Overview

overview

10

Static

static

eb13dd021c...cf.dll

windows7_x64

10

eb13dd021c...cf.dll

windows10_x64

10

Analysis

  • max time kernel
    93s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb13dd021ce43db32bebac601ca166bcb4ac500600f59b80815400c8c63bcecf.dll

  • Size

    1.5MB

  • MD5

    57cf9612a55c03b3793a199ffa3e2034

  • SHA1

    6a84aa2aa4f00af3c9294989fa44ae52b7aa6777

  • SHA256

    eb13dd021ce43db32bebac601ca166bcb4ac500600f59b80815400c8c63bcecf

  • SHA512

    41256a75eb5cfbd29ca669e135f8e94534efb09e52ebc54a995f465c7db1a8cd1aece6370e50893e84c7140a5280e2dd7cbdb709f097f02e4f56e09356ab2481

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb13dd021ce43db32bebac601ca166bcb4ac500600f59b80815400c8c63bcecf.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb13dd021ce43db32bebac601ca166bcb4ac500600f59b80815400c8c63bcecf.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 692
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    ef07b2dc81b7fdcc01d8a9cce1261822

    SHA1

    535c60f61ed56d43a349e92b86dd5204a1b61859

    SHA256

    4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6

    SHA512

    1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    0fb3bd4cb08b4e42396df98f6877ef36

    SHA1

    3ff8ffdf98b9e111ddaebc3692cc2362c369bc56

    SHA256

    9e400b9133860863dca838fe2c4a82062f24400760b37091ef1243f3acbdb217

    SHA512

    c3f7046b8ab471938b65f5dbbceadc98b13e50b146e7a7d362b893868039f9b2585b1aefd71fd5c6c6f030f83c26f4bc14aaf1cefc0fd93d28b6f04c0a61cda3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FQLPFMLG.cookie
    MD5

    355998cff60cc1d0118403bf1df8ed92

    SHA1

    ffa872d88da81524c7f9d054e1a8e6460c08f504

    SHA256

    45118302a9e110bf9b22629db426a39d31e7a83d061423aaf07e57e93b6cd59b

    SHA512

    023540da33552af2311a7758e3b191ba2c4b77bc2145117c23d412ddc378852cba475e328b7973cc72352e72379413e597c1452bf22f2cc96675b7976ee5a075

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O7C8U0WY.cookie
    MD5

    a54c7f379bdcd5b62b35fd19c44e5d80

    SHA1

    9aae143d31b256b563a87908dc3966a34fdd2bfb

    SHA256

    38ab7da534e154059419d6fdaec01355366f66ee4dd7bb4fc9aad9af94f6023e

    SHA512

    5f2a8384529a4796c22c8cabe200d98c609c6ac280872f9c0ecc8e7ef0554c34595de53177bc568237715937f7901d456fb76a1daf4659e3ad1ae9ef81ef4f67

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/748-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1240-124-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1240-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1240-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1360-121-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1360-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1560-122-0x0000000000000000-mapping.dmp
    Download
  • memory/1560-123-0x00007FF857FC0000-0x00007FF85802B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2744-128-0x0000000000000000-mapping.dmp
    Download