Overview

overview

10

Static

static

3

007063d9f4...4N.dll

windows7-x64

10

007063d9f4...4N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    007063d9f4c3761c8e371805d52991711f369c7acc9945b9db5975cd867af364N.dll

  • Size

    764KB

  • MD5

    f4b425d9ccec076906a9ef79203852a0

  • SHA1

    3db71e97ae1df8cad9fc06cdcbc8117a90ff1a3a

  • SHA256

    007063d9f4c3761c8e371805d52991711f369c7acc9945b9db5975cd867af364

  • SHA512

    b3f1ca0ac63ffbe2fad35092ed79f21b77ab7245b0174d8c247e6f12cf93b5d4ceebe293c64320e80363f4c4cf210d245f696b8ce9f1f1dfbc26250e052a85aa

  • SSDEEP

    12288:Vh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNvqxH1t+o10o7kFY919:V8F+Pzr/Hfp4MIYwZckMQmvqxH1BL7kQ

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\007063d9f4c3761c8e371805d52991711f369c7acc9945b9db5975cd867af364N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\007063d9f4c3761c8e371805d52991711f369c7acc9945b9db5975cd867af364N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4596
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:4396
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 204
                  7⤵
                  • Program crash
                  PID:2448
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4324
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4324 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3808
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                PID:4080
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:4980
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 204
                  6⤵
                  • Program crash
                  PID:1400
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3016
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1240
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4396 -ip 4396
        1⤵
          PID:2260
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980
          1⤵
            PID:2128

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            e5ade6c00eff82e29d72a64e434c59bf

            SHA1

            39f7f2422694b953c56df2951bfa90e0ecc0bd5b

            SHA256

            a53cbf629f2b9e3e7ae51aad0cf20047fe6eedffe9b13e929036ec79c7de9501

            SHA512

            63e7b8bb83431752d876866898cc39d26a1b4494eff1f28c97d3c007849a46e93ed16f893156bb35b127d4717eed390e1cd1a2230ec8742c391af04bedb3ccbb

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            a50518d65258470d16dae6c1ce5a0c67

            SHA1

            f396fdb86fa790c4a126c9961d816a440351e136

            SHA256

            e2a6b691a66789b68cc77f705f4a5da5ee738e2a90291f0c367704a9ba8d4ffc

            SHA512

            a04c62424c338ec652f6eaafc61fddea1814c56116bad9101c4511334c9d3532534066fac5bdbfaad54a468f6da545ac29711a474ba94b548752ff2243548939

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5F5C4FD-BE91-11EF-A7EA-DA67B56E6C1B}.dat
            Filesize

            3KB

            MD5

            fe51874874a5fff6359354c3dc1cfb23

            SHA1

            a449533d7a93669ab6c134e45d49ddf412880d62

            SHA256

            844af9bb0b634338572b2ce2d606531e31e4c204eea4d26a53bcfa69e9ea465d

            SHA512

            1c2a3c3f15b9d313ab5a0d4fba49e9fde875b331b035beac841dc46446e6dd6b21af4bbe9ac5ed3784cff2c24570aa3eeec7999d33fdd19365a099fe6b967529

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5F8276F-BE91-11EF-A7EA-DA67B56E6C1B}.dat
            Filesize

            5KB

            MD5

            81217cdddf553b4d970821f4061ef9b7

            SHA1

            30ed205598426f05b8153ed0ca3adf0faca290cf

            SHA256

            ad519a75a42c6d083cb555a63ae596ae3c7713613039656bfafdeff3e57b6e4d

            SHA512

            a4fa081ab814c96a6861026ac6bd8fd6c4517b46b160528a2c897218d1f5177996896bd8225cd88fe93f5a84978f0592d67cb5b1ebabb2555cc8c3375323c965

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5FCEBDA-BE91-11EF-A7EA-DA67B56E6C1B}.dat
            Filesize

            5KB

            MD5

            7c8fea0bd988d96c78790f04b44fa8c1

            SHA1

            48ed1f2f9d868472f53c13596c4b4c2f5fae0442

            SHA256

            a763b2e5cfbb1630e482c32b854abc166757fbca324ee9c9ba76c47de9982773

            SHA512

            551c7b6a5bb9d9ec9b3d06c78c9776533f20c99751d805601f2aa8e880fcfdd86ecc08af26733f8ce4944ced31956b7a1c31fd4011a29682ec32afe0a512b702

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4476.tmp
            Filesize

            15KB

            MD5

            1a545d0052b581fbb2ab4c52133846bc

            SHA1

            62f3266a9b9925cd6d98658b92adec673cbe3dd3

            SHA256

            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

            SHA512

            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit

          • C:\Windows\SysWOW64\rundll32mgr.exe
            Filesize

            328KB

            MD5

            71c29fe7fcb09fb67433948f39b18967

            SHA1

            4c7f7be7a4bc2205b612666c1aa607d8143db529

            SHA256

            359eaf59b5b67a22a182fc2ce9711621ca7c51de6fb244ac3ec3186dc91c115c

            SHA512

            4aa671661c446c08854b26a4ed9f76256b47db69a82e5fe2ed7bc8bf96529453dc1fbb511485a7f63487295df44d87a0cb8b89917025a51d2f9552574d571c60

            Download Submit

          • C:\Windows\SysWOW64\rundll32mgrmgr.exe
            Filesize

            163KB

            MD5

            7cf26a4e8115573dd665737b56fd3ce8

            SHA1

            87664e454e80ab15289d1725a0c2dc38ea0667e0

            SHA256

            a2a2b71f3fc207aea6f2a1c76a81a59338afc5d07bc4495e308fa0517fbb41b1

            SHA512

            4d3e7f597968b2c8d7138ea5128e609f161547128b961d4d388043492f25700fff825b0af7b60cd55ac6bd736cfc40a09434b7daae23c4a83a678cf416bd7827

            Download Submit

          • memory/2768-0-0x0000000010000000-0x00000000100C4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/3064-11-0x0000000000401000-0x0000000000405000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3064-20-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-9-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

            Download

          • memory/3064-19-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-16-0x00000000006C0000-0x00000000006C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3064-15-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-14-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-13-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-18-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/3064-12-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

            Download

          • memory/3064-37-0x0000000000401000-0x0000000000405000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3064-17-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4256-52-0x00000000779D2000-0x00000000779D3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4256-68-0x00000000779D2000-0x00000000779D3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4256-54-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4256-74-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4256-51-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4256-64-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4256-43-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

            Download

          • memory/4256-66-0x0000000000070000-0x0000000000071000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4596-67-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4596-65-0x0000000000401000-0x0000000000402000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4596-45-0x0000000000401000-0x0000000000402000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4596-35-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

            Download

          • memory/4596-53-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4604-34-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4604-23-0x0000000000400000-0x000000000045F000-memory.dmp

            Filesize

            380KB

            Download

          • memory/4604-4-0x0000000000400000-0x000000000045F000-memory.dmp

            Filesize

            380KB

            Download

          • memory/4980-61-0x0000000001200000-0x0000000001201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4980-60-0x0000000001220000-0x0000000001221000-memory.dmp

            Filesize

            4KB

            Download