Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 14:06

General

  • Target

    7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll

  • Size

    276KB

  • MD5

    d8422419e68cadb2283be20e88119ebe

  • SHA1

    d408afceb43ae005212de514add4a399bea0ed08

  • SHA256

    7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963

  • SHA512

    7ba20fd1dbd8c0f183f6c0ff55813538b2bb03d0c1c3bd7103a2f423f77f56f348c38b55a335e8dd45cbcf53695609def44610aed7d5aa7f298983e4b40f6a05

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants span file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4888
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 644
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5012

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion (1): Modify Registry, T1112

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    06165dea77d5d10217992bd74f065006

    SHA1

    964d97611d8050aaf7d8a3a5e641cd20df6afd92

    SHA256

    9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

    SHA512

    e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    32e6c388ae0fe88feb8818568b5f92a4

    SHA1

    aead9ac1d31e68b6103dc3e8d474612ad0a4e2c4

    SHA256

    d193f6b59600795526e521d46c8ca2b093a65a72dc816c61b26cca94b745414c

    SHA512

    f17ddaf99ec570e32f9c019aed313a08c84b5671886102a6b0bd4eba5c1e28b42154829130b02185f5a89b510ddb4aa3afc0f3b34a5ccf1abfe9e612317aeb8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0L6RP3TW.cookie
    MD5

    7822652d23368dca22093a1ce1da27ef

    SHA1

    0432886dde0c41b205c80e092a051313a10b3be2

    SHA256

    fb5367ee0bf986f39d6a9e6a83061abb180347097c33e07074650789fbf0f1ff

    SHA512

    312e0ebd364ef3c6229fdc22e4fc7dba3b83ad64003bc57eaa05f54e5ffd4574ec3e2ea8d199262bddd70d775ad95c1e579ef3961a495e992ba86c41e04188a2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VNXCZ2TZ.cookie
    MD5

    3cf77efff5de71c12aeca57adab4f833

    SHA1

    ed8bb0fdf334f479d5263252afe1654cce1d8f70

    SHA256

    3cbd889a144fbc6fbde8441faa9f4adfb68f732cd9b50f68eb29a43f7c5e93b8

    SHA512

    f87e620f019b4137067446de9b715260f536a8ceef38804293159171510c51ce761207e641ff23491a2ff1d0bf93afc44ec9b21d6906c225d97b5468f894a100

  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/3148-124-0x0000000000000000-mapping.dmp
  • memory/4472-114-0x0000000000000000-mapping.dmp
  • memory/4828-115-0x0000000000000000-mapping.dmp
  • memory/4828-125-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

  • memory/4828-126-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/4888-118-0x0000000000000000-mapping.dmp
  • memory/4888-121-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

  • memory/4972-123-0x00007FF9E3D90000-0x00007FF9E3DFB000-memory.dmp
    Filesize

    428KB

  • memory/4972-122-0x0000000000000000-mapping.dmp
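The Processes and Downloads sections above carry the two facts an analyst wants to pull out of this report mechanically: the launch chain rundll32.exe -> rundll32Srv.exe -> DesktopLayer.exe -> iexplore.exe, and that rundll32Srv.exe and DesktopLayer.exe are the same binary (identical SHA256), i.e. a self-copy rather than a second payload. The following is an added triage helper, not part of the sandbox report or of any tool it was produced by. The PIDs, image paths and SHA256 values are copied from the report; the parent/child links are assumed from the tree nesting shown in the Processes section (the report does not print parent PIDs), and the "dropped EXE launched under rundll32.exe" rule is a hunting heuristic of mine, not a signature from the report.

```python
"""Added triage helper: rebuild the process chain from a sandbox report's process
list and correlate it with the dropped-file hashes. Data is transcribed from the
report above; parent links are inferred from the tree nesting (assumption)."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None  # None for the tree root
    image: str


# Process tree as listed in the report; ppid assumed from nesting depth.
PROCS: list[Proc] = [
    Proc(4460, None, r"C:\Windows\system32\rundll32.exe"),
    Proc(4472, 4460, r"C:\Windows\SysWOW64\rundll32.exe"),
    Proc(4828, 4472, r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    Proc(4888, 4828, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"),
    Proc(4972, 4888, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(3148, 4972, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    Proc(5012, 4472, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# Dropped executables and their SHA256 from the report's Downloads section.
DROPPED_SHA256: dict[str, str] = {
    r"C:\Windows\SysWOW64\rundll32Srv.exe":
        "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320",
    r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe":
        "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320",
}


def _norm(path: str) -> str:
    # Case-insensitive, backslash-normalised comparison key for Windows paths.
    return ntpath.normcase(path)


def ancestry(pid: int, procs: list[Proc] = PROCS) -> list[Proc]:
    """Root-first chain of processes ending at pid (cycle-safe)."""
    table = {p.pid: p for p in procs}
    chain: list[Proc] = []
    seen: set[int] = set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = table.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def same_binary_groups(dropped: dict[str, str] = DROPPED_SHA256) -> dict[str, list[str]]:
    """Dropped paths that share a SHA256: the same file written to several places."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path, digest in dropped.items():
        groups[digest.lower()].append(path)
    return {d: sorted(paths) for d, paths in groups.items() if len(paths) > 1}


def dropped_exe_under_rundll32(procs: list[Proc] = PROCS,
                               dropped: dict[str, str] = DROPPED_SHA256) -> list[int]:
    """PIDs whose image is one of the dropped files and whose ancestry contains
    rundll32.exe. Plain rundll32 children (WerFault, iexplore) are not flagged."""
    dropped_norm = {_norm(p) for p in dropped}
    hits: list[int] = []
    for p in procs:
        if _norm(p.image) not in dropped_norm:
            continue
        if any(ntpath.basename(_norm(a.image)) == "rundll32.exe"
               for a in ancestry(p.pid, procs)):
            hits.append(p.pid)
    return sorted(hits)


if __name__ == "__main__":
    for pid in dropped_exe_under_rundll32():
        print(pid, " -> ".join(ntpath.basename(p.image) for p in ancestry(pid)))
    for digest, paths in same_binary_groups().items():
        print(digest[:16], paths)
```

On this report the helper flags PIDs 4828 and 4888 (both reachable from the rundll32.exe loader) and groups rundll32Srv.exe with DesktopLayer.exe under one hash; the same two functions apply unchanged to a process/file-event export from an EDR, where the parent PIDs are real rather than inferred.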