Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 00:03

General

  • Target

    b50c7c5497f14f981be644ef82928255a7789fd5ce578cb3e410ec980e62ccca.dll

  • Size

    400KB

  • MD5

    7fd8a4f47cbaa168e2657c34133ea6c3

  • SHA1

    48cfbaf56fc25b47436d2639d2f44ad346684259

  • SHA256

    b50c7c5497f14f981be644ef82928255a7789fd5ce578cb3e410ec980e62ccca

  • SHA512

    ddfffdf47bacfe2d1cdee77694a5522c760d423f23a70a320413a67a8baad0ee5dd582e6a6c78298625cc3d77cd9c666e3489c7343f25e2f6e658698e382000d

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b50c7c5497f14f981be644ef82928255a7789fd5ce578cb3e410ec980e62ccca.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b50c7c5497f14f981be644ef82928255a7789fd5ce578cb3e410ec980e62ccca.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 624
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry, 1 TTPs (T1112)

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    57010df1ded674ce061f8af29a2e6fbb

    SHA1

    83e50ef272059dc3fab93e694d5e220dc48bf0c4

    SHA256

    68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

    SHA512

    211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    5cdf77fccb70ad59cdff029d0b87faa5

    SHA1

    748758a5cfdffdbfffb3ba4745cb74b9045dbdff

    SHA256

    79c0ea0d6ec674004a1e7984c019a957d1752f58a8aae7324a17122301642468

    SHA512

    9de26d3aff319612c5f9195f99e822effb185b416de4c3eb72a942ca6dc68781d697396613fd586694ea01480b38242982b59e5d144f4a18a665fb692432b7b3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4R9Y1C5N.cookie
    MD5

    712c96134bbc2826e9b23ef13fc78dd0

    SHA1

    76783fd682bf9329c687551cb54363d3407a2f87

    SHA256

    ba549f0ebd08f873e6a5445e9f5b05bae72ea6dd8b5a33023bcc3ad0d842daea

    SHA512

    44ecf9d83013af940df8a00f02eb0885504005d4285f9e396e9cb2850995b414f89e4685b2e5b7600bb440f1a30a31a44c237b305eacf3af5b6f23cbc5bca8aa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\69KR9U7B.cookie
    MD5

    bb2fa5242b7ae15aac14c3bd79dc8096

    SHA1

    35ce1d72cde03191b360d148a47c0cc418585e49

    SHA256

    9b176c22aef1860ec156614ce1cefa6ba2ba61c232f66364765bc9550ed42c18

    SHA512

    ff4c2e8d5270d289f8c9cd56316aebe902373270b4565c3dea37574d1c57423c79f70a533a504f4f8cb68cfd09476fcd48583311b88764b12addbd03a890e58b

  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/1084-124-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

  • memory/1084-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/1084-115-0x0000000000000000-mapping.dmp
  • memory/1288-118-0x0000000000000000-mapping.dmp
  • memory/1288-121-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

  • memory/1732-122-0x0000000000000000-mapping.dmp
  • memory/1732-123-0x00007FF86BB00000-0x00007FF86BB6B000-memory.dmp
    Filesize

    428KB

  • memory/2828-128-0x0000000000000000-mapping.dmp
  • memory/3172-114-0x0000000000000000-mapping.dmp