Overview

overview

10

Static

static

5

JaffaCakes...aa.exe

windows7-x64

3

JaffaCakes...aa.exe

windows10-2004-x64

3

$PLUGINSDI...nt.dll

windows7-x64

3

$PLUGINSDI...nt.dll

windows10-2004-x64

3

$PLUGINSDI...nd.dll

windows7-x64

10

$PLUGINSDI...nd.dll

windows10-2004-x64

10

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

10

$PLUGINSDI...te.dll

windows7-x64

3

$PLUGINSDI...te.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...om.dll

windows7-x64

10

$PLUGINSDI...om.dll

windows10-2004-x64

10

$PLUGINSDIR/xml.dll

windows7-x64

10

$PLUGINSDIR/xml.dll

windows10-2004-x64

10

$TEMP/$_89...in.dll

windows7-x64

10

$TEMP/$_89...in.dll

windows10-2004-x64

10

flashplayer_11_sa.exe

windows7-x64

flashplayer_11_sa.exe

windows10-2004-x64

Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/$_89_/MyNsisSkin.dll

  • Size

    384KB

  • MD5

    a6039ed51a4c143794345b29f5f09c64

  • SHA1

    ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

  • SHA256

    95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

  • SHA512

    0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

  • SSDEEP

    6144:yOrNKQjNQnWqJolkFucBm1fXr9ICcYerKJbYm3IyU5qVvWIdjI:y4NKQjNQfqOuEm1fXncdrKJbJgtIdj

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\$_89_\MyNsisSkin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\$_89_\MyNsisSkin.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    54a7db0d9896e6cf4796ea43d5c20874

    SHA1

    b671bb9abe34566688e995619a8ba58919b042e3

    SHA256

    6607eab5d3de139f2d5293ee1444d8fb9d7aea94f25bb7caa831ea49401b6c67

    SHA512

    6414eb9d0ac7007ff12bfc6d90cd2525e91ade69dc48c956186e179a5bae2bdad35a00555e019215c685aaf9d819318970be546203744541e5f3a3db7aca6a19

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8e072ca29526fbaee4c7013381c57253

    SHA1

    a92315488f19542f427aabfd93a0182fd9687e5b

    SHA256

    2c0a0a3bbb478e7ef5ebd903788e2bb33dd1be892a5d6d6ab58476ee2edc69db

    SHA512

    a485a1bbb35b62b48a7a79d4456e109df4a219ceb1723725ab441215f7808499ee95062832eb4928d5f200b91c01d112a79e19899bee71f22bb917e680dc22f1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    559b9f2177a34381f4117d27dc0a4e9c

    SHA1

    fc0e760de1365dcd54b3d10c0f3bbc9083af186d

    SHA256

    1f134280e4119678507d8334cdcf2188cb6c2ed5d3784a1aeccb3fa05ca13055

    SHA512

    15579f7c639ecb1ccace942264503bb476d8230566a7af313875e5a693320e6d822c296979d7bda7b2e691de2481272ef2567b4c0ea80d08f1a3c61991d0519c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1693c4f0c2dfd6b06cc6c1c59b648f62

    SHA1

    0a79a2a1c0dbdf337110d2f8fa84d5ee0399a735

    SHA256

    b423be2dec367c0bc21c17ac577556b34184dfa6e7276361e631c657bfb71e56

    SHA512

    a888a92543a0c970f7488d6f7f5f9c1d60d4e980118c0fb13e1fa25eafcda44247126fc5d534defcc7b7e643db033cbdb2b7e89054b0814fcf41582830c334ec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    89332c3484bd37747e29299bbd6ff001

    SHA1

    62c8603d50c844e1410994fd38e145480fb8efe6

    SHA256

    8ed4a118b1483d4a35e30832f2868d8de0c6886507f056d5df53d8c4a0644c4a

    SHA512

    16f4a7d71ac5473451b80b10807079ff6afdf5eeba4a14dafc2d82496dec089a91faf6cc6d35053ce52354df6f7c42d3afa65b0b2753db5caf3436f41744a372

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5c65f8ab9069ba36f0480b759c76c9a8

    SHA1

    8277f1e8fe6f5ed4ada558b8df212aa8f3182dcd

    SHA256

    cc77646e7e5e2b495051f6396eb7fb0b83be3237b82fc9ba6d5c35a71dd7a7f3

    SHA512

    529151fed517db0485a642f81a0a5a419528ee531c6684d54831e7cc9bdbdf90a240ddc39206241a3365f12897d7bbc3e9d46dc755ff512e882b4bb886de40a3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fcd817ed92ecb88b357c51720fb4a7a2

    SHA1

    47fff40a393341758bed62e974dc52cf5986e6ee

    SHA256

    0618466b88361f04609027329c82531e12f335be9965f1ffd72edc86548984cd

    SHA512

    9740e9b241e7705a7339d0626061fbc49f4cdb8e6f9cf9d435e8b09da01f969f8300782bb293f11571ca71b442a54c70cf6b73df0a407e3a7e8897aa0720a1d3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e565472e4685fa6fad846ce434455b37

    SHA1

    ebd02d1d21de9882b5cc7ac5459d418d83c8536e

    SHA256

    fa90222a0d11a5da70eb5ce59713beea2782a8a60c18ca9fa93a90041f23db6e

    SHA512

    a1f2daf850c7558f209e018c7113f2baab2c8944de9d554a71ddddf996b78897f2303f26b112bc14efc2c96ce25a149d363aa4067c9638c75f82c2e1d906460c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    108ad4752620634a1b7ed16aa6081a26

    SHA1

    f9add1cf88c251edbff31a8075a9e946c2321a50

    SHA256

    25f610798c911014bda132a489de4c9f15f7faa80787ae4447fcb14073a3f2b3

    SHA512

    5799ec58f63dce9d1fb06f53623ef7ee293e11afb31b4ad609aa87ed7c41092ad5528d7e53a20ac0949587ee7a9655b385246a3c4c1cd74e9bce6fe0c1f46344

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8c5b1e064ec9ce6872021ad5e12f0020

    SHA1

    560b1cf28831db1bf0a2aa34832e4bc8e1a9b738

    SHA256

    ff9c90bd1c53eeb22d66c1e399601328916c1759fe79a36f56fd2edb4902e97b

    SHA512

    924ceb724a16106d0e48a45918ba9c53493761727a5757a566817373600184fa8f5451ef41be9c348f9f51c279c3d7ef574f9d0ce53b1de3687eebb9f44defac

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    783ece41faa4238809f7eccbeb965149

    SHA1

    54beeb4ffbe04b07497c7904bea82a23129ad070

    SHA256

    a34f6ccba82ebdb0fb34dcf2d49a8e15bd800b365c91cdaaa8742dea0d917972

    SHA512

    9aacc3dd6563a4d242bda0ff97f873959bb6b9853402e2f982fac4c64dd505b12711c0a7ca819c87247e44323a8b2ad90e3ca3e134f01b40ef2f14d96e4aee19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab34E.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3CE.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\SysWOW64\rundll32Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/2396-1-0x0000000010000000-0x0000000010062000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2396-3-0x0000000010000000-0x0000000010062000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2396-6-0x0000000000180000-0x00000000001AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2692-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2692-14-0x00000000005C0000-0x00000000005EE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2692-11-0x00000000003C0000-0x00000000003CF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2912-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2912-22-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2912-23-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2912-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2912-19-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2912-18-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download