVD2BWRYO3xP:t8F+Pzr/Hfp4MIYwZckMQmILCy0XrVD3

Score
10/10
ramnitsalitybackdoorbankerdefense_evasiondiscoveryevasionspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs

    Possible initial access via DLL redirection search order hijacking.

    defense_evasion
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddc90ceb2fe45dad57289f3d1991dafdda833cc119511867b805b1d179b7b30dN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddc90ceb2fe45dad57289f3d1991dafdda833cc119511867b805b1d179b7b30dN.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1320
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3464
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2400
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2316
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1880
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:628
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    DLL Search Order Hijacking

    1
    T1574.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    DLL Search Order Hijacking

    1
    T1574.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hijack Execution Flow

    1
    T1574

    DLL Search Order Hijacking

    1
    T1574.001

    Impair Defenses

    4
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      e5ade6c00eff82e29d72a64e434c59bf

      SHA1

      39f7f2422694b953c56df2951bfa90e0ecc0bd5b

      SHA256

      a53cbf629f2b9e3e7ae51aad0cf20047fe6eedffe9b13e929036ec79c7de9501

      SHA512

      63e7b8bb83431752d876866898cc39d26a1b4494eff1f28c97d3c007849a46e93ed16f893156bb35b127d4717eed390e1cd1a2230ec8742c391af04bedb3ccbb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      9411308a6cee9eff6b32c86fac7fcbd3

      SHA1

      3c0779986eadb04fd7a41a0b421c9fc01008efb9

      SHA256

      123357c4875cab4b747408306e40598a920d2f2eb6c074d8467690338ffb2465

      SHA512

      8d3ad86f1c452e85bb33064d98d5f49670b1877550c3ce07a230432547243e9ec1ceb65f5b76635482a8fea1ce5142638392fb4e2d7a26ea44dbcc00aff06de3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      2dc778e0e745939b06c62eb28bc09ea1

      SHA1

      8a82d5604ad25d976318148d5b3685ad64a54c2a

      SHA256

      274d97e8149181f82bd1e5cd711a86333a843c2f2580e52834a1a3931b86dc74

      SHA512

      c6fc647a0b7784f569360d815a4a7ed217ae17c358d8d85b89c63398304fe6b3d186325cbc92c1c44e195ec5521d62ab12bffcc56a1cc98c6034c00313addc94

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{342391F7-BE49-11EF-BEF1-FA9F886F8D04}.dat
      Filesize

      3KB

      MD5

      712204eea9f2fe643b03a42a720755a3

      SHA1

      fe030e8fe92617bdefe047d5130264062f9b2f33

      SHA256

      f3b30f1e85445a0571e6942e544d56471449da5889badb9caa3b990cbf1e9e0b

      SHA512

      5acb5653f8bad38a82e0ab782403e40ecfdbe590a4361cb7feb25b9c6fe572b4a8cca73bfaafda2197a12ec4d75c55602fc8df4fa22d77005e595579c603cac9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3425F488-BE49-11EF-BEF1-FA9F886F8D04}.dat
      Filesize

      5KB

      MD5

      35f98e7127bef6cce3db796f6519bd87

      SHA1

      ed720b42dbc4423b90f7e585384b475a0470dc66

      SHA256

      f3e24f6fc19436d9118a73d0bdef137a30005bc83707969744d6530cc3954195

      SHA512

      7b082428735031e2f73dd5f469ff7b60606ee848f6f5e3b55a12ebabbf83dc593847e835db91960d721a6b6e115aaf0ad56eb0815d1b371ed6978180450389ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver664.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Wplugin.dll
      Filesize

      108KB

      MD5

      8847a8302dacc1d6fca61f125c8fe8e0

      SHA1

      f399142bbf03660bee1df555ebbf3acc8f658cf0

      SHA256

      9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

      SHA512

      2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

      Download Submit

    • C:\Windows\SysWOW64\rundll32mgr.exe
      Filesize

      264KB

      MD5

      ee7ab63b15daf6e7e916a6d63c2637ea

      SHA1

      a4f03719b2cf5767dc40c122aaf4411284870cfe

      SHA256

      e0555799255e6ab4ed2c85b2847b4c408bb1a9616cb842a8fc84ff679c2dc80f

      SHA512

      3731763857e30a4b3dfa41447b6ea4b0521846194a4d4cab2359345c2ead46deeca63216d4080c576dcd10673cc8973fb581edae068d964c913759c3d0cfe9ec

      Download Submit

    • memory/1320-37-0x0000000003C00000-0x0000000004C8E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1320-30-0x00000000008B0000-0x00000000008B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-29-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-4-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-11-0x0000000000401000-0x0000000000402000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-19-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1320-26-0x0000000003C00000-0x0000000004C8E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1320-24-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-38-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-15-0x0000000003C00000-0x0000000004C8E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1320-23-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-31-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-22-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1320-21-0x0000000003C00000-0x0000000004C8E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3268-0-0x0000000010000000-0x00000000100B4000-memory.dmp

      Filesize

      720KB

      Download

    • memory/3464-59-0x0000000077DD2000-0x0000000077DD3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3464-56-0x0000000000070000-0x0000000000071000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3464-57-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3464-62-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3464-58-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3464-53-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3464-54-0x0000000077DD2000-0x0000000077DD3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3464-52-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3464-44-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download