Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 10:27

General

  • Target

    be75c6fea5001d90d3847ec3a4fff40435d1315838da507addbab5c22229f2c6.dll

  • Size

    146KB

  • MD5

    121b47683a3e1b3e81c57f4c92400880

  • SHA1

    eb96a9d0faeeffa3a3a260012e845f8c3d45a78f

  • SHA256

    be75c6fea5001d90d3847ec3a4fff40435d1315838da507addbab5c22229f2c6

  • SHA512

    15dd1edb23c1ab44303cd1983885286b426971930d13fed64bb093336bf03c2c8ca3dff1622742161cbc59645b7b3e89bbba4e3451ebea2048dda642e95ab111

  • SSDEEP

    3072:Zacja0dCawg82wNaoBG3hSS1d4H5fqMSMFoO9CiTw9h:Z62ww50S1d4HVbSoN0

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include viruses, worms, and Trojans.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (9 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (5 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 46 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\be75c6fea5001d90d3847ec3a4fff40435d1315838da507addbab5c22229f2c6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\be75c6fea5001d90d3847ec3a4fff40435d1315838da507addbab5c22229f2c6.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Windows\SysWOW64\rundll32SrvSrv.exe
          C:\Windows\SysWOW64\rundll32SrvSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:3184
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:376
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:17410 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2876
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2252

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AF7C174-698F-11ED-B8D8-7A41DBBD5662}.dat

          Filesize

          5KB

          MD5

          8ada39ed982e499c363bff68fb352508

          SHA1

          9a3969b8dc7049e05157692badb06cd4661a67fb

          SHA256

          5a7b0db137cfc9eca83cd6a0d616150bf4b3f530087edcc7a79d8fd4c1174522

          SHA512

          dff1b13c1c21ce0962c5247711f45ac03dcdc06927b3d2da3cf464ac751f432a6ba31181914a2a81559e94acaa2bba5e51edf446f9d297cd2c087e3f30446c25

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B03ACE3-698F-11ED-B8D8-7A41DBBD5662}.dat

          Filesize

          5KB

          MD5

          aacb02328092ce113dddf7848ddb4f53

          SHA1

          3564081d538e3bfe48a8f4baf97c53944f60f7d1

          SHA256

          a7f17a47e0a24d72581bf069d7099694558e06abe99c0601e430ee35b7d873cd

          SHA512

          a150b6e8b90b06ad1be1d4abe627bfc3495aad428ccf73709285ba7219989321ba50fddbb571cde40bdec0ab23f2cd16b4f83e6d1deca69d68cd1aadd5810a84

        • C:\Windows\SysWOW64\rundll32Srv.exe

          Filesize

          111KB

          MD5

          16d7d52605c1d9a9f0e7d28d72e93e66

          SHA1

          837e7d3a8565f7baca2d734d4100326a3d0379e4

          SHA256

          24ea922c993c9f0fdaad956327f48434bd22b9c6c2a68ee1ec58074f1162ba02

          SHA512

          7339cecd164270856df735398f8b5b159f5d0658bc07ac953c237e6a07263b7bb1ebb46a061b763b247617af29cb866513973ef21e88b068c2b83be8047a4eec

        • C:\Windows\SysWOW64\rundll32SrvSrv.exe

          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

        • memory/1988-146-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3184-143-0x00000000004B0000-0x00000000004BF000-memory.dmp

          Filesize

          60KB

        • memory/3184-142-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3184-149-0x00000000004B0000-0x00000000004BF000-memory.dmp

          Filesize

          60KB

        • memory/4736-139-0x0000000010000000-0x000000001002B000-memory.dmp

          Filesize

          172KB

        • memory/4748-140-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB