Analysis

  • max time kernel
    120s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 03:41

General

  • Target

    2311cb678943fec4fc9c32e56131a8ef3efdacec75f7d06b4e38bab904ab4b7e.dll

  • Size

    348KB

  • MD5

    4493bece2dd411fc8767699130c0120a

  • SHA1

    654685701ebc17a606ed23ec3321cbf8c058c62e

  • SHA256

    2311cb678943fec4fc9c32e56131a8ef3efdacec75f7d06b4e38bab904ab4b7e

  • SHA512

    d41a23ce035bbb731178288715c34ca85837fde2b3b4f4a324f6813e1ce5c59fd8f6e14af5dd65bbf487f72fa1687c1d46d2e32686b22c454ff9f298d0a1fed4

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans. In this run the DLL drops rundll32Srv.exe and DesktopLayer.exe (both carry the same SHA256) and launches Internet Explorer, whose settings it modifies.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2311cb678943fec4fc9c32e56131a8ef3efdacec75f7d06b4e38bab904ab4b7e.dll,#1
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\SysWOW64\rundll32Srv.exe
      C:\Windows\SysWOW64\rundll32Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1964
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2311cb678943fec4fc9c32e56131a8ef3efdacec75f7d06b4e38bab904ab4b7e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3172

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 TTP

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    55205f68311ba681b087489576566937

    SHA1

    6365b0130e0cab1958461376ea7058b69a89740f

    SHA256

    e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

    SHA512

    06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    79893d6cc678ec1cd4f2177f62ee0b4e

    SHA1

    5cd5c2a4ff9cb96569a5ef9832eb2a2c832605d9

    SHA256

    791b40ec81ed35ade2619fc39b8fb48547b5eff86febbe4d9c98e8e5e8aab3f8

    SHA512

    0a00bbe0cc1f7a80985785e65e2fc63865476ed30a98ce90afff60da0a731f4712ecb2189f34855766ba170d204b9c6089926e603f36002673793eada7efe6d3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0LJWDOKE.cookie
    MD5

    5c9efd3ecdc88b90b2676030c302bfa9

    SHA1

    a0695b35fcfc541b486ce403ad63bef4d1d7d72e

    SHA256

    48967247169116fa59e428e06ac525051549079798565cbc8aa72fcfcfd28a78

    SHA512

    f9594bf656e76c7e23ad283abe6a40bc18132edf74dcb2770ea5f4bfe614dd596eca8e48f34bbcd6685774c4b3cb1b5ea493f2504b46564f6fadcb390fd864c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VXJ0GDBH.cookie
    MD5

    75d89833a2d718c67b3a7013cc320321

    SHA1

    21dbc5b135167ad26ad93dd5f5530e725e845194

    SHA256

    55f7fe654b46fd8ba624fe3217c134d98f8e8b5cb4251301d8fcd4c91a63e2b0

    SHA512

    2f5b7eb5a82b8d260adad7f80c4452f80ae2e42b36f1a458c627dfa196648dd6701f1cb429400b7a8075680ae97211f1f14f9aba19c6dae393f6d0eada5f3d83

  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/592-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/592-119-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

  • memory/592-115-0x0000000000000000-mapping.dmp
  • memory/868-124-0x0000000000000000-mapping.dmp
  • memory/868-127-0x00007FF900F20000-0x00007FF900F8B000-memory.dmp
    Filesize

    428KB

  • memory/1964-128-0x0000000000000000-mapping.dmp
  • memory/3164-114-0x0000000000000000-mapping.dmp
  • memory/3996-122-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

  • memory/3996-118-0x0000000000000000-mapping.dmp
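Putting the indicators above to use, here is an added hunting script (not part of the sandbox report or of the Ramnit sample) that checks Sysmon-style process-creation records for the rundll32.exe -> rundll32Srv.exe -> DesktopLayer.exe -> iexplore.exe chain shown under Processes, and checks launch paths and SHA256 values against the dropped files listed under Downloads. The hashes, paths and image names are copied from the report; the ProcEvent records, the parent PID 1000 assumed for the two rundll32.exe roots, and the benign explorer.exe row are constructed for the demonstration.

```python
"""Hunt for the Ramnit dropper chain and dropped files recorded in the report.

Added example, not part of the sandbox report. Indicator values (hashes,
paths, image names) are copied from the report; the events are constructed.
"""
import hashlib
from dataclasses import dataclass

# SHA256 values from the report's General and Downloads sections.
KNOWN_BAD_SHA256 = {
    "2311cb678943fec4fc9c32e56131a8ef3efdacec75f7d06b4e38bab904ab4b7e":
        "Ramnit dropper DLL (submitted sample)",
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320":
        "Ramnit payload (rundll32Srv.exe and DesktopLayer.exe share this hash)",
}

# Paths the DLL wrote to, lower-cased for case-insensitive matching.
DROPPED_PATHS = {
    r"c:\windows\syswow64\rundll32srv.exe",
    r"c:\program files (x86)\microsoft\desktoplayer.exe",
}

# Parent-to-child image names exactly as the report's process tree shows them.
CHAIN = ["rundll32.exe", "rundll32srv.exe", "desktoplayer.exe", "iexplore.exe"]


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    ppid: int
    image: str


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to `pid`. Stops at
    unknown or already visited PIDs so PID reuse or missing parents cannot
    loop forever."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


def chain_hits(events, chain=CHAIN):
    """PIDs whose ancestry contains `chain` as a contiguous run.
    Pass CHAIN[:2] to alert on the first stage alone (rundll32.exe launching
    a dropped rundll32Srv.exe), which is already a strong signal."""
    hits = []
    for e in events:
        names = ancestry(events, e.pid)
        if any(names[i:i + len(chain)] == chain
               for i in range(len(names) - len(chain) + 1)):
            hits.append(e.pid)
    return hits


def dropped_path_hits(events):
    """Images launched from the exact paths the sample dropped to."""
    return sorted({e.image for e in events if e.image.lower() in DROPPED_PATHS})


def hash_hits(file_hashes):
    """file_hashes maps path -> SHA256 hex as an EDR or inventory reports it.
    Returns (path, label) for every known-bad digest, case-insensitively."""
    return [(path, KNOWN_BAD_SHA256[h.lower()])
            for path, h in file_hashes.items() if h.lower() in KNOWN_BAD_SHA256]


def sha256_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks, for feeding hash_hits() from a live host."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


# Constructed telemetry mirroring the report's process tree. PIDs are the
# reported ones; the parent PID 1000 for the two roots and the explorer.exe
# row are invented to give the detectors something benign to ignore.
SAMPLE_EVENTS = [
    ProcEvent(3164, 1000, r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(592, 3164, r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    ProcEvent(3996, 592, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"),
    ProcEvent(868, 3996, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(1964, 868, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    ProcEvent(3172, 1000, r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(4100, 1000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print("full chain:", chain_hits(SAMPLE_EVENTS))
    print("first stage:", chain_hits(SAMPLE_EVENTS, CHAIN[:2]))
    print("dropped paths:", dropped_path_hits(SAMPLE_EVENTS))
```

The path and hash checks are the brittle part: a rebuilt sample changes the SHA256 and a variant may pick another drop name, whereas the parent-child chain (rundll32.exe spawning an executable it just wrote to SysWOW64, which in turn launches a binary from Program Files (x86)\Microsoft and then Internet Explorer) survives those changes, which is why the script lets you alert on the first two stages alone.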