Overview

overview

10

Static

static

29233737fd...3b.dll

windows7_x64

10

29233737fd...3b.dll

windows10_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll

  • Size

    536KB

  • MD5

    3e096103e9228d6c68d53a66d5744952

  • SHA1

    655f73c6d6d61d5e3f7f135b6dc4ddf756a20385

  • SHA256

    29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b

  • SHA512

    22b35fdb2edd2c8c26adea0a2c53a5ee668f813eda76984f6f61ed4832b11623ea2e27d2dbf11e225dc9d2cb74cefd616aedcc4fe1b96e64232381932d7e9993

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 672
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    ef07b2dc81b7fdcc01d8a9cce1261822

    SHA1

    535c60f61ed56d43a349e92b86dd5204a1b61859

    SHA256

    4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6

    SHA512

    1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a8029723e6c1f6125b95f208d025f2e0

    SHA1

    4a774c9df3131f386e8307d7801b1475fe33f9f6

    SHA256

    65a80c7f2f07954ed67f2d6c3e73b3d996020a36300d729edb8bf5386fc49e24

    SHA512

    128ce31f4dde80f3986ca15ac6b85d7562934c6ebd9a72efec85b84b783be234a69c775264a2ee77c475f313a60df20cfb1d5d439a9835e1738f603e716a4d7b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\C2Y5QFDX.cookie
    MD5

    86defddd001f6b844f6785e86ba2b10e

    SHA1

    0772218a967972770375a39c302de55f3394b77b

    SHA256

    47fc7a7965cefa106eb6806a02374e3f5b809450f382ee4fec2765d18aaf0da6

    SHA512

    c6a78f2c9ee4d4bb3a2db21c2fbab40d82ebd174c3f967496dfb562526092a173ba628f30626d2434b5464bd98df686f64166fc4aee7867cadd475f65cf461cc

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IC022UZH.cookie
    MD5

    71c146a6f239dc8ade235abf5dac6a15

    SHA1

    41843fbc6dcaff570bb779ee0090e6dd93fb8c0d

    SHA256

    4db31bb57a17880469a339707cfb7afc505612020833a8aa1b809cd4bd5f0b22

    SHA512

    2f751594c774da755521bef7b07f696e547cfcad81bfc6b8547b39982575da90834ab2aede25b91706579abd967c5b713dcce45268984c93d9a5c1c60c5554c5

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/208-124-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/208-123-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/208-118-0x0000000000000000-mapping.dmp
    Download
  • memory/216-119-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/216-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2064-128-0x0000000000000000-mapping.dmp
    Download
  • memory/2248-127-0x00007FFAE8E30000-0x00007FFAE8E9B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2248-125-0x0000000000000000-mapping.dmp
    Download
  • memory/3264-114-0x0000000000000000-mapping.dmp
    Download