Overview

overview

10

Static

static

3

cd349c7333...e5.dll

windows7-x64

3

cd349c7333...e5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd349c73339e052c6c4a22d0cb6349ce6d06ab4e25ae2f72691f07fedb9face5.dll

  • Size

    387KB

  • MD5

    8f0a38ad4bdc060fd1da2592ce6a928a

  • SHA1

    1582ffcc46e888eff6e23c5ef02a989b882beaff

  • SHA256

    cd349c73339e052c6c4a22d0cb6349ce6d06ab4e25ae2f72691f07fedb9face5

  • SHA512

    265031ef2b4935fe6f343e273364e5af89ccb981093f9b4339471f7f09b82d52b654c5810cbc27fb36f6af27be1ac6f39a47a22002dd8255cae886a37bf90f1f

  • SSDEEP

    6144:zMJOWK4l0wqOVq1gJTKeknYuASD7xJqinjExW:z2OWK4llSnbxAinQs

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd349c73339e052c6c4a22d0cb6349ce6d06ab4e25ae2f72691f07fedb9face5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd349c73339e052c6c4a22d0cb6349ce6d06ab4e25ae2f72691f07fedb9face5.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:8
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2956
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 204
                6⤵
                • Program crash
                PID:1216
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3440
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1304
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1496
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:5032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2956 -ip 2956
      1⤵
        PID:976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        e5e877bcc2542ab8629d8f34bafcd7f4

        SHA1

        8f618efa1584268e9eafd2b01c2a2ac006113c01

        SHA256

        5e63bcec102963b96b1f7d08ec512431a0ba748f90134dc51a05046296541e9e

        SHA512

        79153f941ae2cc4a5649ac729f03dd3f98df24d5084e36d14467b2a859e6d63fc4167feac24e7b519a9e179fb243447fe6d09519169b11e3151d5cc467e4c9d4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        fc9bc0a0eb6c994b643fc80a7a498926

        SHA1

        3f24a01771577e47430dd1c6806fd4f0677ded29

        SHA256

        672b7c4d88f7f9831fac6f3fae61bb14211f5ba73b1dea9fff70c0499f24c2a7

        SHA512

        b4189d0732f4f2640f51a6475427f2c550ff85edbbefc7e4988e16c18b4354d43fcffeefdaa7b63773468510009038d01d57eb8eb365104961f45b58cc1c25b7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ACD0575D-C6C2-11EF-B9D5-FAA11E730504}.dat
        Filesize

        3KB

        MD5

        930bfe659b476c5074e7c9859385d1ba

        SHA1

        75022619b9b1b26fd4ba39d430588ab075edac07

        SHA256

        cf9b16b104bfcedf625889eedf99ecab84acffbf0feb8a79ad5acd0f89e6356c

        SHA512

        24b48b532111f6cad1f32333af5e398bc76c65481b341656e873a0c4f46d80f5a54257072f61e0684371c88b817ea0871f0a8197f699d13485a3fed1949936d1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ACD51C35-C6C2-11EF-B9D5-FAA11E730504}.dat
        Filesize

        5KB

        MD5

        91dece468babee129532b523c1cc98ea

        SHA1

        c86c13951a796282e47fdc3445a34a34bc7f3154

        SHA256

        edeb5b55f1dfac2f8888204aad1d2454c3680875534666596ddd9b3d2f771679

        SHA512

        e8c2605552b8aa1f5748811de552db774664d3c602100fa3226d9c6016eae92abfaf5b492c25cf839a5a047960dd1c5e5586ba9fbf0b11fb80b086a01570a50a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA3C.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        236KB

        MD5

        1c5dc181a94377a493f0e0ab7a74be5c

        SHA1

        61902a1bb92ab25b69219c8e49a24f2e2067e7fe

        SHA256

        a4a9bebd22ec3c18d3a6f4b8c72523aa1a9a377a7779e274156b0772b38ecb49

        SHA512

        c4e746fea55b7a1332e82668fc415cb6b0856542871ad2d1bf47fd3c76abff6ad10a0300c3705e61ed4e4c401aef29b04d66fa18d6208f6a715c688cd936df14

        Download Submit

      • memory/8-28-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/8-35-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/8-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/8-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/8-21-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/8-31-0x0000000077382000-0x0000000077383000-memory.dmp

        Filesize

        4KB

        Download

      • memory/8-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/8-36-0x0000000077382000-0x0000000077383000-memory.dmp

        Filesize

        4KB

        Download

      • memory/8-32-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/8-37-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1520-12-0x0000000000A40000-0x0000000000A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1520-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1520-4-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2956-33-0x0000000000450000-0x0000000000451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2956-34-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4432-0-0x0000000010000000-0x0000000010065000-memory.dmp

        Filesize

        404KB

        Download