Overview

overview

10

Static

static

4468df5ce6...40.dll

windows7-x64

10

4468df5ce6...40.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2022, 20:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4468df5ce667100d39e6c5af5e360de1e8e3b701256d97a8d7348631da66de40.dll

  • Size

    120KB

  • MD5

    0c9b095d0b071ed2e4bf638e5e328b40

  • SHA1

    80c6597024c71b975adc6c5e4b6068c00206022f

  • SHA256

    4468df5ce667100d39e6c5af5e360de1e8e3b701256d97a8d7348631da66de40

  • SHA512

    bf8536e33be4d9f37b7e71440f9a7b0398585d09dbb21c67518e534427474e9abd3aaf6b10ba715b913f83c73b618a80eeffbbc7e3be532dbe6b21f49b1014df

  • SSDEEP

    1536:C8jP1X9rgysEk/PQ85epgHHbxgykGHuBrW5Q6Z5794FqnicCykLeeaxWH:ZjdtCQ858gnOf/blEi/R/QW

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 14 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    PID:1724
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
      2⤵
        PID:876
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2032
    • C:\Windows\SysWOW64\rundll32Srv.exe
      C:\Windows\SysWOW64\rundll32Srv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4468df5ce667100d39e6c5af5e360de1e8e3b701256d97a8d7348631da66de40.dll,#1
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1748
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4468df5ce667100d39e6c5af5e360de1e8e3b701256d97a8d7348631da66de40.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1244

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            Filesize

            50KB

            MD5

            f4a9d36a6be7999e659c51e98fdcce9c

            SHA1

            9fd6cd011ab7960aa79f1c522f436ee45339af4e

            SHA256

            ba53c7bcc85eec10006257643e61b5f7002809a82047bbd29d1dab4ab7eb8932

            SHA512

            1f085bc20a94fae6d437c53beaa604623e7149db0b5f5ad30d167ccb352fd310cbbdc6f95bfd501d06e1807b22064a66474fb0392f75245300a3c1806473f6b5

            Download Submit

          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            Filesize

            43KB

            MD5

            c0b9167f5d3f538397f5a32a09e23fb6

            SHA1

            23be9800b57ab37cb27e5873b2e220175afc5791

            SHA256

            cd49ccbd221bdfd1a98407acaff8ac555209baf06872ec7b415f156a13661f47

            SHA512

            4602546953f9ebbef18b48332c874a4b8541a08a330cf3e0e95b51124727a188d2d18eaa875b1d6258f514ef829c98fb060958784e563ded3d3dbfed5f722953

            Download Submit

          • C:\Windows\SysWOW64\rundll32Srv.exe
            Filesize

            40KB

            MD5

            23bbb97a0fe8b4f941c560e52d9836b8

            SHA1

            04326d166a7ba0b1dd445a8cd42f5b62b4ea7d99

            SHA256

            840535e1229ddd745eea452e3c77a3b68d9dac8b6b89a2111fc38720c4428c10

            SHA512

            2af0b646e755fc3d1bc1d1f3a8ed9a4e482e51400f6d81dec72c4775ba8ce51758f9681fba531f0a2145d0f1d76628446495e2c666ad690171ce78c524015e51

            Download Submit

          • C:\Windows\SysWOW64\rundll32Srv.exe
            Filesize

            47KB

            MD5

            5f9abed55d12f85e1821e9f1803f963e

            SHA1

            4053449172dc9c3dadceac807a62123b2d312ba6

            SHA256

            e50f75a54414ac67fd5b07a6394f92dd330264e302153925557b9fa8d47319fd

            SHA512

            5207b11119fbd88e1dd473dfccc497de06b9c7d87d924ed405c7ec93f58c27009783a692751280dd56088ae700c607c098e20226d66887417a8a5a2da4d163d1

            Download Submit

          • \Program Files (x86)\Microsoft\DesktopLayer.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit

          • \Windows\SysWOW64\rundll32Srv.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit

          • memory/1748-55-0x0000000076321000-0x0000000076323000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2008-64-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2032-67-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download