Overview

overview

10

Static

static

e8deae0f08...63.dll

windows7_x64

10

e8deae0f08...63.dll

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8deae0f08daebd9b02d23e8073abe607d64c04bbb2495e07c60bc4e754bf763.dll

  • Size

    412KB

  • MD5

    ce09ce2fb5859e55537294397c3dc0e8

  • SHA1

    6c7a23161ee8d0ffa22a6e86bf481c74f135549d

  • SHA256

    e8deae0f08daebd9b02d23e8073abe607d64c04bbb2495e07c60bc4e754bf763

  • SHA512

    e2ec74329b5b2880862f7c1e3d697feefa39e7a5d094969e2b5d3c476cb2a03cd8f5b5c654582ca0336b6a52ca855277ebe3f75e920f44a31e0f211ffaf5e8f9

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Modifies registry class 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8deae0f08daebd9b02d23e8073abe607d64c04bbb2495e07c60bc4e754bf763.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\e8deae0f08daebd9b02d23e8073abe607d64c04bbb2495e07c60bc4e754bf763.dll
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3224
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    06165dea77d5d10217992bd74f065006

    SHA1

    964d97611d8050aaf7d8a3a5e641cd20df6afd92

    SHA256

    9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

    SHA512

    e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    3b2636a0d14fbe6ad0d291af2270744d

    SHA1

    bda08040ffd8ae197309bcfc339ab9b19246258b

    SHA256

    cbf4dc316d4e7573c4a650f41bdf55a257672347044bd9ba6ea0c85ff0705daa

    SHA512

    86746c882688c9861871531ad7225b71bb51e04a18af0f66ca8f60aea9494b58190e294d1649e76321d46d2716b8956c88975eb091c4fb1413baf7b52eff5c78

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\U8DMW95I.cookie
    MD5

    d96d55e128160c58936993a1380298c3

    SHA1

    ed11b1ad2b8ea8e97fa5cf33118d6c5a65946519

    SHA256

    086bf1f13bad7168cd6ed999be91d331c3e9c6cba92ff7a8b735580ade59190a

    SHA512

    f84f6aa8ab11d8aa409972f4e144866d6e4e6a120ee168cd127ac142b987ade95330e5b59cb3366e33ded01c4331e9e0d770617be75e489c9ed16b9ad6f1e740

    Download Submit
  • C:\Windows\SysWOW64\regsvr32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\regsvr32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/2416-128-0x0000000000000000-mapping.dmp
    Download
  • memory/2696-114-0x0000000000000000-mapping.dmp
    Download
  • memory/2868-122-0x0000000000000000-mapping.dmp
    Download
  • memory/2868-127-0x00007FFD5E1D0000-0x00007FFD5E23B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3224-121-0x00000000004B0000-0x00000000004B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3224-118-0x0000000000000000-mapping.dmp
    Download
  • memory/3976-123-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3976-124-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3976-115-0x0000000000000000-mapping.dmp
    Download