Overview

overview

10

Static

static

3

7dbb68c035...7N.dll

windows7-x64

10

7dbb68c035...7N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7dbb68c0352c945a6094c1160c8936f33347b88902db8924ecf055a94e2f19c7N.dll

  • Size

    782KB

  • MD5

    a2c4d1b592436aecb8de221b96e6c3a0

  • SHA1

    3bb3abb98d5fa4bdb8b2fb261f0f26041bd4b6f8

  • SHA256

    7dbb68c0352c945a6094c1160c8936f33347b88902db8924ecf055a94e2f19c7

  • SHA512

    4ae7551e126d916fd812b0d2e36e590b7f58c2d86de408981dbfb15292a05f028c6c20f5c912d27c8f0e1ed4fe0687abf4e2d61d5041bce40066084be533ab7b

  • SSDEEP

    24576:4zb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwP1F:4zbKsUmjtcdPGgIwPL

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dbb68c0352c945a6094c1160c8936f33347b88902db8924ecf055a94e2f19c7N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dbb68c0352c945a6094c1160c8936f33347b88902db8924ecf055a94e2f19c7N.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:4944
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 204
                  7⤵
                  • Program crash
                  PID:4832
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4400
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4400 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:860
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4712
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2348
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2984
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:1428
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:3152
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 204
                      8⤵
                      • Program crash
                      PID:892
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:2156
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                      PID:2556
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  5⤵
                    PID:3576
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 204
                      6⤵
                      • Program crash
                      PID:3268
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:1432
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:740
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:4484
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4484 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:872
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3152 -ip 3152
            1⤵
              PID:2656
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3576 -ip 3576
              1⤵
                PID:3208
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944
                1⤵
                  PID:3452

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  a242c16707ddb2e8d8cdc25c90105a56

                  SHA1

                  9b89a87ca70fd62da5d616640802babc7edf8f6e

                  SHA256

                  cc4f0c341edb160871fc365d7d6c69d4ad8aba356a3ed1c4b7edbe938a318d73

                  SHA512

                  40664796a563b766485552f7f4c5084c185ada5bc25556d155041443ad6257a396692fcb667d0ab69e3f666aa2940d7f28e39eaded9762240a24ed40d7ec0291

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  a73a31e34cf8db09c7be588ea76c2c5d

                  SHA1

                  5b9ce08b0724c191d5d1b303f39556d3fb70beeb

                  SHA256

                  744e3d0426f1f5fb0f0e9c3842a58a5f35a9329561e8a2f00e6cdacb6aabd7f2

                  SHA512

                  92bd4d8e3c3a5b92993f80c9603ef8a8781e1ec965c8a96c26209d0cec8cb46904986ebeb4f7b4c52a9ba769ddab7d0578f945bd75fbf537172aa7b1a281256b

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  16503e25107dfab3db10acc626301f44

                  SHA1

                  cdcb5fcf9f843fb3b4118b00137062880376a93a

                  SHA256

                  da99a3834b4f80242f5267c0f917f2df7e858cc65ca1ff660466465d5e5d1b95

                  SHA512

                  207eb28c5fb0260b25c3d67a916ded82128708aff5a832a6caab3e27023c7dd179a33627b1baa617d7a6c6863c8c8c8fa86588f9f0087db1510b2786effca900

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  733e7a6f0e24c5927c737d9bad00f552

                  SHA1

                  fa20e15806e19f6d3c5e1eaffe6b055b753c394f

                  SHA256

                  0dd204303b89fb57f76220b26c0d7d8d0bbeb3f4a493519a11fbec31d97d0eaf

                  SHA512

                  7a572c74935a5fb80e696504da1739a6dd05a921fb8f15341cbd8ab5f9d2bf26b4c6baff4232d9961f10c651eeffc4578680b62c2ed0166dd42b95e1e396b4bb

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  6d763468beef29adc446cccfe0d6a73e

                  SHA1

                  fe332323fadc794b270cac151bd1e55f1a1d27b6

                  SHA256

                  60d80cf5e8de253b471d776af9d62be8b069a96b40272536453441fa150b29a6

                  SHA512

                  84ab98d03977460f8c96715d321e6ea7753353fd990a0e68a6a1dae8a80d0cab02ac2c752276ec861db0b9b4c130e3b503c121920bdebd4ce1480e4b9d8c13c8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88A5C395-CAD0-11EF-ADF2-DEEFF298442C}.dat
                  Filesize

                  3KB

                  MD5

                  38df8f1b6b796fc2d1475c8ce4a5f001

                  SHA1

                  e5d6ad484133aad45fe14d1fc5c143cddcfd3ca9

                  SHA256

                  bd4b4c006fa9c4c65ce19ea4cfaad893a0bd1e462bf79a25d519836a4bd2ef45

                  SHA512

                  27b4fcee40f23440b4eb7d9a8756ad3f90b9cfa815c6e304e5cd62694cd5bc349bf6f5884e2b3f0413574007c81d19d7d5929bc7374f252fc3b39743c3ce889d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88A8269F-CAD0-11EF-ADF2-DEEFF298442C}.dat
                  Filesize

                  5KB

                  MD5

                  2600037bceafb779bc19fbde980eeed2

                  SHA1

                  7780103c54e4abe72714a20ba8769e00de84f62f

                  SHA256

                  6d38e4c2311cb75a70d8ee97c19c9e5a2274449b07424094b3300447d6e833cf

                  SHA512

                  9a1f7a57e23f6d112df2569be5174338bd2e39cc17ccf8992528a097795f0e42eb0ce18f6292c4b152c2c657c83fc36df49f3c0123cd52f44593ed7f7660f242

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88AA8844-CAD0-11EF-ADF2-DEEFF298442C}.dat
                  Filesize

                  4KB

                  MD5

                  bbb40a315e34961028e49eac2f45d974

                  SHA1

                  84ed6630e0c8ae1ee033753ce7aaf81ef654ce28

                  SHA256

                  11497a94455158f706922576ae43b364d46945829252f97106ce502ca21c81de

                  SHA512

                  d344ca775016451df3250a3aeba56be4faab5d115c2cdf79c145f13933575b814f1e9cf7b7a0832795ac7f0f26a80491e2c0563c42de847311eeae8a91ac4563

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88ACEA93-CAD0-11EF-ADF2-DEEFF298442C}.dat
                  Filesize

                  5KB

                  MD5

                  1bc85687b2062e5fbcb19835e34ef9eb

                  SHA1

                  c06242c53ab8f94727b72819f8c5092b3a480d2d

                  SHA256

                  4f540d2e80631eb40d1f1055a7350f6a2e29f605d62fd3a938d5b12fdf8f4e93

                  SHA512

                  6b526eede8da76b5847e7a9d83b68c0085be6a4299e4d86d5d92e0281f77ef46df978bed6cf1e5bf623deb7f4eb287b63a1d9bb49deed6b828c66038447428a6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF240.tmp
                  Filesize

                  15KB

                  MD5

                  1a545d0052b581fbb2ab4c52133846bc

                  SHA1

                  62f3266a9b9925cd6d98658b92adec673cbe3dd3

                  SHA256

                  557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                  SHA512

                  bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  123KB

                  MD5

                  ebd1cf7321469f950e09540bc68e1e2c

                  SHA1

                  8004bb6e2f7db1336b25d3fc68b80ed02bfbe071

                  SHA256

                  c962d63cce6dd7e2793cf2b05ebe53bcad6f1c2ba98ac76cd60ad8374981c285

                  SHA512

                  6fe6999c24b0d3ed3cf667217d5accb7493f473843d73008a8084e0910c33d90b676ebe9ee9d4adbbd602ae4d4b0384b3f52a628ad9f411fd1728e204bcc554a

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  60KB

                  MD5

                  f5383b8d76b434cd45caad3697c5acc7

                  SHA1

                  36736c3eda9aeb4d0b5aca229865b62190b73da5

                  SHA256

                  eac31cbfe560c4bdf1a3b859862b034585962c8fed6bfbdd8e6bdb710abc3fc8

                  SHA512

                  0f259ef90e3c3bdf398508552edaadaf48ae517204c3c8094404b712d5613abd75fab120ea3c4c0a0df44092475cbff0a037c39c757f8851adda17d673d8d0ec

                  Download Submit

                • memory/1428-88-0x0000000000840000-0x0000000000841000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1428-84-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1428-85-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1428-79-0x0000000000400000-0x0000000000444000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/1428-82-0x0000000000830000-0x0000000000831000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1428-93-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1704-0-0x0000000005000000-0x00000000050C9000-memory.dmp

                  Filesize

                  804KB

                  Download

                • memory/2216-55-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2216-78-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2216-41-0x0000000000400000-0x0000000000444000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/2256-11-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-12-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-13-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-22-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-19-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-21-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-26-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2256-20-0x0000000000160000-0x0000000000161000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2256-6-0x0000000000400000-0x0000000000444000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/2448-42-0x0000000000400000-0x0000000000444000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/2448-86-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2448-72-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2448-94-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2448-54-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2448-53-0x0000000000060000-0x0000000000061000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2448-56-0x00000000777A2000-0x00000000777A3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2984-68-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/3576-71-0x0000000001290000-0x0000000001291000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3576-70-0x00000000012B0000-0x00000000012B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4264-27-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4264-10-0x0000000000400000-0x0000000000434000-memory.dmp

                  Filesize

                  208KB

                  Download