Overview

overview

10

Static

static

2f9edad6de...4b.dll

windows7_x64

10

2f9edad6de...4b.dll

windows10_x64

10

Analysis

  • max time kernel
    93s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f9edad6de6ec7faada56c72b8ef3cb44d32163502e7e4d4b8213bb58005c04b.dll

  • Size

    898KB

  • MD5

    60e1e4c0109783cc4ead8797b9c82c62

  • SHA1

    7d311a616b3f2a8db54e740286a71a5a97df88f6

  • SHA256

    2f9edad6de6ec7faada56c72b8ef3cb44d32163502e7e4d4b8213bb58005c04b

  • SHA512

    f16aaaa6cacfdab65719cbbd54cd1c9ff0a6da79fd8a1e7802ccd9fb2f1b77f57316ae9dd79c46f7babb99643635e78ace4d891fb5c661991c65c8019b7816b8

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f9edad6de6ec7faada56c72b8ef3cb44d32163502e7e4d4b8213bb58005c04b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f9edad6de6ec7faada56c72b8ef3cb44d32163502e7e4d4b8213bb58005c04b.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    57010df1ded674ce061f8af29a2e6fbb

    SHA1

    83e50ef272059dc3fab93e694d5e220dc48bf0c4

    SHA256

    68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

    SHA512

    211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    bf5167fd70bd072f15244ee2cb3fbaa9

    SHA1

    0284292ff6d5945ac2af89a4ff030b599f943b07

    SHA256

    6d9310410ee09b71f07081a6107765c84600ea64662176b3ee30cd01145a652f

    SHA512

    a2b35a30e6cd3a5e6f37d4605611f6eaee5da48cf849e7712710d914f147a7aa2d4afd21686184bb6a4250f9bf2c2edbe3c04e0058c9174ab0860caf66a9ca18

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CO0EKYQ4.cookie
    MD5

    3b553b8f46577e3e4626df55e26f48a0

    SHA1

    1ab19754bccde24b14eeecd5f0d90083f9829dac

    SHA256

    349b40fe1713940a16f30398cc2213c6c22040346c382d3cb33da7e5683e2e2e

    SHA512

    ff6b9ed07cef7dc47ad3f562c7c64cd2ab24ffc9a2e73f38b043fc834ae9ccf465ea32bf172911d5ff5af22ad5c1618ded420639b316b1f683ca487ff2a2ed2a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\K1ON38J2.cookie
    MD5

    fd734d409a326986008a3c6779671dc0

    SHA1

    6a4adfadb8eef568cb0d2d6b47f769325a38dc96

    SHA256

    ea1f2fa636aafc7ee0b05a97c1380c492d1357f6ab739b4ae3382e61457af668

    SHA512

    98d7ada1af456c6e02e2041ac7a64bf60dec6cef16aeae684593a1300d0116febcfdaf271eb8b2d6c38fe4fb5649dc55be2d7143d1c8a683e75c373a28cf92ad

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/1556-124-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1556-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1556-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1900-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1900-121-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2008-114-0x0000000000000000-mapping.dmp
    Download
  • memory/2148-122-0x0000000000000000-mapping.dmp
    Download
  • memory/2148-123-0x00007FF8438E0000-0x00007FF84394B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2976-128-0x0000000000000000-mapping.dmp
    Download