Analysis

  • max time kernel
    174s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-06-2022 07:18

General

  • Target

    2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll

  • Size

    191KB

  • MD5

    d65954ecfc969928cdfd32f883d25751

  • SHA1

    a943447d15357773a4ad35d37bb1d4ad04cab1b4

  • SHA256

    2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b

  • SHA512

    277d287bb69e2052204eee00474ae645d036b7de49e12a2a1b49e16fb1896977b662f3fd0ab723274c2846e9f28e51e6bbda5691f87f797347fa13115f3e11e0

Malware Config

Extracted

Family

ramnit

Botnet

C2

google.com:443

Attributes
  • campaign_timestamp

    1.537806959e+09

  • compile_timestamp

    1.537806137e+09

  • dga_seed

    2.53879977e+09

  • listen_port

    0

  • num_dga_domains

    100

xor.base64
rc4.plain
rsa_pubkey.base64

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb52465f0bb9e6b47743d99d6c9ef71b6623bd73af95381c12e268d30630a4b.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2508-130-0x0000000000000000-mapping.dmp
  • memory/2896-131-0x0000000000000000-mapping.dmp
  • memory/2896-132-0x0000000000CB0000-0x0000000000CB0318-memory.dmp
    Filesize

    792B

  • memory/2896-133-0x0000000000C70000-0x0000000000CAF000-memory.dmp
    Filesize

    252KB