Overview

overview

10

Static

static

3

030d8b849b...1f.dll

windows7-x64

7

030d8b849b...1f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    030d8b849b98ea6fddfc729b136977bbf368d4c78ff620a32eba2ed7ac79501f.dll

  • Size

    176KB

  • MD5

    e4ad52db977c6186edddd08fb7968cc7

  • SHA1

    3be8f2385f3ffe723d627c92a13b2062723e140b

  • SHA256

    030d8b849b98ea6fddfc729b136977bbf368d4c78ff620a32eba2ed7ac79501f

  • SHA512

    72a58204be91e61ae95e83799d59adad3693177a7e3b350e07fe14ddc18304d2e0d01f86541beb581ee2f66c345725c5a40280895f8327e07b957a387c021b00

  • SSDEEP

    3072:pgKKuiX63bw5dNjDh8pWVgTlFIYn9KTtpwXg9CMe7dKC:iKZp3KNjVGv9Ct9adR

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\030d8b849b98ea6fddfc729b136977bbf368d4c78ff620a32eba2ed7ac79501f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\030d8b849b98ea6fddfc729b136977bbf368d4c78ff620a32eba2ed7ac79501f.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3492
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 212
                6⤵
                • Program crash
                PID:3764
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3604
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1584
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3492 -ip 3492
      1⤵
        PID:2176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        30f59b20e935520badc298242cb4cff1

        SHA1

        00622b2054eb148a8459c2ccd0b22606c2d5c7f6

        SHA256

        4a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c

        SHA512

        f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        454797c5babbea7d101680e30b9b35b8

        SHA1

        fcdf1607e2c2a01b8369e72350e8ab4720c2abf4

        SHA256

        7da2a3f1fcdd6c9601bd3d719afdfcf870eb533d8353b19a5b076d6bf2cefc89

        SHA512

        47dea02922dfaa76e86617affd5bc9c06e29c5bec39320d5ff1e74762bbf366b42758c7a8620023b3ab1710dfb9cf23d8358f0ec84c48eeff21f15b932ff2770

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        24a7a5743b7ef0b575ece8c6e7c06012

        SHA1

        3568f6df0fc96a455a08447926d5a55f4b8ce9f8

        SHA256

        bfb0adf03d9f9788e7f3b8820873b4063bd6d5f28681f1a176a95aa9e7c63a07

        SHA512

        9901e45840cc9df29ae38a3783021a510cf8f0eb3ab02534e0584e3b25ce5f8a246cc0b3ce7147b2757920e41bbcaacef321c010f2a53138ba554903ef3c8404

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        96e409b936756e4f1c5a5b58c658e846

        SHA1

        6ff04a6bfbf0581ec24c4f6408c8368726995974

        SHA256

        79155cbe422138341be0b4ad070f7c4fe8ff4e91671e7bb468ec1de6698d56bc

        SHA512

        04ab09d0ae46560747c60bd3febe60403dfd3cf32d2b1377bfa07ac1a4257330a261e81296d156850a511c20e589abff5359346c66505b9c4642dd13f15783d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06A9D79B-C874-11EF-BEF1-4A034D48373C}.dat
        Filesize

        5KB

        MD5

        146857ae71a5c9ed19fa262b9c171f6e

        SHA1

        91f2e2bde5cd6710e6cd8b52e8921243362c1e8f

        SHA256

        2569c13424b0adee20c8ef73dae00bbf1aed2f3e16681fe6438762319322ca1f

        SHA512

        8898b14c0a5d05ed3821f73591eabba659fb62caecdc0fc38091cfe773a5532fee439c450c285a09e964c6da31b10c7b9d24626302040579b1286a5287184e50

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06AC3987-C874-11EF-BEF1-4A034D48373C}.dat
        Filesize

        3KB

        MD5

        5df45ded71d82f33d153db4f85a9bf62

        SHA1

        3c9b42b8a4a1e56005627020b9a4258224beb9e1

        SHA256

        6b47627e6f815399df759f50e397232169ff3ece3eb70d543aa4a7f1639c0e89

        SHA512

        15f210869979c83334ffe40b977c70889e6c119444f44974000cfa2e16fcd0cc6b2fd2bb2ab41d39ede87662cde0155d09810c54dab803cfbf6eea2aff728832

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1DD5.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

        Download Submit

      • memory/872-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-5-0x0000000000401000-0x0000000000405000-memory.dmp

        Filesize

        16KB

        Download

      • memory/872-27-0x0000000000401000-0x0000000000405000-memory.dmp

        Filesize

        16KB

        Download

      • memory/872-6-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/872-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-11-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/872-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/872-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/960-35-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/960-36-0x0000000076FE2000-0x0000000076FE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/960-34-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/960-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/960-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/960-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/960-30-0x0000000076FE2000-0x0000000076FE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/960-26-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1832-1-0x0000000010000000-0x000000001002E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3492-32-0x0000000000640000-0x0000000000641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3492-33-0x0000000000620000-0x0000000000621000-memory.dmp

        Filesize

        4KB

        Download