Overview

overview

10

Static

static

3

abe499255b...16.dll

windows7-x64

10

abe499255b...16.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll

  • Size

    691KB

  • MD5

    b7e4578474a53fe33508f392c29fbc7b

  • SHA1

    3daa3c9b1d4a83b87de2f77e8a26760e35fde0ee

  • SHA256

    abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016

  • SHA512

    52aa6ac9c29533a37d75d7092f1ca9487159d2e4a29a9a92418b74946cf9867432105dd957286308774a1a17cab02cfe1cdb25bf5d60f910851c9775f5beb77b

  • SSDEEP

    12288:gh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMN70Q6sihM0PNWjD:g8F+Pzr/Hfp4MIYwZckMQm70Q7WWf

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe499255bfe229639a85cc1dec863251c3489994f9445b9b3c3efea9e9c1016.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3888
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:1084
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 204
                  7⤵
                  • Program crash
                  PID:4840
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5060 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3916
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2056
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4176
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1672
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:1076
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:384
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 204
                      8⤵
                      • Program crash
                      PID:2212
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                      PID:2832
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      7⤵
                      • Modifies Internet Explorer settings
                      PID:3020
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  5⤵
                    PID:3328
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 204
                      6⤵
                      • Program crash
                      PID:5092
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:3188
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3188 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:2236
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:848
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:3436
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 384 -ip 384
            1⤵
              PID:440
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1084 -ip 1084
              1⤵
                PID:4928
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3328 -ip 3328
                1⤵
                  PID:4072

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  febff5e5b64433316ee5f116c5c14309

                  SHA1

                  55a533777edeed0d18304f073d59d5ca1e5c7737

                  SHA256

                  888dd735b3cf97e714243c7ecf44064128c4a97452b90ebbc66e317a113ef9a4

                  SHA512

                  cbadeca5bbd2528b4af7ad6d053483adac27db83bfcd8b75312a5aa4b09302f729b67a04bbb9af840cb3abd78ec668b5a6c8746685ba0f15780b5e0ea3dd88d8

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  ddeb627584bfd54c45ebd1c87a979dcc

                  SHA1

                  fbda60c39064f9c4de387884fbce09a814c35c56

                  SHA256

                  3e6d089ce7d7aa87477b1cfafdff1cfa44a478fe75ff5699397a5bfca9d62eb2

                  SHA512

                  94297554085843bdcbb45cac5086353aa8db2e3962df509c66227a7816acdf1273cdf58e1323b98d559acefa0e83a9647df2820932a4ed5eea9c6c352d6f31cd

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  989bf8540280d60bd46d205c2c9809ec

                  SHA1

                  8092e5510ecf4ddf9b9a27e855620369b49f710c

                  SHA256

                  74745034eaf745a1aa825fcf9d27de77450203c06019b20f3a2824a2a48f305f

                  SHA512

                  24edec56cbe897d95671679e42316e2c98c91bcd197213cdf414dad0710218e8d24a3f1cfa4fb4e7b0c3c335a5b619c108fa269d654396e145695ca5a8ef999d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BC29F4F-C7E3-11EF-AF2A-D2BD7E71DA05}.dat
                  Filesize

                  4KB

                  MD5

                  4ec7f1e9e9230bd8e914ce2483c40da2

                  SHA1

                  5011b3970fdf1efd92d9d8555c73043b247d19e4

                  SHA256

                  b6086d4046c377073786933341843c7fc5cc8cf91610f28b44ed34738b8f1609

                  SHA512

                  2f70870b8ded603d48ce256615c4343bab9c5539dcce8618d520acb5fbb71b5ea1546e29776c5f069c5ca5614cd0315efb5f8a4cb0faa9d9a9580000461f78a7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BC29F4F-C7E3-11EF-AF2A-D2BD7E71DA05}.dat
                  Filesize

                  3KB

                  MD5

                  c711f0efd25f3bcf7a0be4154b4c4a30

                  SHA1

                  f8b7f3466f659a0a5670d73fb3c63e229fb9ca6b

                  SHA256

                  3ada24866a7f258825ab3934f6b7798e89bbd9b7862d3697cf4023edd3b4dffb

                  SHA512

                  756fa20d224735016f11b95ef0cba02a4fbd7d513f06bf53e23961209f38854f2a2021168667cd353f0ef266c4a235f4b5c0d5ccba75a3d65e772c2d12611fa2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BC501C9-C7E3-11EF-AF2A-D2BD7E71DA05}.dat
                  Filesize

                  5KB

                  MD5

                  328861858ba101b11fca7925825b0275

                  SHA1

                  b6388dd5e8fdaae4fa677b6e4c7854f9ad801cc4

                  SHA256

                  41d8404cf0b32b745b0abccf3dc11fb2f40bf2d69dcd5c7f94d99fd90dc2e993

                  SHA512

                  b12107de9c70c89e7eeb728a13d414b903ac883c86cda951c215097389f446d8b51384351c1d35d4ab2dac9e314725dfe4271120dd95bef71a8cf773418f723f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BC78B48-C7E3-11EF-AF2A-D2BD7E71DA05}.dat
                  Filesize

                  5KB

                  MD5

                  ac2d53a40b76496c4071d7428b52f24b

                  SHA1

                  5b0128e2e576f4add76285d99201dfb5ca4b3e27

                  SHA256

                  ce462c7641b7a742d6d02f08c0495fb36dfba7205a1836b41b1ee047e80ce8e8

                  SHA512

                  fa571261ce29b8708753373d39ce735f4cdac1a96355282d6933d8fe529e59c82eeab796cc83b9cc6d8b9919a0fcb4da4974ee0b8180942d8968c750d6977544

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver41B8.tmp
                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US
                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  255KB

                  MD5

                  6ea88d3eaa4dc3511a4bcc65fb8537a9

                  SHA1

                  79158ba5448805d6d1bef347b7c4838ae474e10e

                  SHA256

                  34d1d22466de36804d7e1a7313c0a6fd966675846eb59cc1f205d37d1db71093

                  SHA512

                  26dbb5b5caa158b70ae15090b0909938e658c6847ff207273d45eaa7b9f6196bbd40d73fabe76f5e26962f1784f1e39b0839b418b96c5f8d424148a12e8256ad

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  126KB

                  MD5

                  036dca3575c999ae72229f418a5f0882

                  SHA1

                  cae8eae8bd130555eeed7d32fa93d074f134b0a6

                  SHA256

                  323c53cb996602a9a145e1e18fbe04320a465c96e3d5f2bea7ab70b3b00cad63

                  SHA512

                  3943d34e53ab2092927d08c91be2838ca59140c62d2b46a5cea960b14c080f2adc406150e8c9c0d7683b6b5f206e84eda6c219e25e9065080271caa7ecd417a6

                  Download Submit

                • memory/1076-70-0x0000000000400000-0x000000000044D000-memory.dmp

                  Filesize

                  308KB

                  Download

                • memory/1672-49-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1672-63-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-17-0x00000000008E0000-0x00000000008E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2012-5-0x0000000000400000-0x000000000044D000-memory.dmp

                  Filesize

                  308KB

                  Download

                • memory/2012-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-15-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-12-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-22-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-24-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-13-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2012-23-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2044-59-0x0000000000430000-0x0000000000431000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2044-82-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2044-84-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2044-75-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2044-62-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2840-0-0x0000000010000000-0x00000000100B2000-memory.dmp

                  Filesize

                  712KB

                  Download

                • memory/3888-28-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3888-10-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/3888-16-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/4176-83-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download