Overview

overview

10

Static

static

3

325d5916ac...37.dll

windows7-x64

7

325d5916ac...37.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll

  • Size

    2.0MB

  • MD5

    35db4ac4dcd4ffeb07d06c740d086511

  • SHA1

    70f57f77d181df85f0f801a643e7ac75c73d0b95

  • SHA256

    325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37

  • SHA512

    fb7b9aa116221b67db4f99459153e1c4d3df7ddf29756291e890da2db9cdda2942d8965fda50bb1cf86526ab73a00f6996ce356b0a0e16f7f192a8fdc3ecc73b

  • SSDEEP

    24576:L7IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQj2k70gBZzoU:/IY5RMHMf810Knor5zqo3zNJuQj7jMU

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1652
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:4960
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 212
                  7⤵
                  • Program crash
                  PID:4836
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                PID:2144
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                PID:2604
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1484
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:4732
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 208
                  6⤵
                  • Program crash
                  PID:3676
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:684
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4456
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:17410 /prefetch:2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:316
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 652
            3⤵
            • Program crash
            PID:1636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5044 -ip 5044
        1⤵
          PID:2100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4732 -ip 4732
          1⤵
            PID:4532
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4960 -ip 4960
            1⤵
              PID:3836

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              4eaf9b3a48166fb8e172b3a7f24579ff

              SHA1

              0f45af7ebcfc4e2a6fb9c6eded199411ef8de0ae

              SHA256

              6df30e165ee411a067f02df7637526554b5f4d69dc970f0d67d2ad5b78974d1b

              SHA512

              883f4c7db6a115cbe2c2618d882bb3731b60c5c8012f851beb73985703244e17b9e401c987fcfcd5fbc1f8c187a106ccc438004cdc2f0d0e0d745f9db0d2d338

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              404B

              MD5

              ce1f542b2cb70049ad511adb40649b50

              SHA1

              115665c06740b0288b83d8f188f377318929b999

              SHA256

              99a43d7f3ffee0338166640bb9f7f8a91075eb46259acdc2a6665d970873a3e9

              SHA512

              571eed15ea3c1151fa1bcf1b0e266ce87362f50fc66bd96e85eced19a9925dc059bd9733827b838adea2d228cc586adfb4b573965821a58661387045bcf1b382

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              404B

              MD5

              af57eed34b8d82d9ae903abcbd150cc5

              SHA1

              f99a5ac38e1eac196a91f73da77359bac5c1502f

              SHA256

              112d94c58d0cbf4a7b382802621d60d70da7b15464a9a31e788943150bb4b50c

              SHA512

              1505596fdf590d38cf032e2c5d87b5924ff7ab8c6867cbeb315fa866222b728a3c68de803312afc362b11e669fd36b4543688621332d9aa72027f3471843513a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{03EB05A1-BFF8-11EF-BDBF-622000771059}.dat
              Filesize

              5KB

              MD5

              3ab90a63dd054474afd634cf1bd20481

              SHA1

              7edc688a4846bab813fe5a166d79b63607bfc388

              SHA256

              07567ee54a97c5b2585f85871ff147af13ab407ce83a1a5f7e93038d0586ccf6

              SHA512

              d5a35999a1a943609806406c32b548b406559cfb5bf8a6ad6d310b00e3cdca3d5341929219da095716751bc5d53aea4e9fe32efdff4934bb7fc19bc9bc2ba7c8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{03ED6777-BFF8-11EF-BDBF-622000771059}.dat
              Filesize

              4KB

              MD5

              716465affdea4e3a1bbfeb1ed7f04180

              SHA1

              018bbe32fe323862b259268b62d4d8dd7ef271c5

              SHA256

              ba60578b1e8151066c585f7eeb5ecd93d712d8c679acce2e6b8b24aa7d40c198

              SHA512

              6783569242d45a0045457c86f83c811a5c53e9f5e5a71613be2a70678d075277d697c75e89dcb7ee783659dcb937b5285e50a8b0023358eb6995369e3770979e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7B65.tmp
              Filesize

              15KB

              MD5

              1a545d0052b581fbb2ab4c52133846bc

              SHA1

              62f3266a9b9925cd6d98658b92adec673cbe3dd3

              SHA256

              557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

              SHA512

              bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

              Download Submit

            • C:\Windows\SysWOW64\rundll32mgr.exe
              Filesize

              249KB

              MD5

              137e9937fd71061c0e4a06812b009177

              SHA1

              73770a377c2f24584c9fe9084a5c4364a54ddbf8

              SHA256

              b6301b1793aca7b2fa9a589880f4e9454647d9d16b8edcac39b319349ae87d86

              SHA512

              13b1fcd197b9147ab7385f29eca585a50a4da12152ad89129712a653336eeb133c3ddb9e0db6cb233e45d96bcfea5ed65b1193114746acc2d92820e682df414c

              Download Submit

            • C:\Windows\SysWOW64\rundll32mgrmgr.exe
              Filesize

              123KB

              MD5

              9f2ac7383413965045aa13a4705a8d99

              SHA1

              7add11d19bea49fcbb6cdf315d71477a11998e8d

              SHA256

              0cf6926cc791b40eede351eef639396100282ea612fcb42bda9c8096e069908b

              SHA512

              e90cc32e2bda5446000ddd816ef47f683804a4042fce1ce5bb5e58c37ece4498736eda9126f4c992dd6c6eba3936e392d1250c1c5dcd6cafa80eb9ee5ad0d377

              Download Submit

            • memory/1484-74-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1484-52-0x0000000077E42000-0x0000000077E43000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1484-65-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1484-51-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1484-50-0x0000000000900000-0x0000000000901000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1484-34-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1484-63-0x0000000000070000-0x0000000000071000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1484-70-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1484-73-0x0000000077E42000-0x0000000077E43000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1484-68-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1556-15-0x00000000008C0000-0x00000000008C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1556-12-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1556-11-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1556-10-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1556-14-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1556-4-0x0000000000400000-0x000000000044F000-memory.dmp

              Filesize

              316KB

              Download

            • memory/1556-35-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1652-58-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1652-56-0x0000000000060000-0x0000000000061000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1652-67-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1652-55-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1652-69-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/1652-72-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/3784-13-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/3784-23-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/3784-20-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/3784-28-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/3784-24-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/4732-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4732-60-0x0000000000410000-0x0000000000411000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5044-62-0x0000000010000000-0x0000000010389000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/5044-1-0x0000000010000000-0x0000000010389000-memory.dmp

              Filesize

              3.5MB

              Download