Overview

overview

10

Static

static

df1cfb0304...34.dll

windows7-x64

10

df1cfb0304...34.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2022 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df1cfb0304da20e931a5d8e974e82461e9f435720cefa0b0d4143aa948333934.dll

  • Size

    228KB

  • MD5

    0b9dc555cc3576908a238763445354c0

  • SHA1

    f9a0a140311bb921d22a860f755d1f3e4e734f62

  • SHA256

    df1cfb0304da20e931a5d8e974e82461e9f435720cefa0b0d4143aa948333934

  • SHA512

    f4494f627a49bdd9069c4d0a024e84b14dd8e313d565177990f043efedda17a0982a06b4cb383c5e1fea89ec09a65f647543b94f80a50c9c0a9546eed555b28d

  • SSDEEP

    3072:Aen8Z3LQF3u/RvsU5ItqFjpgXJjbVor64Yfpijb745PzR+4S4T3oX1hIcQI7SpQv:F8ZbswvsUiQu/orN/4hvSPFhItQB

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\df1cfb0304da20e931a5d8e974e82461e9f435720cefa0b0d4143aa948333934.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\df1cfb0304da20e931a5d8e974e82461e9f435720cefa0b0d4143aa948333934.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:444
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1284
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 620
        3⤵
        • Program crash
        PID:2176
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 348 -p 4228 -ip 4228
    1⤵
      PID:856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      4f630c01f9bf4c57d049a46ea616203c

      SHA1

      a2d06f097a95d9096f7e381d39e982c0c29aac25

      SHA256

      217bc1b6fd8b9b5987d428f164bde885ce60d24db297abd86c177e8595c30793

      SHA512

      1ae68ac255fe9b2c517425e8642fb630c178ea261e6e844fc27d7a9f8d3e6c92da594549284622aee09b96540e9fc6086fa32ba7f66c794c1c983ed7c526af45

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      fc52f58401119ff06b20fd80311e1a0c

      SHA1

      a2feba1c3b85307ce42aa66787a35044e251dcdc

      SHA256

      5a71bae737a6725bad5e13932bfc0522e4b642a8206f54cbd66eed29bf8d8d0b

      SHA512

      06632dc4e74a5ae4ecdaea8c636f0d07694b2669284d6e114df953e43252308c9d0bb1465c2d695167514d494efb115976aa35f208add37593d6e40863a17d4a

      Download Submit

    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • memory/444-138-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/996-140-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4228-141-0x00000000752D0000-0x0000000075314000-memory.dmp

      Filesize

      272KB

      Download