Overview

overview

10

Static

static

5261bf6c5a...4d.dll

windows7-x64

10

5261bf6c5a...4d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2022 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll

  • Size

    146KB

  • MD5

    3db02f7484620ed80e7a061b404e9670

  • SHA1

    1cc1fcd5ad4016fe6c8a0d818f8689c0974f48ba

  • SHA256

    5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d

  • SHA512

    42019f6522df70772c1b8e2a6eb3a075abd79cc332d8101f504bcf0030568a46df0cfde90fc69488398feb8d9a22b50d6ed99d7e5aef5848268b1a18afe271ab

  • SSDEEP

    3072:i0X2G5DFaSgjvVdtThFK8+eN0YsNHC8G9ciejdsZC7H:io2iMj5h+dRHpKcOg

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 5 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          C:\Windows\SysWOW64\rundll32SrvSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:520
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1788
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
              "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1808
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1344
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E473D9A1-6993-11ED-9D71-7AAB9C3024C2}.dat
    Filesize

    5KB

    MD5

    9658019074d5cfbcfe2ec7fd8b1d586c

    SHA1

    01e559f281edcdd081f55ac918681c6ab0c714ac

    SHA256

    198b6a62036ece71a865f83e38a8ab44c77991ba13143ff5c927b09eecfef5a2

    SHA512

    e91e5e15b0ba4abd545cc2875e14d2123c5ebe304e55781aa69bd26a895dbed05fca7a48b44bd07f23aa887ff24177434c86e56df214b73ae7066538c2f4b5fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E478E2B1-6993-11ED-9D71-7AAB9C3024C2}.dat
    Filesize

    3KB

    MD5

    9ef24c6e989ab0b14003b26c8ad0f723

    SHA1

    ed2989c30aea97e00101e2acd1561e5126824319

    SHA256

    3b9b0816b92965469e76e6cb33cae44b87fc8bfbe9fa0887010156884190c7a5

    SHA512

    097d13db1036f6888746d7e4bfe93f50a5d24c46370cc4c9ce8b801255335dfb8de7578af2884d208f41bb0cfd1d140b8feec4e0a469086b0ef6da28e7e039b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E4947161-6993-11ED-9D71-7AAB9C3024C2}.dat
    Filesize

    5KB

    MD5

    05293777b49e4395484c8b48008c3bf1

    SHA1

    8f4637cb6de05b31c64a5f91aca5954222711d52

    SHA256

    2879017a6e32d12765729f196c74eea029941e820c6f2ff6bc2c252d14d7497f

    SHA512

    ae25e1dde881867e8d52200d26c2d5196f4e349475fcc2dc2c4fb4c35b36e923e95983017b241ce6cd9b3f1ba07c5b7f75dcac0a2b128d128f774e0b7296dc89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N9G2NDRJ.txt
    Filesize

    600B

    MD5

    8a3dfc687c39a435fae72657f8f0484a

    SHA1

    6c7376a404d7b2bbbd81fdd011357955a874f8c3

    SHA256

    4af9281a60bff4b7164f49255cc1759e044851420d53656e95cf3e6b2f509797

    SHA512

    c7bdb30f3a2ffb7b703bac4b7aa747c9672956f1af6d0961b3c7e5561d261aa7d5f7ee0d8e6a90fcbf7cb613b6bf42b7af7bfe865e0945467740fee417d486de

    Download Submit

  • C:\Windows\SysWOW64\rundll32Srv.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • C:\Windows\SysWOW64\rundll32Srv.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • C:\Windows\SysWOW64\rundll32SrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Windows\SysWOW64\rundll32SrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Windows\SysWOW64\rundll32Srv.exe
    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

    Download Submit

  • \Windows\SysWOW64\rundll32SrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/580-71-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1112-75-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1656-68-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1808-85-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1904-81-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2016-87-0x00000000001C0000-0x00000000001FD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2016-86-0x0000000010000000-0x0000000010029000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2016-55-0x00000000767D1000-0x00000000767D3000-memory.dmp

    Filesize

    8KB

    Download