Analysis

  • max time kernel
    95s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 11:21

General

  • Target

    8dd904cf25ac653ca5701891a12739f45f971c67a54eded95f753d3f4c0b55d0N.dll

  • Size

    562KB

  • MD5

    a6e7bf5821b0325bb948946bfe940fc0

  • SHA1

    3bbe2787cdf0c09d2c84ef2fb10b3a93cad3979b

  • SHA256

    8dd904cf25ac653ca5701891a12739f45f971c67a54eded95f753d3f4c0b55d0

  • SHA512

    fdcfedabb8ce986037e74328de184223ba9900cf184a20710f873fc2e434b56b765e51fd21f53447c143c8b7bc6a80b91af9dff271fc5dc71af907e5d9ee49ea

  • SSDEEP

    12288:Uh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMN1Zks:U8F+Pzr/Hfp4MIYwZckMQmXks

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd904cf25ac653ca5701891a12739f45f971c67a54eded95f753d3f4c0b55d0N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd904cf25ac653ca5701891a12739f45f971c67a54eded95f753d3f4c0b55d0N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2552
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 208
                6⤵
                • Program crash
                PID:1340
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3420
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3420 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4864
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:952
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:5044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2552 -ip 2552
      1⤵
        PID:3600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        36ed732b90a27bd5f4716645a456ad34

        SHA1

        93caaf2e2b76b96142e3a9865eb12aa6aab4296e

        SHA256

        a41bae0a57d70f030a24668e1e68cfec75c27ed94105d8ae895025edfef3132e

        SHA512

        460f8f4e5bc5f445c7f175699c80e86e2f4c1822a4e7c3ecb07de224db0c7428f74058fa3e164b3fde0777af2818da0e9e831b869e8bd7b1ffb3b4abc794fbd2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        de1e686d5f4a7332e3f8bf4a6bde1352

        SHA1

        0cd0a1bf6addd38111a1448299f4b13822253772

        SHA256

        d4d0f3fec8c983564638285b18dc20c4cb1fdb7b185c8cc2c7e939c47508fe85

        SHA512

        c3d5f5f43c4838fe51b5692de8bb5155955d2b2d1195071126dae371dc9f26cc9fc4ff9d2f31086270d1dccf53ad9d88aa1b6bf0b91bfdf8775f950c05848e43

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        f75869201708523daa96c7a7316f7aef

        SHA1

        bab09975d1aa854c58b13882bf008bec9345b82e

        SHA256

        656e1eb1156bfbcfb7e290d397c017a6d69ee26300fc950e86176e610618f256

        SHA512

        f81b5b3b49fbfb0621fe5ddb8030391e73d6def944d0afce476fd0d22a7fa763619f3cf7c199db8d7b0689afd1bc043fb8b18bca678435bd76d1df06d7bb8507

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC41823F-C056-11EF-B9B6-CAF61997B0B0}.dat

        Filesize

        5KB

        MD5

        c3856eec726cc09d81174e4992bd73cc

        SHA1

        252a4dc10b2d8392c4866d4f3cde3e60025693ad

        SHA256

        67eea12356018e8f2a1f47bc02a27c7b1466a6bc37e0defdea30cac8dfce838d

        SHA512

        8aeb3b4f271c07db25a10ca3676715e4c8f23bdc9bc11537b6dd8ac2d086aa8bedb91be477ea9e24842c85cfd76488f66e577558b92ca958e2ae4946a95cae43

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC43E52E-C056-11EF-B9B6-CAF61997B0B0}.dat

        Filesize

        3KB

        MD5

        eacf92061280ea0049f294a89d7ff4a9

        SHA1

        88104751c8886f3492f5bf3e253a2932c12aa3df

        SHA256

        7052c2f4352cbeae02cf8758b0f5b886f356cc9f70ec4fd8ad5ce65a13a92144

        SHA512

        1f204eb25ca26aac12d17c3cddf67963a824f2af14f9cb49d01776e4133611621c1502e15746719cb03962e65d4abfb0e4c38c1a01af3b273aad387752c1ea98

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        127KB

        MD5

        401b6a71129fa203f1bf4d5ade823209

        SHA1

        5ac71804a83b9acd4698a947eca02d1b1fbcdb93

        SHA256

        872552670d9eedc68c82906db27d877b552a111438c9ab4839f80444c3baaea2

        SHA512

        24706afbc25df0e42a76adc7a7c114c5f43a41682fb48a279559016323358d31ebb3349bd5d13e877659110b88a29d79f075c220e8fbb9ab9be2bdd548a56e50

      • memory/1956-34-0x0000000020010000-0x0000000020022000-memory.dmp

        Filesize

        72KB

      • memory/1956-41-0x00000000774E2000-0x00000000774E3000-memory.dmp

        Filesize

        4KB

      • memory/1956-22-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

      • memory/1956-45-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1956-23-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

      • memory/1956-33-0x00000000774E2000-0x00000000774E3000-memory.dmp

        Filesize

        4KB

      • memory/1956-32-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

      • memory/1956-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1956-44-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1956-37-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/1956-38-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

      • memory/1956-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1956-39-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

      • memory/2552-36-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

      • memory/2552-35-0x0000000000400000-0x0000000000401000-memory.dmp

        Filesize

        4KB

      • memory/4244-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-10-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

      • memory/4244-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4244-4-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

      • memory/4580-0-0x0000000010000000-0x0000000010092000-memory.dmp

        Filesize

        584KB