Overview

overview

10

Static

static

9921f21834...3d.dll

windows7-x64

10

9921f21834...3d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 02:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9921f218346c1fb5540b87f24fd2193238ceebc035fe146b538bc694791fa13d.dll

  • Size

    212KB

  • MD5

    9292cd79e4b449b63188f47f76baaf60

  • SHA1

    590a85f99140b93b980af15cac488cd7a1b6559c

  • SHA256

    9921f218346c1fb5540b87f24fd2193238ceebc035fe146b538bc694791fa13d

  • SHA512

    67e736e3f8089da07c7932ca344c633091e477c70a80bb6b1ce27b1502ab20939721fcceee370a7327003615c4bbbffa354c230140c71e79291fc0a0d240fb00

  • SSDEEP

    3072:02UxPvVKNiNz1a2JRC+Tq/Ko+t8+SgNKCBnaQkxUxg68rCv262cS8e1o3:3GvQ4Nx9RHTVt3PNv9mNCvOcSd1o

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9921f218346c1fb5540b87f24fd2193238ceebc035fe146b538bc694791fa13d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9921f218346c1fb5540b87f24fd2193238ceebc035fe146b538bc694791fa13d.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          C:\Windows\SysWOW64\rundll32SrvSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:108
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:388
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1320
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1308
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1760

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CBB76CC1-585D-11ED-A6C3-FE72C9E2D9C9}.dat
          Filesize

          3KB

          MD5

          85a578252f15cc5c86795fc0e9454ceb

          SHA1

          dc7e5dde4649fcc6bbfc9605ff0a5b54e61be4aa

          SHA256

          4af52452b45a843d67cdef1564b2e447526852de31a2c63139468ed6a77433b1

          SHA512

          7656e28bacb4b039c1d9a42689ea90b768ea2533fc98074b4dbb4943d2eb2be6df9bf7566c7c0d49eb6749d0fcc0e004484c6ac723c12ed0dcbf1f8ec30706c0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5IFD2HBA.txt
          Filesize

          608B

          MD5

          0b5e6038ec2055e83db0b9f08a9cb1a0

          SHA1

          626835aa99eb9cba918f8b8911702956f90706e0

          SHA256

          7d0f9960228365b67a75f1dce15cc1d525378495d06c577f85b2d25fafbe71e4

          SHA512

          df36a96ab50e471bd5fa02567ed2efd2d16224acd2871db6f94e8236e3579262d7b05a83d457e2d9fcfbf41824290eedd0c1d0f57a5e16cc41c9957dd6b7626b

          Download Submit

        • C:\Windows\SysWOW64\rundll32Srv.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • C:\Windows\SysWOW64\rundll32Srv.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • \Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • \Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • \Windows\SysWOW64\rundll32Srv.exe
          Filesize

          111KB

          MD5

          7d2a3d6778f4a74f97e7b6f045b6f941

          SHA1

          fc674983986d5dad4c3d2f70ec9bf71f6e3a9c54

          SHA256

          a0b3b299491da8d3d20e546e894455c205fd5249cb8d399c082760908041302c

          SHA512

          ecb13d4ebde47b8c4e5d57df44da7c318569882c64fa04c99e53606772561a4fe58d891c35070db18032ffc354631dbd820baa72ae59285a2f8305fd6e50ae90

          Download Submit

        • \Windows\SysWOW64\rundll32SrvSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • memory/108-69-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/388-82-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1740-73-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1876-81-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2040-57-0x000000006D280000-0x000000006D2B5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2040-58-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2040-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

          Filesize

          8KB

          Download