Overview

overview

10

Static

static

dc65fe33c7...d6.dll

windows7-x64

10

dc65fe33c7...d6.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll

  • Size

    764KB

  • MD5

    d9dd7916400113ae5042bdfbb22e21f0

  • SHA1

    8a849dc4dd182e8d886bfa81634fcfe4f2d3c5a1

  • SHA256

    dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6

  • SHA512

    e9e094297b2df93b98b54194e66c4cd45f8c932734cf486a324e52f914597fe7e3ac2528460dcd58237df024d504cecd1194e85f0e04129e7fe1f593b6b7abd9

  • SSDEEP

    12288:tPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuRP4itUMP:tPSH4hQP/RN2fLqNK9QV4qBH1O4i9

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc65fe33c7659f52d30e22e6d5058c529602da3e3aff73a99f1956ab98fd9dd6.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1532
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1588
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5954FA51-6FC1-11ED-9351-5A21EB137514}.dat
    Filesize

    3KB

    MD5

    4f3500fde21c7f70a1e796ca6363c914

    SHA1

    8dfe6177539f94e380deacc60f71b29b59e56eb6

    SHA256

    2347311b6f64788f743e4a25a2f36f229b2cb310bcd97d951948bd20bfc03cc9

    SHA512

    40cfe6c9206e1b1770148bf071fcc152965f09286a420df8b43c16abdd8f62ee83f78a88be2209daa97b7d8c8799429f3f23879a652bfcb644da78d82d0382ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{59559691-6FC1-11ED-9351-5A21EB137514}.dat
    Filesize

    5KB

    MD5

    ecfd17b483f74d25e3549532f6d2e5e1

    SHA1

    466184240e738add3ebab6d69db0a84926f8e951

    SHA256

    98f06234b8372e65c31acac275d755d80a6bf5ecdbc77ebba7da1b4ee6c83a81

    SHA512

    db11c07c9cf398351d7c79011b400d4be5d23ce68aa53950024e38db43869e958f50d79b0f1beb1f3791ad5f07fb562ac2f30575640b915750d0772a674039d2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6J8Z2F5F.txt
    Filesize

    608B

    MD5

    b0e32791c4882721395cec843d6c5683

    SHA1

    81eb2fcc87500308d4c606f927f45c4a6ed188cb

    SHA256

    d88d797ed6bb559a76cf2ad3cd6190ebbedbc7a089572e7f5a2a560af0da41c1

    SHA512

    4c4e85c09766400727bcc323baa339aa6ca7250a87d9abaf691f741e64ef67037fc1e42dbbf0463471d3b06addf8b283f6f7840d0fba66ebb7a60ed2aadc51b4

    Download Submit
  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    101KB

    MD5

    162e85589a5dff74d7cf05dbc5d4e8e3

    SHA1

    12544e9343869586d1679db02119e127f43d986f

    SHA256

    9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976

    SHA512

    7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    101KB

    MD5

    162e85589a5dff74d7cf05dbc5d4e8e3

    SHA1

    12544e9343869586d1679db02119e127f43d986f

    SHA256

    9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976

    SHA512

    7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    101KB

    MD5

    162e85589a5dff74d7cf05dbc5d4e8e3

    SHA1

    12544e9343869586d1679db02119e127f43d986f

    SHA256

    9cdca823e0d9922662b093a4cb9f313ab4c7c8b9a9199acca683af332d914976

    SHA512

    7ed0c16b13f1863390cf0946538aab5d2f0ff9953fcf1a76fc0ea8aecefc002a31fffa347bb1f5fab8cfeae4777045fb562cc1af3100dcbad72b5db6e007f0f7

    Download Submit
  • memory/956-58-0x0000000000000000-mapping.dmp
    Download
  • memory/956-61-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/956-64-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1748-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1748-55-0x0000000076091000-0x0000000076093000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1748-60-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download