Overview

overview

10

Static

static

8e2303df9b...2e.dll

windows7_x64

10

8e2303df9b...2e.dll

windows10_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-05-2021 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e2303df9b9627df01542e5a3d1d13de2d3af4f4a41343ac17bc1e4f2f165c2e.dll

  • Size

    276KB

  • MD5

    24fd1996b7ec7062ebf9d247e9cb29bc

  • SHA1

    9c96250e9cac166be885ea69772e19ddf83b6f4e

  • SHA256

    8e2303df9b9627df01542e5a3d1d13de2d3af4f4a41343ac17bc1e4f2f165c2e

  • SHA512

    a2a533ae11aa76fd78214fe48a423278a3ad84809934ecec91cdcf5d12e80c0b8c7d1f62a5af90529275f7643f693a4e27d9e4ff9bc4e8d679ce2398e6c34554

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e2303df9b9627df01542e5a3d1d13de2d3af4f4a41343ac17bc1e4f2f165c2e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e2303df9b9627df01542e5a3d1d13de2d3af4f4a41343ac17bc1e4f2f165c2e.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 648
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    f24c21cc3be7daee3b2334dfbf6cc685

    SHA1

    3f5fc1985d1e6396c501c2b1529ba2b3974433a5

    SHA256

    9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

    SHA512

    e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    08e2b0fece192b09a06fe0eff5939e42

    SHA1

    8336bdf9a83bd66bd77d3861d3188f1b6b86a00c

    SHA256

    c183f8acdb2088728c46ddfe0d95f99c3955480e84ba0ad4f60e35375b0b8c07

    SHA512

    cd2dd06012c109b5122980a0a4f411d58137b84efe724351af97a820c87518205b36b672175ca2a201203361576e413107d2b5f7b8ee19a0852484f45950ecb0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AV5MLI0V.cookie
    MD5

    227b16d4e85bbaa277eafd9a9576883a

    SHA1

    af6c8defbea66b2998acce9c646853515a4c4766

    SHA256

    0fb76ea9f9e876d5d3689affb50bee689751344e83181123118a4d386396c918

    SHA512

    3d47c86217a8a38fb6f5db159ec10c20ac70f1f7d1085492a2c6185f1b9abf09c1a39739d7bc189d4584093a0b8ec626e9550e3d1245743e2fdda0addaea221f

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/636-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3204-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3204-125-0x00007FFD99430000-0x00007FFD9949B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3676-120-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3676-119-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3676-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4248-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4248-123-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4844-114-0x0000000000000000-mapping.dmp
    Download