Overview

overview

10

Static

static

3

ed98e70e68...0N.dll

windows7-x64

10

ed98e70e68...0N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed98e70e680e907bb303b808fa727305d776c40d345aba70f662e987f4151a60N.dll

  • Size

    380KB

  • MD5

    d74393951add63f153307b310648bbe0

  • SHA1

    3dbe186de2b6c82bfdcd28a39b964ad723fdcc0c

  • SHA256

    ed98e70e680e907bb303b808fa727305d776c40d345aba70f662e987f4151a60

  • SHA512

    1719ec1dac670c568af05abec8da859942c8b2f9bd540b4ef38ff70ddad15dc1719f3c4772bc36956676efa905760800d3cb2d05debea1478da4628909873a22

  • SSDEEP

    6144:/4y8gOl2lWXFYTVNtfU3bnKWWJZfEJ8xln5+f:gy8gyQNe2J6Js58

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed98e70e680e907bb303b808fa727305d776c40d345aba70f662e987f4151a60N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed98e70e680e907bb303b808fa727305d776c40d345aba70f662e987f4151a60N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:3972
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:1792
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 204
                  7⤵
                  • Program crash
                  PID:2228
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2060
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1060
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3948
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4720
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:3816
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:3188
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:4872
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 204
                      8⤵
                      • Program crash
                      PID:4028
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:2260
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                      PID:4920
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  5⤵
                    PID:2016
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 204
                      6⤵
                      • Program crash
                      PID:3168
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:4412
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4412 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:2440
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:2172
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1888
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2016 -ip 2016
            1⤵
              PID:2080
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
              1⤵
                PID:1884
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4872 -ip 4872
                1⤵
                  PID:2296

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  73d8dd7eaa8896905e31f1960f51ece1

                  SHA1

                  164e031603e75d95091220c5ff0d695547f6d3ae

                  SHA256

                  9ff75ab638fe252bd0d04aea3f0ce38270ffc8df5db9399f9ea45aaef196dddc

                  SHA512

                  4879585482992d7ea3ee02775b74592b06daab32a63dc7700dd4da40c45a524f3bcfc2beff928a85563f09ad0438be5b3e458bc3d0cd08ad146d416fec014a04

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  680e6683a912ab032eccf51a4af0c654

                  SHA1

                  37e897434390384c4494bd8368e08939aeca58e2

                  SHA256

                  4bb233ab10f74116e811b268a5e6b26109f2b9a8c024b5860e06bcca17136ac0

                  SHA512

                  c07d6701a1d81ed454cfe3780b6075fe328e10b6d66b7f59a53dfee43790cc7beb3bd9b671361ac3793a32bcb943f5506b20bfe218ceed8a0f83ee38873a6a9b

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  151b71f2515daf0f0d79d6eda92b33cf

                  SHA1

                  c093f9ab2f1fe4c3ccc6cae767609679a991213a

                  SHA256

                  20faf358fd06b8694b367c6a744e685bbfa478b813a775eeebbdb1ee3629400c

                  SHA512

                  2725e3bbd2157a360272f881cb1ace85d8452dfd66fba092aea6b59a744d4f720578ecdd114588e085342e3fb4f484026626059d18dc48b1f2c54c24e7849b6c

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  79ba62fdb8e1fb311166fbd95458b858

                  SHA1

                  61e46b8d398ca5b2a5b2576d27fdad372c69fc69

                  SHA256

                  6feb8f8c40baf1e1e0c974b55cd40aef3c1940c982938d3fd51b7f1e400c1cc2

                  SHA512

                  29802314905da26610e16569de5bffc766dab8a754fcc9e65dc00d39c0aed56b7625c3889e9d27dcf921af6d208827284d5638d18aad9a95ea4bd9a158c7630f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02C7A054-C2EC-11EF-BEF1-CAFD856C81B1}.dat
                  Filesize

                  5KB

                  MD5

                  ebb23acb8037591a0864e6543edd5643

                  SHA1

                  48ede336ec7bd1ad46e824359116e229675f9a4d

                  SHA256

                  e7a3df69e2470cdc12f08cb48952c7342556c7f820bc367fa5b72d5ff8f1d302

                  SHA512

                  5386bd23c74b0395641e0d420b24fa93ce37bb22609902e5282dae015a53848376b3e03ae0e02e9da3a65742d961efab034a1894811614bccbe5b0d9a0f28b68

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02C7C764-C2EC-11EF-BEF1-CAFD856C81B1}.dat
                  Filesize

                  3KB

                  MD5

                  54b777e670b06b139f15828a6658224c

                  SHA1

                  737d4f694a12b31bfffe2c54e8e08c50cd3fad79

                  SHA256

                  bd9e748a82a5d753b473504ada72aab009d76990e437018c6d63d7875592bddc

                  SHA512

                  552c4f2c8afb3f7a61afc482bcec16b097539b36f07aa55e28ffcc2fd23ab4dca9c34078c59d9a49ada45b7756e883de35f3c56d201e34eedc53e1714e5401d6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02C7C764-C2EC-11EF-BEF1-CAFD856C81B1}.dat
                  Filesize

                  5KB

                  MD5

                  e3fc691de0e9e09e5726cbb3acad8077

                  SHA1

                  5f2026dc8690fd8c2b417d6a67c4b60dc1f38cf3

                  SHA256

                  69e8d6a06a34897634a6faba11b4d59fa413c3c3668637cacc82099be7fb7dfb

                  SHA512

                  143b997987cdbd0b62dad6ede873836e4bffd9b94c4c88f94643a597300c0ff25f1f21ba6be68c4c7a533afbe0a3728bf8be58c0d5d206f085f140f56d538f1a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02CA0295-C2EC-11EF-BEF1-CAFD856C81B1}.dat
                  Filesize

                  5KB

                  MD5

                  39ee61915fa4f48f8c2e6f0d5a57505a

                  SHA1

                  ab1c758312201409ea78607142d4687f3456c50e

                  SHA256

                  ce50d1636223881aadac54b9065a8af7c335a9901cb9da9413f2c3094ed9b50f

                  SHA512

                  67555fa57f39eca054d4a8de56a710035253a2ccaab5e75a88fedd3728c1825eeb78d6eb6e2e9c5be8e251dee0c6eb843707b4e509cc405ba27220985b030317

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFE07.tmp
                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US
                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  288KB

                  MD5

                  cfe059b10b1bc8f06bb9c6138d483841

                  SHA1

                  249c77b3fd7e8ccf8e28265d26b398afa2c35da8

                  SHA256

                  8b8112544efbab0d457590a04fe11069073d29f7b912e7c163cb7ab4c215570f

                  SHA512

                  f7fc030eb5650cee2ecdd23e4874b51ce76aebda0d639f7ac7d0c4554f51c81998b935b68a57802c154b6a7d76966ec0c6b59e40654e4ac237f7dc6da88d1d46

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  143KB

                  MD5

                  963056968f712dce49fed780756eafa3

                  SHA1

                  1f833526e877d34bda4b7aad52be1b52f25c9bf2

                  SHA256

                  be71c16ee9e9ea295cf6f266ddf343c4589843e4288a09f60f9e15923d8f8313

                  SHA512

                  8ff2bd3c17e6a8730940dcc45faa600c5429a1e5e812821350d8c6448ddcc1526f5246608b5a56592276b15a821a78440adf05652c7dfb2b0016707dce9c958e

                  Download Submit

                • memory/648-27-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/648-9-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/1792-80-0x0000000000870000-0x0000000000871000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1792-79-0x0000000000890000-0x0000000000891000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1992-0-0x0000000010000000-0x0000000010060000-memory.dmp

                  Filesize

                  384KB

                  Download

                • memory/3188-78-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3188-86-0x0000000000060000-0x0000000000061000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3188-98-0x00000000774A2000-0x00000000774A3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3188-97-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3188-85-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3188-92-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3816-69-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3816-59-0x0000000000400000-0x000000000042F000-memory.dmp

                  Filesize

                  188KB

                  Download

                • memory/3972-87-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3972-89-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3972-44-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/3972-68-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3972-67-0x0000000000430000-0x0000000000431000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4424-21-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-15-0x00000000008E0000-0x00000000008E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4424-23-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-6-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4424-24-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-10-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-12-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4424-14-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4720-42-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4720-60-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4720-100-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4720-81-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4720-82-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4720-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4720-37-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4720-77-0x0000000000400000-0x0000000000454000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/4720-61-0x00000000774A2000-0x00000000774A3000-memory.dmp

                  Filesize

                  4KB

                  Download