Analysis

  • max time kernel
    92s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 03:52

General

  • Target

    c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll

  • Size

    303KB

  • MD5

    d2549fffa3b22d2e481a0947996f7f0b

  • SHA1

    bc6d945740b1e0488122f18751e0655635ed7e58

  • SHA256

    c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767

  • SHA512

    7cc079904f1615ddd52338a673259ae4564ac817ec0f598ce8aed56049d625851b18024850fd24184fb8291d46242d5c2b30ea07080dd0e5e5eba6f572e73bce

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll,#1
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (1) T1082


Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    55205f68311ba681b087489576566937

    SHA1

    6365b0130e0cab1958461376ea7058b69a89740f

    SHA256

    e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

    SHA512

    06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    c29567d1b33de341e048b6743144eb14

    SHA1

    537a29851c7251f95001bfb03645efb442602540

    SHA256

    ba3882419ce6bfe9447b5f0a251b18671e797a5165912d4e02c745425ee023dd

    SHA512

    63d57b5f87cb9e786cc9568e73263838f9c4c61d5888d8b7e8a21ea87484d125761d464ed44c28bb4fcb848491a7629a080809137aaa0e12750b2612879abcb1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WAY7F3FZ.cookie
    MD5

    c43e6a4d211f1cbdd243cfc419245d0a

    SHA1

    6c9b9c1eaade2c65a46295b0833b97c0c5c20678

    SHA256

    44de49a4e50ea408fc74cea8695bec768a57219800545fbdf87daca55d352622

    SHA512

    643641f211f3017ab2beb68b72f94db14739ac8677f6621463645402aa03cdaa2ce631cc8be489a4295dfd67a8c2afe840f582d54e2744cb8331e50324e380cf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZD5W76EM.cookie
    MD5

    c3e75e4d42672f40efc22f5e8a3bc70c

    SHA1

    00880a3a01844ebbaba12afa0fa9cca14d74a4fc

    SHA256

    1040fe144379291e9175af769576695eb8e2caaed01bef91764861563c40203c

    SHA512

    2f56136e5d91a4e9fa02849553ffc27fc0eebf4e8478701a1db9eeab78655708acda202e5115105a16a2fcef716087ecb85679ea5d35c81acf05077c2ed46ebf

  • C:\Windows\SysWOW64\rundll32Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/1732-125-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

  • memory/1732-115-0x0000000000000000-mapping.dmp
  • memory/1732-126-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/2044-118-0x0000000000000000-mapping.dmp
  • memory/2044-121-0x0000000000540000-0x0000000000541000-memory.dmp
    Filesize

    4KB

  • memory/2168-123-0x00007FFA588F0000-0x00007FFA5895B000-memory.dmp
    Filesize

    428KB

  • memory/2168-122-0x0000000000000000-mapping.dmp
  • memory/2572-124-0x0000000000000000-mapping.dmp
  • memory/3204-114-0x0000000000000000-mapping.dmp