Overview

overview

10

Static

static

3

325d5916ac...37.dll

windows7-x64

7

325d5916ac...37.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll

  • Size

    2.0MB

  • MD5

    35db4ac4dcd4ffeb07d06c740d086511

  • SHA1

    70f57f77d181df85f0f801a643e7ac75c73d0b95

  • SHA256

    325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37

  • SHA512

    fb7b9aa116221b67db4f99459153e1c4d3df7ddf29756291e890da2db9cdda2942d8965fda50bb1cf86526ab73a00f6996ce356b0a0e16f7f192a8fdc3ecc73b

  • SSDEEP

    24576:L7IY7a9IRCRqRPkHQo411810cNScGKJydXTZDwmzRMo3DP7x5nbiQj2k70gBZzoU:/IY5RMHMf810Knor5zqo3zNJuQj7jMU

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 10 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\325d5916ac8acdac5be76a2e536a4f8a668f0e751bf077ccb1b19d05914cdb37.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:3104
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 204
                  7⤵
                  • Program crash
                  PID:3576
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2836
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2404
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:1980
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4624
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4956
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1444
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:2284
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 204
                      8⤵
                      • Program crash
                      PID:3840
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:4612
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:2472
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                5⤵
                  PID:3848
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 204
                    6⤵
                    • Program crash
                    PID:960
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:184
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:884
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2412
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:2932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 640
              3⤵
              • Program crash
              PID:5064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1204 -ip 1204
          1⤵
            PID:3192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3848 -ip 3848
            1⤵
              PID:4928
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3104 -ip 3104
              1⤵
                PID:1416
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2284 -ip 2284
                1⤵
                  PID:1056

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  4eaf9b3a48166fb8e172b3a7f24579ff

                  SHA1

                  0f45af7ebcfc4e2a6fb9c6eded199411ef8de0ae

                  SHA256

                  6df30e165ee411a067f02df7637526554b5f4d69dc970f0d67d2ad5b78974d1b

                  SHA512

                  883f4c7db6a115cbe2c2618d882bb3731b60c5c8012f851beb73985703244e17b9e401c987fcfcd5fbc1f8c187a106ccc438004cdc2f0d0e0d745f9db0d2d338

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  831b61ed322bd190f8ab266ed48512ab

                  SHA1

                  16bd6a50b8281dfb885d6659bc480a9251b0b023

                  SHA256

                  ef2323c9780030b73dbf6990000d679f961d0b1fcca74ecd3b5747cb14bec469

                  SHA512

                  352f5bde870187795f0a1102714ac79d31f36702cc0de899cd1a24871790abd56b734ef5e42fd97fcd6bc5f5b8bacab41ba24bf1d5c4ff9e41da4f1f9548b5d5

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  496830242ffa07649e5b7dc47135a00c

                  SHA1

                  da599fa842220d23f1e6fd09f3f3db50833b8fe3

                  SHA256

                  47864d3dda7ac3547fda64a4314c2b904708da35280c3e5e102ae09ff74d8cee

                  SHA512

                  feb5f356e111e9f974c6de02478db6f4b1f4a20ceaad672919f2b4284a42663d74b4329605b685b6fa833466609768cc68ec891ca7661272e2d7193659f461cf

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  ca8f7e274eaf042254495febd15a2781

                  SHA1

                  7cb20ac6fa9f1e1e6b2fe03ea8e0a6d838fb17b8

                  SHA256

                  3314ecb857b2fadb4f0fdbe1b0038d5b10c90c7b6450f94206f292b41aa757cc

                  SHA512

                  3d5cde39003f08b4bf3da2ee1b8644eeb7684f3d1b354a5e4652ad45c4d3b348b1191bca67011bdb34d636b134519db59663a30589306af480f8337cb2df7eb1

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  076eecd69d249c30886294e5d06d0fb5

                  SHA1

                  d9fb4dcd4908e7023ddf33a71b81384c7071ecbd

                  SHA256

                  1ed9e8540a15501c6c6be5942bbbd41dd56df2d663c550480bd6f8ef79d659f2

                  SHA512

                  d4a27e30d7e1e561663cf40438de879792cb047e8b2620b12bbcd9e87c5482deb392c289d7d55a6b22056f381fd80a3f2e873ca3362755acba202988b362f3e8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3823806-BFF8-11EF-AEE2-FA89EA07D49F}.dat
                  Filesize

                  3KB

                  MD5

                  5d3bd616e955c08f8bf1ac7982dc7266

                  SHA1

                  3261f87359ed7db76fde4a6b68957e3166ae2456

                  SHA256

                  4f79f3ec720c0d78e4c57fcdc4942c86c4bbf78e7f518f76db9d4954b2be87aa

                  SHA512

                  73ac77ef122c0c9b262a67fb6aef288426c1d9687969af120d5989d20b037950dec20bc0c342d360f8b76d842fc1284e8ed46c834f30e3e2b2354fa4d0e0798a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A386FCFB-BFF8-11EF-AEE2-FA89EA07D49F}.dat
                  Filesize

                  5KB

                  MD5

                  8808bef69746de6a6cf8d466d0b63301

                  SHA1

                  c15d61a37611eaa63fe56ab088c80db7cc9a9ed7

                  SHA256

                  56c18b9837ea8201e0c94ed2404e2d1833d3ea9df5c329e3d92642f548f11319

                  SHA512

                  f16581d05f594019ac8ef33b63972a51805bd1b3f6e82bbc73b4cc23dfe0d4f73c6dd00f6af7fb9353252e2ee9c9dc12baedf260233b4400db7de45259ecd7c2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A387240B-BFF8-11EF-AEE2-FA89EA07D49F}.dat
                  Filesize

                  3KB

                  MD5

                  5033a2d13c9f10566dcae925fda4cd9c

                  SHA1

                  41ea3fb520a02cc48e5a83e6d727198d08bfc085

                  SHA256

                  aefbd4838df018494200241040bb62e03a29ba7ab4d404eedecc5106a84b68d0

                  SHA512

                  658ee5b23a6b760114fffd9df4e6b0d84d94f3269414ca17e4ae776d3794661645f83007483d984a52e9d0fb57f8f98a2be5a4e9d70a28519cad06864c82ea10

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A387240B-BFF8-11EF-AEE2-FA89EA07D49F}.dat
                  Filesize

                  5KB

                  MD5

                  93578a2655143b5cd857758a2582b443

                  SHA1

                  fee73082892630f8e2d838b0fa2d22cd6e79ee22

                  SHA256

                  5c625e152eca6c5ac43a71a2322ad07cc74718c3f87cf1e77760ebf8b799dee8

                  SHA512

                  add6dfc179ad6c3d9b5248a5eca7d8d4ced473db7807a2144fdde6d9ae88a07efda379448805bdf1455dbc8377f054503322cf5b6b680ce88d3812a264eab14a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US
                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  249KB

                  MD5

                  137e9937fd71061c0e4a06812b009177

                  SHA1

                  73770a377c2f24584c9fe9084a5c4364a54ddbf8

                  SHA256

                  b6301b1793aca7b2fa9a589880f4e9454647d9d16b8edcac39b319349ae87d86

                  SHA512

                  13b1fcd197b9147ab7385f29eca585a50a4da12152ad89129712a653336eeb133c3ddb9e0db6cb233e45d96bcfea5ed65b1193114746acc2d92820e682df414c

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  123KB

                  MD5

                  9f2ac7383413965045aa13a4705a8d99

                  SHA1

                  7add11d19bea49fcbb6cdf315d71477a11998e8d

                  SHA256

                  0cf6926cc791b40eede351eef639396100282ea612fcb42bda9c8096e069908b

                  SHA512

                  e90cc32e2bda5446000ddd816ef47f683804a4042fce1ce5bb5e58c37ece4498736eda9126f4c992dd6c6eba3936e392d1250c1c5dcd6cafa80eb9ee5ad0d377

                  Download Submit

                • memory/1204-77-0x0000000010000000-0x0000000010389000-memory.dmp

                  Filesize

                  3.5MB

                  Download

                • memory/1204-2-0x0000000010000000-0x0000000010389000-memory.dmp

                  Filesize

                  3.5MB

                  Download

                • memory/1444-68-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1444-55-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1812-36-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1812-14-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/2128-27-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-10-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-21-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-12-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-15-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-16-0x00000000008C0000-0x00000000008C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2128-22-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2128-4-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/2348-89-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/2348-73-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/4956-53-0x00000000772D2000-0x00000000772D3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4956-88-0x00000000772D2000-0x00000000772D3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4956-90-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4956-86-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4956-81-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/4956-78-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4956-45-0x0000000000060000-0x0000000000061000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4956-52-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4956-42-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/4984-87-0x0000000000400000-0x000000000044F000-memory.dmp

                  Filesize

                  316KB

                  Download

                • memory/4984-65-0x0000000000430000-0x0000000000431000-memory.dmp

                  Filesize

                  4KB

                  Download