Overview

overview

10

Static

static

ae0b8d2002...63.dll

windows7_x64

10

ae0b8d2002...63.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae0b8d2002bbca55a482f67b85d170cf7c3c5546374929ccd43c384682975363.dll

  • Size

    393KB

  • MD5

    4485f23735f3057e24da267cc72fea88

  • SHA1

    2a626cb5d23a80187febab6a10b7d6c17677d62a

  • SHA256

    ae0b8d2002bbca55a482f67b85d170cf7c3c5546374929ccd43c384682975363

  • SHA512

    191000f7ee2b4de64c4ff075d9307b0bcd474b6cc3b50e0d6c907d1f6ebec2dbb97e25fa34c965d73e5d399115bdc1347b6a27fe9a20dddc38919693a569ded5

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae0b8d2002bbca55a482f67b85d170cf7c3c5546374929ccd43c384682975363.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae0b8d2002bbca55a482f67b85d170cf7c3c5546374929ccd43c384682975363.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4328
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4328 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 648
        3⤵
        • Program crash
        PID:3104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 540 -ip 540
    1⤵
      PID:1568

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      dc2534ae51bacd2b58aafd4dc7760ede

      SHA1

      9d7b667e5691637f454576525af4ec0a90c86815

      SHA256

      dd4cecb59bfdcd77b2a8f783e744a92f35f55464b28770a9ae4b1c7d88bfae03

      SHA512

      832d8f7e1a0e0400bc6774faca45aa1931994e343e4d3e5adb82f8448a59b3c301bee8238c911039d55624d4e5cea1bc99fd08dd80a87d4dbd574a0bb07ab08c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      fc2630ab44aaf2a25ff9a9477f915d8d

      SHA1

      77f371476dc3689ac13c91b76c4e593ccd3b7136

      SHA256

      debcb88a6f3ef0e2b0f74112f46aa398bc20bc3a60400b300b1a474c876b072e

      SHA512

      7cf9751d08cf713de673e83f49b1bc0f5ba10ebb5a94cccbb85e10d540474fe646c00ca8a4f33bd889ae4a01c93f8d2322a48ecfcc148a21d7444ce91ba16b48

      Download Submit
    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • memory/540-136-0x0000000010000000-0x0000000010069000-memory.dmp
      Filesize

      420KB

      Download
    • memory/540-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3896-137-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3896-138-0x0000000000580000-0x000000000058F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/3896-131-0x0000000000000000-mapping.dmp
      Download
    • memory/4636-139-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4636-141-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4636-134-0x0000000000000000-mapping.dmp
      Download