Analysis

  • max time kernel
    115s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 17:41

General

  • Target

    范伟打天下招财宝辅助/dm.dll

  • Size

    860KB

  • MD5

    0124de17de85c71d43e062b5c36501a4

  • SHA1

    fae128fd4743ce22b008acaf4ca0da0bc34182bd

  • SHA256

    94811d833c7af1de6247ef7de86518ddb74b944f597d62a76b2d73dba7e37d10

  • SHA512

    6e7f6605c202bb865f7c095d1e8f3db84cef78fcc9bf69ad994c83545a92c96f870aea432b19b0a979d08274696fc90168036d83e532fc42d7ebf08e6c3dfdc3

Malware Config

Signatures

  • Ramnit

Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 23 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\范伟打天下招财宝辅助\dm.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\范伟打天下招财宝辅助\dm.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1200
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:612
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
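
The process tree above is the part of the report a detection engineer reuses: a silent regsvr32 registration of a DLL from the user's Temp directory, a hand-off to a non-Windows binary named regsvr32Srv.exe under SysWOW64, and a second dropped executable under Program Files (x86)\Microsoft. The script below is an added example and not part of the sandbox report or of any vendor tooling. It checks a blob against the digests from the General section and applies those three observations as rules over process-creation records. The record layout (pid, ppid, image, command_line) and the sample records are constructed for this example in the style of Sysmon Event ID 1; the parent PID 1000 is an assumption standing in for the launching shell, which the report does not show.

```python
"""Added example, not part of the sandbox report: a small triage helper that
checks a file's digest against the hashes in the General section and scans
process-creation records for the regsvr32 -> regsvr32Srv.exe -> DesktopLayer.exe
chain seen in the Processes section.  The record layout and the sample records
below are constructed for this example (Sysmon Event ID 1-like fields); they are
not output from the report."""
import hashlib
from pathlib import PureWindowsPath

# Digests copied from the report's General section.
REPORT_HASHES = {
    "md5": "0124de17de85c71d43e062b5c36501a4",
    "sha1": "fae128fd4743ce22b008acaf4ca0da0bc34182bd",
    "sha256": "94811d833c7af1de6247ef7de86518ddb74b944f597d62a76b2d73dba7e37d10",
}

# Dropped executables listed in the report's Downloads section, lower-cased
# because Windows paths compare case-insensitively.
DROPPED_PATHS = {
    r"c:\windows\syswow64\regsvr32srv.exe",
    r"c:\program files (x86)\microsoft\desktoplayer.exe",
}


def matching_report_hashes(data: bytes) -> set:
    """Return the names of the report digests that the given bytes match."""
    return {
        algo for algo, digest in REPORT_HASHES.items()
        if hashlib.new(algo, data).hexdigest() == digest
    }


def suspicious_events(events):
    """Return (pid, reason) pairs for records that match the sandbox behaviour.

    Each record is a dict with keys pid, ppid, image, command_line.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = PureWindowsPath(e["image"])
        name = image.name.lower()
        full_path = str(image).lower()
        cmd = e["command_line"].lower()
        parent = by_pid.get(e["ppid"])
        parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else ""

        # Rule 1: silent registration (/s) of a DLL sitting in the user's Temp
        # directory, as in the first two regsvr32 records of the report.
        if name == "regsvr32.exe" and "/s" in cmd.split() and "\\appdata\\local\\temp\\" in cmd:
            findings.append((e["pid"], "regsvr32 /s on a DLL under AppData\\Local\\Temp"))

        # Rule 2: execution of a path the report lists as a dropped file.
        if full_path in DROPPED_PATHS:
            findings.append((e["pid"], f"execution of dropped file {image.name}"))

        # Rule 3: regsvr32Srv.exe is not a Windows binary; regsvr32.exe
        # spawning it is the hand-off seen at depth 3 of the process tree.
        if name == "regsvr32srv.exe" and parent_name == "regsvr32.exe":
            findings.append((e["pid"], "regsvr32.exe spawned regsvr32Srv.exe"))
    return findings


# Constructed records mirroring the report's process tree (PIDs from the
# report; ppid 1000 is an assumed stand-in for the launching shell).
SAMPLE_EVENTS = [
    {"pid": 1660, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "command_line": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\范伟打天下招财宝辅助\dm.dll"},
    {"pid": 2036, "ppid": 1660, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r"/s C:\Users\Admin\AppData\Local\Temp\范伟打天下招财宝辅助\dm.dll"},
    {"pid": 1200, "ppid": 2036, "image": r"C:\Windows\SysWOW64\regsvr32Srv.exe",
     "command_line": r"C:\Windows\SysWOW64\regsvr32Srv.exe"},
    {"pid": 2024, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "command_line": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"},
    # Benign control: a normal silent registration of a System32 DLL.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "command_line": r"regsvr32 /s C:\Windows\System32\jscript.dll"},
]

if __name__ == "__main__":
    for pid, reason in suspicious_events(SAMPLE_EVENTS):
        print(pid, reason)
```

Rule 1 on its own is noisy in environments where installers register DLLs from Temp, so in production it is best paired with Rule 2 or Rule 3 rather than alerted on alone; the benign control record shows that a silent registration from System32 is not flagged.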

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion: Modify Registry (T1112), 1 technique

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WZPCPCKO.txt
  • C:\Windows\SysWOW64\regsvr32Srv.exe
  • C:\Windows\SysWOW64\regsvr32Srv.exe
  • \Program Files (x86)\Microsoft\DesktopLayer.exe
  • \Windows\SysWOW64\regsvr32Srv.exe
  • memory/1200-65-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/1200-58-0x0000000000000000-mapping.dmp
  • memory/1660-54-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp (Filesize: 8KB)
  • memory/2024-63-0x0000000000000000-mapping.dmp
  • memory/2024-68-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/2036-56-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
  • memory/2036-55-0x0000000000000000-mapping.dmp