Analysis

  • max time kernel
    155s
  • max time network
    213s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 07:18

General

  • Target

    2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll

  • Size

    191KB

  • MD5

    d65954ecfc969928cdfd32f883d25751

  • SHA1

    a943447d15357773a4ad35d37bb1d4ad04cab1b4

  • SHA256

    2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b

  • SHA512

    277d287bb69e2052204eee00474ae645d036b7de49e12a2a1b49e16fb1896977b662f3fd0ab723274c2846e9f28e51e6bbda5691f87f797347fa13115f3e11e0

Malware Config

Extracted

Family

ramnit

Botnet

��������

C2

google.com:443

(google.com:443 is the placeholder/connectivity-check value carried in the configuration, not a controller; do not turn it into a block rule. The rendezvous points that matter are the 100 DGA domains derived from dga_seed below.)

Attributes
  • campaign_timestamp

    1537806959 (Unix epoch, 2018-09-24 16:35:59 UTC; rendered in the raw report as 1.537806959e+09)

  • compile_timestamp

    1537806137 (Unix epoch, 2018-09-24 16:22:17 UTC; rendered as 1.537806137e+09, 822 s before campaign_timestamp)

  • dga_seed

    2.53879977e+09 (float rendering of the 32-bit seed; 2538799770 if no low digits were dropped, but nine significant digits cannot represent a ten-digit integer exactly, so re-extract the seed from the sample before using it to regenerate domains)

  • listen_port

    0

  • num_dga_domains

    100

xor.base64
rc4.plain
rsa_pubkey.base64
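The extracted-config attributes above come out of the report as float renderings of integers, which silently loses the low digits of any value with more significant digits than were printed. The helper below is an added example, not part of the sandbox's own tooling: it turns each rendering back into an integer, records how many distinct integers would have printed identically, converts the epoch fields to UTC, and computes the build-to-campaign gap. The input strings are copied from the Attributes block; everything else is an assumption of this example.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Float-style rendering used by the report for large integers ("1.537806959e+09").
SCI = re.compile(r"^(\d+)(?:\.(\d+))?e\+?(\d+)$")


class ReportInt(NamedTuple):
    value: int      # the integer the rendering most likely stands for
    ambiguity: int  # how many distinct integers print identically (1 = exact)


def parse_report_int(text: str) -> ReportInt:
    """Turn a config value as printed in the report back into an integer.

    Plain integers ("0", "100") are exact. Scientific notation keeps only the
    significant digits that were printed, so a 10-digit epoch rendered with
    9 significant digits could be any of 10 consecutive integers.
    """
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        return ReportInt(int(text), 1)
    m = SCI.match(text)
    if not m:
        raise ValueError(f"not an integer rendering: {text!r}")
    lead, frac, exp = m.group(1), m.group(2) or "", int(m.group(3))
    digits = lead + frac
    total_digits = len(lead) + exp           # digits left of the point once expanded
    if len(digits) > total_digits:
        raise ValueError(f"fractional value, not an integer: {text!r}")
    pad = total_digits - len(digits)         # trailing digits the rendering dropped
    return ReportInt(int(digits) * 10 ** pad, 10 ** pad)


def epoch_to_utc(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_config(attributes: dict) -> dict:
    """Normalise the Attributes block: epochs gain an ISO timestamp, every value keeps
    its ambiguity count so a rounded DGA seed is never fed to a domain generator."""
    out = {}
    for key, raw in attributes.items():
        parsed = parse_report_int(raw)
        entry = {"value": parsed.value, "ambiguity": parsed.ambiguity}
        if key.endswith("_timestamp"):
            entry["utc"] = epoch_to_utc(parsed.value)
        out[key] = entry
    out["build_to_campaign_seconds"] = (
        out["campaign_timestamp"]["value"] - out["compile_timestamp"]["value"]
    )
    return out


# Strings copied verbatim from the report's Attributes block.
REPORT_ATTRIBUTES = {
    "campaign_timestamp": "1.537806959e+09",
    "compile_timestamp": "1.537806137e+09",
    "dga_seed": "2.53879977e+09",
    "listen_port": "0",
    "num_dga_domains": "100",
}

if __name__ == "__main__":
    for key, entry in normalize_config(REPORT_ATTRIBUTES).items():
        print(key, entry)
```

The ambiguity count is the practical output: both timestamps resolve exactly, while dga_seed resolves to ten candidate seeds, which is why the seed has to be taken from the sample itself before any domain list is generated.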

Signatures

  • Ramnit

    Ramnit is a long-running family that has shipped as a file infector (virus), a worm spreading over removable media, and a modular banking Trojan; current builds inject into browsers and other processes, steal credentials, and locate C2 through a domain generation algorithm seeded by the configuration above.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
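The tree reads as one chain: the 64-bit rundll32 in system32 re-launches its SysWOW64 twin to host the 32-bit DLL (expected, not injection), and that 32-bit instance then shows SetThreadContext, MapViewOfSection and WriteProcessMemory before starting ImagingDevices.exe with a bare command line, which is the pattern of process hollowing into a Microsoft-signed host. The detector below is an added example, not the sandbox's signature logic: it walks parent/child edges, separates the WoW64 hand-off from a hollowing candidate, and uses PIDs, images and behaviour labels copied from the report plus a constructed explorer/notepad pair as a benign control. The behaviour names, the "bare command line" rule and the control processes are assumptions of this example.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    behaviors: FrozenSet[str]   # sandbox "Suspicious use of ..." labels, reduced to the API name


DLL = r"C:\Users\Admin\AppData\Local\Temp\2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll"

# Constructed from the process tree in the report; explorer/notepad is an added control.
SAMPLE_TREE = [
    ProcEvent(1928, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1",
              frozenset({"WriteProcessMemory"})),
    ProcEvent(1940, 1928, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1",
              frozenset({"SetThreadContext", "MapViewOfSection",
                         "AdjustPrivilegeToken", "WriteProcessMemory"})),
    ProcEvent(1320, 1940, r"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe",
              r'"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"',
              frozenset({"EnumeratesProcesses", "AdjustPrivilegeToken"})),
    ProcEvent(800, 600, r"C:\Windows\explorer.exe", "explorer.exe", frozenset()),
    ProcEvent(2200, 800, r"C:\Windows\system32\notepad.exe",
              r"notepad.exe C:\Users\Admin\notes.txt", frozenset()),
]

# Writing into a child and then resetting its thread context is the classic
# hollowing finish: suspended child, payload written, entry point redirected.
HOLLOWING_BEHAVIORS = frozenset({"SetThreadContext", "WriteProcessMemory"})


def same_binary(a: ProcEvent, b: ProcEvent) -> bool:
    return ntpath.basename(a.image).lower() == ntpath.basename(b.image).lower()


def is_wow64_reexec(parent: ProcEvent, child: ProcEvent) -> bool:
    """64-bit rundll32 re-launching its SysWOW64 twin to host a 32-bit DLL."""
    return (same_binary(parent, child)
            and "\\system32\\" in parent.image.lower()
            and "\\syswow64\\" in child.image.lower())


def launched_bare(child: ProcEvent) -> bool:
    """Hollowed hosts are typically created with only their own path, no arguments."""
    return child.cmdline.strip().strip('"').lower() == child.image.lower()


def classify_edge(parent: ProcEvent, child: ProcEvent) -> Optional[str]:
    if is_wow64_reexec(parent, child):
        return "wow64-reexec"
    if (HOLLOWING_BEHAVIORS <= parent.behaviors
            and not same_binary(parent, child)      # a different host image is the tell
            and launched_bare(child)):
        return "hollowing"
    return None


def classify_tree(events: List[ProcEvent]) -> Dict[Tuple[int, int], str]:
    """Label every parent->child edge that matches a known pattern."""
    by_pid = {e.pid: e for e in events}
    labels = {}
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        label = classify_edge(parent, child)
        if label:
            labels[(parent.pid, child.pid)] = label
    return labels


if __name__ == "__main__":
    for (ppid, pid), label in classify_tree(SAMPLE_TREE).items():
        print(f"{label}: {ppid} -> {pid}")
```

The WoW64 edge is labelled separately on purpose: rundll32 spawning rundll32 with WriteProcessMemory alone is normal for a 32-bit DLL on x64 and would drown a naive "rundll32 writes into a child" rule in noise.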

Downloads

  • memory/1320-56-0x0000000000000000-mapping.dmp
  • memory/1320-58-0x0000000000160000-0x0000000000160318-memory.dmp
    Filesize

    792B

  • memory/1320-59-0x0000000000120000-0x000000000015F000-memory.dmp
    Filesize

    252KB

  • memory/1940-54-0x0000000000000000-mapping.dmp
  • memory/1940-55-0x0000000075941000-0x0000000075943000-memory.dmp
    Filesize

    8KB
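Each dump name above encodes the owning PID, a sequence number and the dumped address range (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), with mapping.dmp entries carrying layout only. The helper below is an added example, not part of the sandbox's tooling: it parses those names, checks the reported Filesize against the address range, and ranks the content dumps so the largest low-address region is pulled first. For this report that is the 252KB region at 0x120000 in ImagingDevices.exe (PID 1320), which sits below the shared-DLL area and is close to the 191KB DLL's size, so it is the first candidate for the injected payload; the 0x70000000 cut-off is an ordering heuristic assumed by this example, not a fact from the report.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Dump names follow memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Assumed split for a 32-bit process: heaps, stacks and injected sections below,
# shared system DLLs above. Used only to order dumps, not as a hard rule.
LOW_PRIVATE_LIMIT = 0x70000000


class DumpRegion(NamedTuple):
    pid: int
    seq: int
    kind: str            # "memory" = region contents, "mapping" = layout only
    start: int
    end: Optional[int]
    size: Optional[int]


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    size = end - start if end is not None else None
    return DumpRegion(int(m["pid"]), int(m["seq"]), m["kind"], start, end, size)


def size_matches(region: DumpRegion, reported: str) -> bool:
    """Compare the report's rounded Filesize (e.g. '252KB') with the address range."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", reported.strip())
    if not m or region.size is None:
        return False
    return region.size // UNITS[m[2]] == int(m[1])


# Entries copied from the Downloads list above; mapping dumps report no size.
REPORT_DUMPS = [
    ("memory/1320-56-0x0000000000000000-mapping.dmp", None),
    ("memory/1320-58-0x0000000000160000-0x0000000000160318-memory.dmp", "792B"),
    ("memory/1320-59-0x0000000000120000-0x000000000015F000-memory.dmp", "252KB"),
    ("memory/1940-54-0x0000000000000000-mapping.dmp", None),
    ("memory/1940-55-0x0000000075941000-0x0000000075943000-memory.dmp", "8KB"),
]


def triage(dumps) -> Tuple[List[Tuple[DumpRegion, Optional[bool]]], List[DumpRegion]]:
    """Parse each entry, verify its size, and rank content dumps with the largest
    low-address region first: that is the one to carve for the unpacked payload."""
    rows = []
    for name, reported in dumps:
        region = parse_dump_name(name)
        rows.append((region, None if reported is None else size_matches(region, reported)))
    ranked = [r for r, _ in rows if r.kind == "memory"]
    ranked.sort(key=lambda r: (r.start >= LOW_PRIVATE_LIMIT, -r.size))
    return rows, ranked


if __name__ == "__main__":
    rows, ranked = triage(REPORT_DUMPS)
    for region, ok in rows:
        print(region.pid, region.seq, region.kind, hex(region.start), region.size, ok)
    print("pull first:", ranked[0])
```

The size check is deliberately integer-division based because the report rounds to whole units; 0x15F000 - 0x120000 is exactly 258048 bytes, which is 252KB, while the 8KB region in PID 1940 at 0x75941000 lies in the shared-DLL range and is the least interesting of the three.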