Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-01-2025 04:34

General

  • Target

    ed0b4d4e31f572bffa5c56c0c7677ec6b670e22af504a94d2e1830cab3f5c676.dll

  • Size

    3.3MB

  • MD5

    f58610835801009cf7ba115604f94905

  • SHA1

    03d36617604c72a22fb187a576504b4c2b594359

  • SHA256

    ed0b4d4e31f572bffa5c56c0c7677ec6b670e22af504a94d2e1830cab3f5c676

  • SHA512

    bb5736839cf7589c5e50394f2531e1a6047126dc489d02b66e2182918e06f499222cdb8ce9e600550811889ec5384a8b6063d2fd9c912e0a23a72686eba1bf7e

  • SSDEEP

    12288:CclekxppkfkjJ13OuHnsaxS7Z/d3QPn/6nwS+sByjgopluSZJ2yVsjmIG+3pF0AF:DJ13bsao/d3QH6nway/5Z5Ih09T

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms and Trojans.

  • Ramnit family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer, including modified UPX builds.

  • Drops file in Program Files directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
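
The "UPX packed file" signature above is a static check on the PE section table. The following Python is an added example and not the sandbox's own signature logic (whose exact rules this page does not show): it parses a PE header with only the standard library and reports two common packer tells, section names beginning with UPX, and a first section with zero bytes on disk but a large virtual size, which is how UPX lays out its decompression area even when a modified build renames the sections. The indicator names and the `build_fake_pe` fixtures are assumptions constructed for this example.

```python
"""PE section-table heuristics behind a 'UPX packed file' style signature.

Added example, not the sandbox's own detection logic. Standard library
only; the images produced by build_fake_pe() are synthetic fixtures.
"""
import struct

COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, _virtual_addr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, virtual_size, raw_size))
    return sections


def upx_indicators(data):
    """Two cheap packer tells. Both are hints, not a verdict (see note below)."""
    sections = pe_sections(data)
    first = sections[0] if sections else ("", 0, 0)
    return {
        # Stock UPX names its sections UPX0/UPX1/UPX2; trivially renamed by modified builds.
        "upx_section_names": any(name.upper().startswith("UPX") for name, _, _ in sections),
        # UPX0 is the in-memory destination for the unpacked code: no bytes on disk,
        # large virtual size. This survives a renamed section table.
        "empty_first_section": bool(sections) and first[2] == 0 and first[1] > 0,
    }


def build_fake_pe(sections):
    """Synthetic PE with the given [(name, virtual_size, raw_size)] (test fixture only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew: PE header follows DOS header
    # i386, N sections, no symbols, no optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b""
    for name, vsize, raw in sections:
        table += name.encode("latin-1").ljust(8, b"\0")
        table += struct.pack("<III", vsize, 0, raw)            # VirtualSize, VirtualAddress, SizeOfRawData
        table += b"\0" * (SECTION_HEADER_SIZE - 8 - 12)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    packed = build_fake_pe([("UPX0", 0x30000, 0), ("UPX1", 0xD000, 0xD000), (".rsrc", 0x1000, 0x1000)])
    print(pe_sections(packed))
    print(upx_indicators(packed))
```

The name check is defeated by a one-byte edit to the section table, and the empty-first-section layout is shared by other packers, so a match on either should trigger unpacking and a second look, not a verdict on its own.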

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed0b4d4e31f572bffa5c56c0c7677ec6b670e22af504a94d2e1830cab3f5c676.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed0b4d4e31f572bffa5c56c0c7677ec6b670e22af504a94d2e1830cab3f5c676.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3364
        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          C:\Windows\SysWOW64\rundll32SrvSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4132
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4580
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4024
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 636
        3⤵
        • Program crash
        PID:1112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
    1⤵
      PID:3104
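
The chain above (rundll32.exe loading the DLL, then rundll32Srv.exe, rundll32SrvSrv.exe, DesktopLayer.exe and finally iexplore.exe) is what a detection engineer would want to match in endpoint telemetry. The following Python is an added example, not part of the report: it replays constructed process-creation events modelled on the PIDs and images above (the `pid`, `ppid`, `image` and `cmdline` fields are an assumed Sysmon-like shape, and the DLL name is shortened) and flags three behaviours: a child executable named after its parent with an `Srv` suffix, which generalises the rundll32Srv/rundll32SrvSrv naming seen here; the DesktopLayer.exe drop path from the report; and Internet Explorer launched by something other than a shell or another browser. The allow-list of ordinary IE parents is an assumption.

```python
"""Flag the dropper chain from the process tree above in process-creation telemetry.

Added example, not part of the sandbox report. Event fields (pid, ppid,
image, cmdline) are an assumed Sysmon-like shape; the parent allow-list
for iexplore.exe is an assumption.
"""
import ntpath

# Parents from which an Internet Explorer launch is considered ordinary (assumption).
ALLOWED_IE_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}

# Known drop path from the report's process tree.
DESKTOPLAYER_PATH = r"c:\program files (x86)\microsoft\desktoplayer.exe"

# Constructed events modelled on the PIDs and images in the report (not captured telemetry).
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2308, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 4576, "ppid": 2308, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 3364, "ppid": 4576, "image": r"C:\Windows\SysWOW64\rundll32Srv.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32Srv.exe"},
    {"pid": 4800, "ppid": 3364, "image": r"C:\Windows\SysWOW64\rundll32SrvSrv.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32SrvSrv.exe"},
    {"pid": 4132, "ppid": 4800, "image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'},
    {"pid": 4580, "ppid": 4132, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 4024, "ppid": 4580, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2'},
    # Benign control: the shell launching IE directly should not be flagged.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image names from the outermost known ancestor down to `pid`."""
    index = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in index and pid not in seen:     # stop at unknown parent or PID reuse loop
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious(events):
    """Return [(pid, reason), ...] for events matching the dropper-chain rules."""
    index = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = index.get(e["ppid"])
        child = basename(e["image"])
        pname = basename(parent["image"]) if parent else ""
        # Rule 1: child is named <parent stem>Srv.exe, i.e. rundll32.exe -> rundll32Srv.exe
        # -> rundll32SrvSrv.exe. Generalises the naming in the report to any depth.
        if pname.endswith(".exe") and child == pname[:-4] + "srv.exe":
            hits.append((e["pid"], f"{child} named after parent {pname} with Srv suffix"))
        # Rule 2: the exact drop path observed in the report.
        if e["image"].lower() == DESKTOPLAYER_PATH:
            hits.append((e["pid"], "DesktopLayer.exe executed from Program Files (x86)\\Microsoft"))
        # Rule 3: a browser started by something that is neither a shell nor a browser.
        if child == "iexplore.exe" and pname not in ALLOWED_IE_PARENTS:
            hits.append((e["pid"], f"iexplore.exe spawned by {pname or 'unknown parent'}"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason, "<-", " > ".join(ancestry(SAMPLE_EVENTS, pid)))
```

Rule 1 is the one worth keeping generic: the report shows two generations of the same self-naming (rundll32Srv, rundll32SrvSrv), so matching the pattern rather than the literal names catches the same dropper when it is loaded by a host process other than rundll32.exe. Rule 3 will also fire on legitimate automation that launches IE, so pair it with the other two in scoring rather than alerting on it alone.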

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      d3ef026dd88e6e5106ac84f80286c124

      SHA1

      75062b0190d63b6ee191c2d3fd7deed40520a363

      SHA256

      2ecb929a03fb648afd921206e9f84eebfe98b3b343061e6d2e5bbf3a1d02619c

      SHA512

      809dafd4a0fb9c3c22d3fff05ebb4c025b35a69b514ddb082565a14b3543581f1c430532b6dec2dd4da97a4c9b9818b57d91dcc6f91a3a5425f5a65a078cf64e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      0ae46aa3f6af107f51bb58fcfdf31728

      SHA1

      d1e889ef22b0971b633d30e6e15dffd06d768337

      SHA256

      400092e66b6477ea500edb336e8bcab8d69c833677842a438dec73923343a58d

      SHA512

      24887d8a6e9414aa521a0c1dd617de320e147f3977eecf9d3facee37d0146fcb433dd139817ca9a0e16dc47934ae99ca7d40f7339cfc9ad9b52399c5eccc876a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      99db31319335b3e9de6146ad098b3c56

      SHA1

      5b5a620f0cafbc26383da8a40e636d2bc7262a63

      SHA256

      15df5f3afe4f08c84294ba7ca60baf262541f9f90cc91ee8506411b532c4d997

      SHA512

      7c7f18b90c0b4310444f1a25a32a1d60e9fc60ce436a614bdf26968b5a86c7a1ced4faa4d90c928d8a8c26931fb8efd22c6e262840118a2ed67d603c2fe7a367

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0156EFB9-C98C-11EF-B319-4A034D48373C}.dat

      Filesize

      4KB

      MD5

      b5d23d0e74a2e4e81b6a5eac25daafdd

      SHA1

      d596484d8bf07a2c836caacbaaf07e44eb1e8e7b

      SHA256

      9eb9403afe6bfd7061703dc77ab7c331c67f35a111da7627d420fe9b3963c7cb

      SHA512

      e14ade0a7e2280adfc9b8f096d1ceb4a72442003de2606a1c7e8df675fa8611339b06bf04390d4f784124807713d373018134aaaebecfd85e69087f6788a0b38

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{015716C9-C98C-11EF-B319-4A034D48373C}.dat

      Filesize

      5KB

      MD5

      f81898ade5a683610a1390333de79e56

      SHA1

      4141f3e33ed63bb235a467edc64649455612ae43

      SHA256

      c14fa73a0c842e1b43e2fe33b3fc750d372d8a13030ea7027d249bb66b9c946b

      SHA512

      ddce7e32b479052781d47c81fac1612b12c85aa3c3ebb6897d7827be0ea23ec1632e6c975abdc5446cc2210da07a03826e62c25b68781dab6f7936228a2635fa

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver19EC.tmp

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Windows\SysWOW64\rundll32Srv.exe

      Filesize

      111KB

      MD5

      0807f983542add1cd3540a715835595e

      SHA1

      f7e1bca5b50ab319e5bfc070a3648d2facb940eb

      SHA256

      8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

      SHA512

      27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

    • memory/3364-5-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3364-9-0x0000000000520000-0x000000000052F000-memory.dmp

      Filesize

      60KB

    • memory/3364-16-0x00000000005C0000-0x00000000005C1000-memory.dmp

      Filesize

      4KB

    • memory/3364-15-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4132-23-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4132-19-0x0000000000490000-0x0000000000491000-memory.dmp

      Filesize

      4KB

    • memory/4576-25-0x0000000010000000-0x0000000010406000-memory.dmp

      Filesize

      4.0MB

    • memory/4576-4-0x0000000010000000-0x0000000010406000-memory.dmp

      Filesize

      4.0MB

    • memory/4800-8-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4800-13-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB