Overview

overview

10

Static

static

a5058b9528...d3.dll

windows7_x64

10

a5058b9528...d3.dll

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    09-05-2021 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll

  • Size

    332KB

  • MD5

    015e11b88afcd635d409dd37d63b34ee

  • SHA1

    efdccbe4280d4f8f635bb2bd74c912bab6a0bf38

  • SHA256

    a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3

  • SHA512

    ef7c3c6b9462e33437b83b93bdc3a193b9bdc951f14483c072362491747551aefca4238085bdf4410ebf429c74f6366cee8b081090c0a65a171969f18f524957

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\rundll32Srv.exe
      C:\Windows\SysWOW64\rundll32Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\rundll32SrvSrv.exe
        C:\Windows\SysWOW64\rundll32SrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2968
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2704
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 644
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3532
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    f018e9eb66dc53d840ee98c5926f1e2e

    SHA1

    8e736010173688f982e5713fa8b70c978f17ba42

    SHA256

    8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

    SHA512

    30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    f018e9eb66dc53d840ee98c5926f1e2e

    SHA1

    8e736010173688f982e5713fa8b70c978f17ba42

    SHA256

    8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

    SHA512

    30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5

    f7dcb24540769805e5bb30d193944dce

    SHA1

    e26c583c562293356794937d9e2e6155d15449ee

    SHA256

    6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

    SHA512

    cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5

    f7dcb24540769805e5bb30d193944dce

    SHA1

    e26c583c562293356794937d9e2e6155d15449ee

    SHA256

    6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

    SHA512

    cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    f24c21cc3be7daee3b2334dfbf6cc685

    SHA1

    3f5fc1985d1e6396c501c2b1529ba2b3974433a5

    SHA256

    9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

    SHA512

    e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    f24c21cc3be7daee3b2334dfbf6cc685

    SHA1

    3f5fc1985d1e6396c501c2b1529ba2b3974433a5

    SHA256

    9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

    SHA512

    e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    f24c21cc3be7daee3b2334dfbf6cc685

    SHA1

    3f5fc1985d1e6396c501c2b1529ba2b3974433a5

    SHA256

    9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

    SHA512

    e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5

    556f0dc1d0c07922d39923d1a6b97d6f

    SHA1

    a72de011d0a389df129f815163c2d93c0c8b2b05

    SHA256

    6e7de1b8bd0d541c112df6685f7d63aa0052a4b9bf477cbd27d64dfe9f5e45d4

    SHA512

    5951ddeaec1deeb53efb69f97cefc9406957216da2a4de0c6de0e9969d1d4adb9749643d6827b5b7e72120a675dda754287158394a66e3a2a6decee6de31beb2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5

    af13ae4320cd826a0dfb9582785d4bc2

    SHA1

    94641ed05740c801509fee197ac7665acd2f7045

    SHA256

    6a1d338571481a7136c298f03940408e91a2ab6d697788cbb4e242fe73daff66

    SHA512

    17fc34505adf452a13f1709910673c1a7fd9026296b1786fee49119fb8cc86e6c3722c431b0d0c2fb0bd9be64abf88ef1a1f4e9b330bfdd652a9f9b32107c8b1

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    8f65d0c8273865b7eb3ec82542b6c73b

    SHA1

    5e2fd17b4642ed717d03c63197d28456a7301900

    SHA256

    1ce187680b7d3f4bfaa44312273021fdadb0955e4c3f6fe577a5e29f9c1de076

    SHA512

    e476091563de6f866de1585e1ce3bcf54d0a236596b63d019edc31f9d4267c364129310594cad3ae5b937e999e17b3880c4e3cc83d073a1a7a846f16b7229a78

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    65630676729f09acc154a19c84c19d51

    SHA1

    c296e5c7dbeeec6bad516dc24b839872c72f3bac

    SHA256

    f83d45cc315b66b99d3ce443bf8205550456d450af774a3e0df227a996c52b2a

    SHA512

    7817b23d7cf7ed39123ddd8417a5c7cd39e9c45c3622b60747985f21d9af853b101b17cbb2770a1eb8ff0f39bc56add9f11e4da2c2a6126f5d9287ae1439c106

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    b4fe99535f89ebd7554ee2c1ef8bedec

    SHA1

    0748142f2592bd67771fa3529237f3ca10ad9732

    SHA256

    59bac376a05455025cad0c0514b4028391cc30d253083dd2710d665ae5805409

    SHA512

    98bffbbb1de315c04e0000c0430980f8a2e60e60fce8c17a0275877c55adf7c488388400bfa4fdbbccf52665464cc7d1e2d983d2ee619cb580195d34a0412b53

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3BB585F-B099-11EB-A11C-F682FE25733D}.dat
    MD5

    a8a8e556575519bb4bb140c6eb23434f

    SHA1

    39362353fd787a7f70284504af11d88274c114d6

    SHA256

    a7f063c72ed04d925176117630c09a4b97e8de0295cb33b630540f77090fd382

    SHA512

    003b850fdc7b430c09b1eacf22d46278d9f01ea35d56752e4ea2c241b97a6cf38b43662263938f1d12f62a717721884fb28450cda57560315b331ef807b9351f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3DA531F-B099-11EB-A11C-F682FE25733D}.dat
    MD5

    2bf1ac2aefa1b3b1b87dbbf0919f52ac

    SHA1

    cc445c43501a49b03b75c7cd3ba9076da80853c5

    SHA256

    4d79951e32d64db31a631f1d6d9cafa8f95bbe97b21b66092a5cd157935a6178

    SHA512

    3e21d3a0a3ee0be923c5312c779cf2dfaba56c464d806beb279760271f29967773f1a6c98f8776b75952b9b2c9470778e1ac95ec4e38d4d9cbece23b4baf721d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3E2B593-B099-11EB-A11C-F682FE25733D}.dat
    MD5

    39b01129dfe4a3f81d3c06a3d31dc852

    SHA1

    588e0247ae011c831f182b40085ffa9acd98c5db

    SHA256

    8909837dd797f0f4ca1c3dd8242a7ec4c227d2e752baf80a45d293285a74b395

    SHA512

    20edab41c4f5c089546c641820726f3c7621098f35ce46e5610b0660e5496e03152f06455f3edba649d3fac1f0473431e9952626708e6ea2ce122b1befa5a448

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9F1419FX.cookie
    MD5

    69feb1c9bd08cdbf9c7aeb3c13cc1de8

    SHA1

    852fd092d3bc0ef0324a795484f2b70a633ab42e

    SHA256

    50dbb77d72a0bd97f112b3b622b950e66e9939d7ec7b6ed7f84d40346afbccbf

    SHA512

    90e0cc3606058ecd118d938bfa5f8778eedaa4e11849c2f49c4c6d545f3c5c3ed94756bbdf609e98340132cd00e187c8cb39be2b05124c60f3e601c11cc1371c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q06JJ1TI.cookie
    MD5

    93f9d96d2bb49292e39efa4516558445

    SHA1

    afbc9c224754821a6dc90e979ba45d1a4c996357

    SHA256

    904b778063009e7a16e4eaef56695a9db29b0deb04e909b26689286e3a233664

    SHA512

    3d5e8b2975c69edd0e1c625832201faf677baa3549afb93407643dd49503db5ac6c9da5d1d3e53b9051c8d6280a303960ac2b83c66f751657497045133d1ef74

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    f018e9eb66dc53d840ee98c5926f1e2e

    SHA1

    8e736010173688f982e5713fa8b70c978f17ba42

    SHA256

    8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

    SHA512

    30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    f018e9eb66dc53d840ee98c5926f1e2e

    SHA1

    8e736010173688f982e5713fa8b70c978f17ba42

    SHA256

    8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

    SHA512

    30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

    Download Submit
  • C:\Windows\SysWOW64\rundll32SrvSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\rundll32SrvSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/376-127-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/376-115-0x0000000000000000-mapping.dmp
    Download
  • memory/376-123-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1004-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1380-142-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1380-117-0x0000000000000000-mapping.dmp
    Download
  • memory/1380-122-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1592-120-0x0000000000000000-mapping.dmp
    Download
  • memory/1704-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1704-137-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2044-125-0x0000000000000000-mapping.dmp
    Download
  • memory/2656-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2656-139-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2704-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2768-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2768-141-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2968-144-0x0000000000000000-mapping.dmp
    Download
  • memory/3216-114-0x0000000000000000-mapping.dmp
    Download