Overview

overview

10

Static

static

3

5b785757a1...cc.dll

windows7-x64

10

5b785757a1...cc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b785757a1184e04ab625326f8e5aa4b94a16d3332a73da14de925f81eaf99cc.dll

  • Size

    256KB

  • MD5

    bd4aebf56c70da8339ac13607e33e156

  • SHA1

    532d81f4afb40a407d42f13d099454ce31fda35a

  • SHA256

    5b785757a1184e04ab625326f8e5aa4b94a16d3332a73da14de925f81eaf99cc

  • SHA512

    2470a7bf8e15493ba70e2c36ffc4246cb862b7d96a157ba8135a80cb2ee247b1c8825600019c0f7d24610e362040f507ea6d3b1dbac3e16b79f7f7f6a5b9f517

  • SSDEEP

    3072:zn4cV8gf2u41Z5tKlFxwHdIWKc8DAGhn8D5sAxvEbzNmBTq/lSKVtB/LFYYSNGGz:74y8gOl2COc8rWD5n+9sTq9TVbRYK6Bd

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b785757a1184e04ab625326f8e5aa4b94a16d3332a73da14de925f81eaf99cc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b785757a1184e04ab625326f8e5aa4b94a16d3332a73da14de925f81eaf99cc.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\rundll32Srvmgr.exe
          C:\Windows\SysWOW64\rundll32Srvmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4748
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 528
            5⤵
            • Program crash
            PID:3604
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 492
              6⤵
              • Program crash
              PID:640
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3184 -ip 3184
    1⤵
      PID:1752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4748 -ip 4748
      1⤵
        PID:4056

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Filesize

        163KB

        MD5

        7062dd643a846a0666e2661950daab70

        SHA1

        d47b95af9c24c1cb6a51f78fc303a1ab9e46191e

        SHA256

        adffde2de3be8bdacc200e1091f6f29d1559d5e9ea8d4002cdddf59cf370eb47

        SHA512

        2bf378ca6ae9162472f5c261f7a55aaa296c6cb77423f2413edff176880f7b1485d5100cd39acea2931f24666c4cbc568ea2850c764c740f0d4e037e64325c21

        Download Submit

      • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe
        Filesize

        106KB

        MD5

        dcd2cafa72c9d5bd898b636a18133d3c

        SHA1

        b55e85453de9254cbf4c21c0de92d82c6deefccb

        SHA256

        936b14fbbf629fcf92ac06673d974de2b2a44a109953e6664e1c36a4e5c9d27c

        SHA512

        59e475f668015b3a6372d79ea6459b21ae591d73305b7696ef139fe0e716f1038595ea5df079e1850535e6358aef4d8e92bdee68ffd07b44471bc7133041952c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        0ada2095c461df5a751955aa41dd491e

        SHA1

        8366c54b31e1ddc8016aa22aab8c83f73c690810

        SHA256

        80cd542688ed3a45669b53243c3f4922d6eb21a34d8dfeebc6c101484d3bac09

        SHA512

        135991affe343d4358bb15a693effa7a6813d6715e555729d2aa04a98555e13fded55d3100a41a92a5beb57c68fbdacb199a3e66407944e37880b28d42d79e7c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        dfdae34e7a430676ad491e68e2f524cf

        SHA1

        6bd3257ef1f000b4382bfa0ad37d74c9a6c01645

        SHA256

        74f2a31e0046885ff1a276645e2f40a5ad7b3d714e9bb33582da444411051b56

        SHA512

        f68e8662dab39b7a8779be6290d22e7c8f2f6cd3947c2f77d7f1007b5daeea7200e4409db372666ded8ee7e09bc8e71603f14debd862b4c5ef00f01915ce82cc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~TM8EB3.tmp
        Filesize

        1.6MB

        MD5

        4f3387277ccbd6d1f21ac5c07fe4ca68

        SHA1

        e16506f662dc92023bf82def1d621497c8ab5890

        SHA256

        767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

        SHA512

        9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

        Download Submit

      • memory/2388-26-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/2388-31-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/2388-24-0x00000000004B0000-0x00000000004B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2388-18-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/2448-13-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/2448-7-0x0000000000570000-0x000000000057F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/2448-6-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4884-0-0x0000000010000000-0x0000000010041000-memory.dmp

        Filesize

        260KB

        Download