Analysis

  • max time kernel
    132s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 05:48

General

  • Target

    c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll

  • Size

    303KB

  • MD5

    07893c856a2df7acd180f570ee546c15

  • SHA1

    212df564993b9890ceca5a2598d5cee0d29ac347

  • SHA256

    c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28

  • SHA512

    209388795aea439d47b018763dd64ab28ab9b38fc14da9c7763332a5b8bcf3ffa67de700f7e62c994bcb716ebf1869321c98743f5e5db0432befdb13aed0ed9b

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived malware family that combines file-infecting virus, worm and Trojan components.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information in the registry is often read to fingerprint the host and detect sandbox or virtualised environments.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll,#1
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:500
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3568
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3696
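The process tree above is the whole story of this sample: a 64-bit rundll32.exe hands the DLL to its 32-bit SysWOW64 copy, which writes and runs rundll32Srv.exe, which in turn drops DesktopLayer.exe under Program Files (x86)\Microsoft and finally launches Internet Explorer. The following Python is an added detection example, not part of the report, showing how process-creation telemetry (Sysmon event 1 style records) can be checked for that chain. The events are constructed from the PIDs and images in the tree; the parent PID 1000 of the first rundll32.exe and the benign control event (PID 4100) are assumptions and do not appear in the report.

```python
"""Detect the rundll32.exe -> rundll32Srv.exe -> DesktopLayer.exe -> iexplore.exe
chain from the report in process-creation telemetry (added example)."""
import ntpath
from dataclasses import dataclass

# Dropped binaries named in the report (compared case-insensitively).
DROPPED_PAYLOADS = {
    r"c:\windows\syswow64\rundll32srv.exe",
    r"c:\program files (x86)\microsoft\desktoplayer.exe",
}
# Basename sequence, parent to child, as shown in the process tree.
RAMNIT_CHAIN = ("rundll32.exe", "rundll32srv.exe", "desktoplayer.exe", "iexplore.exe")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll"

# Constructed events reproducing the PIDs and images from the report.  The
# parent PID 1000 and the benign control (PID 4100) are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(2680, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(500, 2680, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3940, 500, r"C:\Windows\SysWOW64\rundll32Srv.exe", r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    ProcEvent(3568, 3940, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    ProcEvent(1448, 3568, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(3696, 1448, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:82945 /prefetch:2'),
    # Benign control: IE started directly by the (assumed) shell must not alert.
    ProcEvent(4100, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]


def _base(path):
    return ntpath.basename(path).lower()


def lineage(events, pid):
    """Image paths from the oldest known ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def _has_run(seq, run):
    """True if `run` occurs as a contiguous sub-sequence of `seq`."""
    n = len(run)
    return any(tuple(seq[i:i + n]) == run for i in range(len(seq) - n + 1))


def detect(events):
    """Return (pid, reason) alerts; each rule fires at most once per process."""
    alerts = []
    by_pid = {e.pid: e for e in events}
    for e in events:
        # Rule 1: one of the dropped payload paths from the report was executed.
        if e.image.lower() in DROPPED_PAYLOADS:
            alerts.append((e.pid, f"dropped payload executed: {e.image}"))
        # Rule 2: rundll32.exe spawning a binary named like itself is the dropper stage.
        parent = by_pid.get(e.ppid)
        if parent and _base(parent.image) == "rundll32.exe" and _base(e.image) == "rundll32srv.exe":
            alerts.append((e.pid, "rundll32.exe spawned rundll32Srv.exe"))
        # Rule 3: Internet Explorer whose ancestry contains the full chain.
        bases = [_base(p) for p in lineage(events, e.pid)]
        if _base(e.image) == "iexplore.exe" and _has_run(bases, RAMNIT_CHAIN):
            alerts.append((e.pid, "iexplore.exe launched via the rundll32Srv/DesktopLayer chain"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Rule 3 walks the parent chain rather than checking a single parent, so the second IEXPLORE.EXE (the content process spawned with SCODEF/CREDAT) is caught as well, while a browser started by the shell with no such ancestry stays silent.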

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    55205f68311ba681b087489576566937

    SHA1

    6365b0130e0cab1958461376ea7058b69a89740f

    SHA256

    e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

    SHA512

    06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    eead734551acac08876abf162ab2d206

    SHA1

    b35e522bd882b48c9856dda82a2d27224c49331e

    SHA256

    4ed9983f3d7496208737f7d0a7ff276bc271c8f0f217dfe2cbe7aa598e83a8df

    SHA512

    f914fbd97484f9295a32d5aab904d05367a05f15850388e7a3c3d3303b611a3dabaf82ef57e4b5e7c70ec78f9cd150de74fe1894a2d2cc5f7af77c361c08afaa

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\700ESFZB.cookie
    MD5

    0af3a23f0405bbf5ca3f7971997af98c

    SHA1

    6898999a584dc2e4232df470d86cf571733c0296

    SHA256

    e9f0c7083011cfa962cd219646bd32a2ed87638951a530054ff85d43ef196d67

    SHA512

    4f441cdffddfa07d61f1e5237eac60345796c249db7a6b94b35c0cf56b81cae06ea3c29199a20733b209238bce58b3b5054d2a192e631c41b3019aed7971a9f7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D48IQRQY.cookie
    MD5

    b7ea5f3352d9559482cbe1aed176e2d3

    SHA1

    d61167866b802a04993ec48559f533c146cb205c

    SHA256

    6ab0454c074fda451085214999bff9e9fc13758f2980124b6efa6bed9678450d

    SHA512

    dd653c6a256237c70dc1b49fc08bf900f1285bf7e787c3d2184f798b7704cb49e8b12eb2e9507f788215e647dd9d1dbcaf131735ce02096c02e62e71dd462451

  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/500-114-0x0000000000000000-mapping.dmp
  • memory/1448-122-0x0000000000000000-mapping.dmp
  • memory/1448-123-0x00007FFD68B30000-0x00007FFD68B9B000-memory.dmp
    Filesize

    428KB

  • memory/3568-118-0x0000000000000000-mapping.dmp
  • memory/3568-121-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

  • memory/3696-124-0x0000000000000000-mapping.dmp
  • memory/3940-126-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/3940-125-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

  • memory/3940-115-0x0000000000000000-mapping.dmp
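Two things in the artifact list above are worth pulling out programmatically: rundll32Srv.exe and DesktopLayer.exe carry the same SHA256, so they are one payload written to two locations, and each memory dump name encodes the PID and the address range of the region, from which the listed Filesize follows. The Python below is an added triage example, not part of the report; the path/hash pairs and dump names are copied from the list above, and treating a region that starts at 0x400000 as the likely PE image is an assumption based on the default image base of 32-bit executables.

```python
"""Triage helpers for the artifact list: collapse dropped files by hash and
parse memory dump names into address ranges (added example)."""
import re
from collections import defaultdict

# (path, sha256) pairs copied from the report's file list.
DROPPED = [
    (r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320"),
    (r"C:\Windows\SysWOW64\rundll32Srv.exe",
     "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\700ESFZB.cookie",
     "e9f0c7083011cfa962cd219646bd32a2ed87638951a530054ff85d43ef196d67"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D48IQRQY.cookie",
     "6ab0454c074fda451085214999bff9e9fc13758f2980124b6efa6bed9678450d"),
]

# Dump names copied from the report.
MEMORY_DUMPS = [
    "memory/1448-123-0x00007FFD68B30000-0x00007FFD68B9B000-memory.dmp",
    "memory/3568-121-0x00000000001F0000-0x00000000001F1000-memory.dmp",
    "memory/3940-126-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3940-125-0x00000000001E0000-0x00000000001EF000-memory.dmp",
    "memory/3940-115-0x0000000000000000-mapping.dmp",
]

# <pid>-<index>-0x<start>-0x<end>-memory.dmp; "-mapping.dmp" entries have no range.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def group_by_hash(entries):
    """Map each SHA256 to every path it was written to."""
    groups = defaultdict(list)
    for path, digest in entries:
        groups[digest.lower()].append(path)
    return dict(groups)


def multi_path_payloads(entries):
    """Hashes that appear under more than one path: one payload, several drops."""
    return {h: paths for h, paths in group_by_hash(entries).items() if len(paths) > 1}


def parse_dump(name):
    """Return pid/start/end/size for a region dump, or None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "start": start,
            "end": end, "size": end - start, "size_kb": (end - start) // 1024}


def image_base_dumps(names, base=0x400000):
    """Dumps starting at `base`, the default 32-bit PE image base (assumption:
    such a region is the loaded, possibly unpacked, executable image)."""
    out = []
    for n in names:
        d = parse_dump(n)
        if d and d["start"] == base:
            out.append(n)
    return out


if __name__ == "__main__":
    for digest, paths in multi_path_payloads(DROPPED).items():
        print(digest, "->", paths)
    for n in MEMORY_DUMPS:
        d = parse_dump(n)
        print(n, "" if d is None else f"pid={d['pid']} size={d['size_kb']}KB")
```

The computed sizes (4KB, 60KB, 184KB and 428KB) reproduce the Filesize values listed beside each dump, which is a quick sanity check that the name format was parsed correctly; the 184KB region at 0x400000 in PID 3940 is the dropped rundll32Srv.exe image and is the dump to feed to a PE parser first.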