Overview

overview

10

Static

static

a82cb5c306...6d.dll

windows7-x64

10

a82cb5c306...6d.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2022 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll

  • Size

    395KB

  • MD5

    2f780ed707c91e8d5eb20bf7c9c20490

  • SHA1

    389d1c07c0261b6bef21e48435e3eb599b82f728

  • SHA256

    a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d

  • SHA512

    c9a005cf9c8bc343e8dd5a5d18951eb4ce5bbb959c53ac435469053ad4d14f475b501e749717515a42c444c31aaa034f10d8f0cf5279625da5a247ec2005a104

  • SSDEEP

    3072:GwWT5BaRUlyHKwWT5lTpb6NkqlX5ANlAxon1u4f8UbVMdUvpmxd:waRUlyHAp6NjlXZeu4f8U6iGd

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82cb5c3067514188a1449438d4cb562a73478192d6c457a52ac02c660100b6d.dll,#1
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:268
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:692
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1012
      • C:\Users\Admin\AppData\Local\Temp\hrl22FC.tmp
        C:\Users\Admin\AppData\Local\Temp\hrl22FC.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:940
  • C:\Windows\SysWOW64\nyrtuc.exe
    C:\Windows\SysWOW64\nyrtuc.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    PID:560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2AFF9BF1-5E51-11ED-9201-42465D836E7B}.dat
    Filesize

    3KB

    MD5

    c94faa4343fadb64f90279594b72a704

    SHA1

    52dd676b67ee030aa67ffac09aeff7ecddec0e7e

    SHA256

    443e057cbe282d9fbd6fd7b445b22ca73c10b47d218f05a8bc8b9013b9eee694

    SHA512

    581012c92de616b1ceda5e969bd015b7e636a83941c494bcc2d260963184d846ea129114befe18e5788642d80bafbc80151721a2f99f8694c73775478720a1d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2B001121-5E51-11ED-9201-42465D836E7B}.dat
    Filesize

    3KB

    MD5

    5beced220a64b9346e0580766dedc000

    SHA1

    498511a5340bfca451be886d21431ca393de0312

    SHA256

    6a3aaee2c3e9cf72085c637887f8766b49e8db6ae759b6d07ae7354c0a2e209a

    SHA512

    ced9108ba39878afe1c2c77a6ca8f7c516f3e15e01eee55257d181e92b17ed4ddda83620bcb489775593065f1bdf1b3758c28521d09f29639f0264aaf0b07e5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hrl22FC.tmp
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hrl22FC.tmp
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9YZ7G180.txt
    Filesize

    603B

    MD5

    83cbfc172931f9f0cce6a9da6f6aa0e6

    SHA1

    b49fb3808c554572869df181012152a37dc0d3af

    SHA256

    75f8a97e2c1ff2f60d294348b07f5c7ccc249677d8275971ed6e09aa67531f8d

    SHA512

    c9c06e13d5f73dca37ad845fa6a8d8338ac67adfb36376f376c238eb711c1d17d5da620ccc0c0f859f3c73983a29dc180a7b34048285863c4aaa6f97279e3754

    Download Submit

  • C:\Windows\SysWOW64\nyrtuc.exe
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • C:\Windows\SysWOW64\nyrtuc.exe
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    340KB

    MD5

    a335e0d50da877e39944d999f990e82b

    SHA1

    9db3ae5b5140756838b023ff3ac11b853023162c

    SHA256

    154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

    SHA512

    52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

    Download Submit

  • \Users\Admin\AppData\Local\Temp\hrl22FC.tmp
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • \Users\Admin\AppData\Local\Temp\hrl22FC.tmp
    Filesize

    39KB

    MD5

    bfad4a122152bc246aed2d3799341888

    SHA1

    01f92cf4deba34df9449aec96ba7b95241475d1a

    SHA256

    917731805cfe3a03bf587dc360886a9980a4d699d8a4ef7fad9d5c4516eac488

    SHA512

    dad0bfcf69e5b00386ee2352be91a58d31d7a4351a7ea868a13b5d2f2abdbee47a326190fb3b6aa68956d8ab19e198d84cc0fde6aa3d3bd5c2ae26bb5c534174

    Download Submit

  • \Windows\SysWOW64\gei33.dll
    Filesize

    52KB

    MD5

    d1dbfc3af07e8ab980b9046d1b13ae10

    SHA1

    4191ba60232182e6f077401bd571e46082bfa74d

    SHA256

    4e2f0d8b42fd9487052a9fd6a683df8afc4006009a74610823b1d056810bbb11

    SHA512

    e4755f5ff6e5cda299c3df333753d84cfdbe9e7c215acb2c45cdde5096947d495bbe741bbd669c81e02308a7ca4cbbe56b925190fa6459309ff025ee43265f2c

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    340KB

    MD5

    a335e0d50da877e39944d999f990e82b

    SHA1

    9db3ae5b5140756838b023ff3ac11b853023162c

    SHA256

    154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

    SHA512

    52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    340KB

    MD5

    a335e0d50da877e39944d999f990e82b

    SHA1

    9db3ae5b5140756838b023ff3ac11b853023162c

    SHA256

    154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

    SHA512

    52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

    Download Submit

  • memory/944-69-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/944-76-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2012-67-0x0000000000770000-0x0000000000801000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2012-66-0x0000000000770000-0x0000000000801000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2012-65-0x0000000075230000-0x0000000075298000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2012-64-0x00000000752A0000-0x0000000075308000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2012-77-0x0000000000770000-0x0000000000801000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2012-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

    Filesize

    8KB

    Download