Analysis

  • max time kernel
    91s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2024 23:03

General

  • Target

    ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll

  • Size

    2.4MB

  • MD5

    ddb05b30f69ee2ff53771593bdc89540

  • SHA1

    3dbbd00f62b85ff26a3e18d680b6687e195858c2

  • SHA256

    ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14

  • SHA512

    f5198a920d891ccdca4383a5b76b107ec7a304c54421add960f35d35b05063342a5476e56e5d4016433212827a21142fd3b6b1b8ad13f7f21ef0d33c7198bd72

  • SSDEEP

    49152:xU3U+ZYmxjpv7x4GFM/+b8dTMNh9Wr73h7NXSWEqNJO5hYTVMCRisKEbzc:xiU2YmxjpDx4Zo8dYNh9q73h7NXYkRil

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 10 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location (MITRE ATT&CK T1614.001).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4994d8a0dbdbc32bf29555473890fd6d535df4e88f8da49182e9ed3eb2cf14N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4212
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:564
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:1156
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                    PID:4908
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 204
                      9⤵
                      • Program crash
                      PID:3848
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                    • Modifies Internet Explorer settings
                    PID:2608
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                    • Modifies Internet Explorer settings
                    PID:4684
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                6⤵
                  PID:4924
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 204
                    7⤵
                    • Program crash
                    PID:660
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3328
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3328 CREDAT:17410 /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3288
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4240
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4240 CREDAT:17410 /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3968
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1556
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                5⤵
                  PID:2636
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 204
                    6⤵
                    • Program crash
                    PID:2876
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2612
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:2740
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:3964
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3964 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3680
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 624
              3⤵
              • Program crash
              PID:3360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4780 -ip 4780
          1⤵
            PID:3936
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4924 -ip 4924
            1⤵
              PID:4932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2636 -ip 2636
              1⤵
                PID:5060
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4908 -ip 4908
                1⤵
                  PID:1424
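The tree above is what a detection engineer generalises into rules: a system-binary look-alike spawned from SysWOW64, svchost.exe started by something other than services.exe, Internet Explorer launched by a non-shell parent, and an executable sitting directly in Program Files (x86)\Microsoft. The following is an added example, not part of the report or the sandbox's own signature logic. Its events are reconstructed from the tree's PIDs and image paths plus two benign control rows; the parent PIDs 1000, 700 and 1100 are placeholders for processes outside the captured data.

```python
"""Detection logic for the execution chain shown in the process tree above,
run over constructed Sysmon-style process-creation events.  Added example,
not part of the report: the events below are reconstructed from the tree
(PIDs and image paths) plus two benign controls, not real telemetry."""
from __future__ import annotations
from pathlib import PureWindowsPath

# (pid, ppid, image).  Constructed from the report's tree; ppid 1000/700/1100
# are placeholder parents outside the captured data.
EVENTS = [
    (3712, 1000, r"C:\Windows\system32\rundll32.exe"),
    (4780, 3712, r"C:\Windows\SysWOW64\rundll32.exe"),
    (1392, 4780, r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    (2396, 1392, r"C:\Windows\SysWOW64\rundll32mgrmgr.exe"),
    (4212, 2396, r"C:\Program Files (x86)\Microsoft\WaterMark.exe"),
    (564, 4212, r"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"),
    (1156, 564, r"C:\Program Files (x86)\Microsoft\WaterMark.exe"),
    (4908, 1156, r"C:\Windows\SysWOW64\svchost.exe"),
    (2608, 1156, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (3328, 4212, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (3288, 3328, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    # benign controls: svchost under services.exe, IE launched from the shell
    (900, 700, r"C:\Windows\System32\services.exe"),
    (1200, 900, r"C:\Windows\System32\svchost.exe"),
    (1300, 1100, r"C:\Windows\explorer.exe"),
    (1400, 1300, r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

DROP_DIR = r"c:\program files (x86)\microsoft"   # WaterMark.exe lives directly here


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return (rule, pid, image) findings.  Each rule is one observation from
    the tree generalised into a parent/child or path condition."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    findings = []
    for pid, ppid, image in events:
        name = basename(image)
        parent = by_pid.get(ppid)
        pname = basename(parent[1]) if parent else None
        # rundll32mgr.exe / rundll32mgrmgr.exe: look-alikes of a system binary
        if name.startswith("rundll32") and name != "rundll32.exe":
            findings.append(("rundll32_lookalike", pid, image))
        # svchost.exe is normally a child of services.exe; anything else is an
        # injection/hollowing candidate (cf. WriteProcessMemory + UnmapMainImage above)
        if name == "svchost.exe" and pname != "services.exe":
            findings.append(("svchost_unexpected_parent", pid, image))
        # IE launched by something other than the shell or another IE process;
        # the SCODEF/CREDAT tab processes have iexplore.exe as parent and pass
        if name == "iexplore.exe" and pname not in ("explorer.exe", "iexplore.exe"):
            findings.append(("iexplore_unexpected_parent", pid, image))
        # executable placed directly in Program Files (x86)\Microsoft; legitimate
        # Microsoft products use subfolders (e.g. Microsoft\Edge\...), tune per estate
        if str(PureWindowsPath(image).parent).lower() == DROP_DIR:
            findings.append(("exe_in_program_files_microsoft_root", pid, image))
    return findings


def ancestry(events, pid: int) -> list[str]:
    """Image basenames from pid up to the root of the captured tree, for triage."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(basename(image))
        pid = ppid
    return chain


if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule:40} pid={pid:<5} {image}")
    print(" <- ".join(ancestry(EVENTS, 4908)))
```

The svchost rule is the one worth deploying first: the report shows svchost.exe launched from WaterMark.exe and crashing into WerFault, which is what a failed or partial hollowing of a freshly spawned host process looks like, and services.exe is the only legitimate parent for svchost.exe on a default Windows 10 install.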

                Network

                MITRE ATT&CK Enterprise v15


                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  471B

                  MD5

                  e5e877bcc2542ab8629d8f34bafcd7f4

                  SHA1

                  8f618efa1584268e9eafd2b01c2a2ac006113c01

                  SHA256

                  5e63bcec102963b96b1f7d08ec512431a0ba748f90134dc51a05046296541e9e

                  SHA512

                  79153f941ae2cc4a5649ac729f03dd3f98df24d5084e36d14467b2a859e6d63fc4167feac24e7b519a9e179fb243447fe6d09519169b11e3151d5cc467e4c9d4

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  404B

                  MD5

                  b9d24c5824099a392534f34934c71ad4

                  SHA1

                  2ee8eceba2ca9eb553512b4184c82a4f63d6e5b0

                  SHA256

                  4d95b518039e1089571aa1732692d1c5c83b7e80641321cd31a63d1dc0b9662f

                  SHA512

                  2ea0f91b4379b8f6147772e61d6daf298b821a4abdad35e767ae0692ff95146c5c2f940c4824458d2376e986db31028a76abeb688adea3f6ff5ecea1f14fedc9

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                  Filesize

                  404B

                  MD5

                  cd8046f2fc2c54106b1c21dbda37d3d9

                  SHA1

                  9330dabdc1c206f6f43e3a8ab595884735d76b22

                  SHA256

                  76b1d16be8eead08bb57543e0df2675bcb993afdd97e1ec2aac185202f0258ee

                  SHA512

                  acc82825889591b5cb35a12ce63e6128fa946730b55c8601841ee37b61defd04eaa32a5a2b417c8c7e26b79c9c3f91d7f5d699f67218917939bb6f4483ddd15f

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{570B1757-C702-11EF-ADF2-CAFD856C81B1}.dat

                  Filesize

                  5KB

                  MD5

                  2a61eb84185df1d6819ebb19f0bba6d0

                  SHA1

                  7d6bb57ddf31fd0ec3787eeddc2be092c80cee12

                  SHA256

                  ab6762ca2e4bdf445d257734366f423c2e24795f70be9de542c0c9d73e95f9e3

                  SHA512

                  e4f2cb6e69c6906cd4181400fb4f955602d2bba516155fe19d1b7e15718fe883b19ab3eeeb87f904203719a00e8ce53863e30be54d9b2cb1fc20225cc96cad36

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{570B3E67-C702-11EF-ADF2-CAFD856C81B1}.dat

                  Filesize

                  3KB

                  MD5

                  173785a8ff9671e4c51c408577bdcd2e

                  SHA1

                  e59afcfcc7849542bd1a64524083205b3f47d165

                  SHA256

                  a423770035927a63eaf325102516d5a288c1c82891f89e65c65db4aeae2f2d72

                  SHA512

                  b893e50aef4430e31e1d06e8f3bad279375d2fffa58806ac319f5561ee5073581786968ba5d65cf384240f11fc0b922ba89aadffb11663e9e2473f5f1b361034

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{570B3E67-C702-11EF-ADF2-CAFD856C81B1}.dat

                  Filesize

                  5KB

                  MD5

                  99ee082ec8590388ab36d62df2112f1e

                  SHA1

                  6296752c7540a05645d2c20b5ad92da7afa0d1df

                  SHA256

                  a16f273bcc5a8df4bc82b30622e8fade585bfc00d9654af81f6bc568c2cd7fe2

                  SHA512

                  1da8679b352529acb607d43179c774ea0698407ed34a6eb0758cf40facc280316670dc93ad5758f500b628fa42b80f1f26834263449e560e56d15a8871acffc4

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{570D7A0F-C702-11EF-ADF2-CAFD856C81B1}.dat

                  Filesize

                  3KB

                  MD5

                  985d32e1b185cb3b62d72b523a837c7c

                  SHA1

                  c9bacf82a4b7baf54cc6718c9ad9406bd4b6893a

                  SHA256

                  48e934bf0f76de35dd6232c099a85028e714f0cc83df6d04672e1acb03a285dd

                  SHA512

                  f3a9c6298b07dcdc3dc324b7e73cc3dee39abf3972f514b782c6a6607aa494f83906a6ccfd8c47931438454edde62679f7a6c94ad6fc3b1fe0e7db84c76d5c3b

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3321.tmp

                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                • C:\Windows\SysWOW64\rundll32mgr.exe

                  Filesize

                  233KB

                  MD5

                  7816267b885055210f56ea4fa2b6df2a

                  SHA1

                  9dffc3317e685cc65f3d458799ca7c36e4966a09

                  SHA256

                  bcd868b32cb2e9954cbca19e2348653fa9cd5ad52b933c9a871dca6341733311

                  SHA512

                  14c9d98ef827a5df6d99f4678d392da634a7200997b775f713d6f418f32ce2ae01197a6ef9003b6a52e11a539e32402edd9a9129a330523ae4b8d78f423050dc

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe

                  Filesize

                  115KB

                  MD5

                  42772a782bb1c6444f6e4d4b5c51bed9

                  SHA1

                  57663c9f055ffc52d46b4dd2a91ffa8c191be33b

                  SHA256

                  aac7bc007ae051fb71fb735ad4e92a6be8ec48ade1a3bf3b40746949a4dfd125

                  SHA512

                  cb7cd3b5f18f1834b6eccf5be5858614b154ae8d146aa746dddc74bea14c7daf4a7833d3a9ed4f0d32c9821d85901f74a367a830d3b7f0bf379fa1fdd5fae6cf

                • memory/564-67-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/564-62-0x0000000000400000-0x0000000000438000-memory.dmp

                  Filesize

                  224KB

                • memory/1156-94-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1156-76-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1392-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-8-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1392-18-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-24-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-17-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-16-0x00000000001B0000-0x00000000001B1000-memory.dmp

                  Filesize

                  4KB

                • memory/1392-12-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-49-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1392-10-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1392-15-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1556-86-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1556-43-0x0000000000404000-0x0000000000406000-memory.dmp

                  Filesize

                  8KB

                • memory/1556-69-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/1556-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

                  Filesize

                  4KB

                • memory/1556-46-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/1556-88-0x0000000000404000-0x0000000000406000-memory.dmp

                  Filesize

                  8KB

                • memory/1556-89-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/2396-61-0x0000000000400000-0x0000000000438000-memory.dmp

                  Filesize

                  224KB

                • memory/2396-30-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/2396-14-0x0000000000400000-0x0000000000438000-memory.dmp

                  Filesize

                  224KB

                • memory/4212-87-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/4212-42-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/4212-59-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/4212-60-0x0000000000060000-0x0000000000061000-memory.dmp

                  Filesize

                  4KB

                • memory/4212-85-0x0000000000400000-0x0000000000456000-memory.dmp

                  Filesize

                  344KB

                • memory/4212-83-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/4212-95-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/4212-81-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                • memory/4780-80-0x0000000008000000-0x0000000008276000-memory.dmp

                  Filesize

                  2.5MB

                • memory/4780-1-0x0000000008000000-0x0000000008276000-memory.dmp

                  Filesize

                  2.5MB