Analysis

  • max time kernel
    130s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 10:44

General

  • Target

    6ce16b648b49190f133f5948f8c86ad1d1135c072ce941138b6900294bbf89e4.dll

  • Size

    1.5MB

  • MD5

    2507920ca64efc7134b92cd0f1dbbc83

  • SHA1

    b6941eab4191584630351496dc0b0723ef9afb24

  • SHA256

    6ce16b648b49190f133f5948f8c86ad1d1135c072ce941138b6900294bbf89e4

  • SHA512

    b265c1b2a557efa2dbce7774a69963519f9b0af01eac0b7e0447a14be5e6fe05ba989da34952f226e56ad1646640d9dcda691aa1798b48f87ee938324f18b917

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Program crash (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce16b648b49190f133f5948f8c86ad1d1135c072ce941138b6900294bbf89e4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce16b648b49190f133f5948f8c86ad1d1135c072ce941138b6900294bbf89e4.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3956
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3956 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 692
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4052

Downloads