Overview

overview

10

Static

static

c0ecde99a9...ba.exe

windows7_x64

10

c0ecde99a9...ba.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    04-05-2021 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cba.exe

  • Size

    1.7MB

  • MD5

    5c31c43c0b069f40ca31ad8cad7d06f6

  • SHA1

    60b8aa10f913c98307030fb899a36be2caf43b34

  • SHA256

    c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cba

  • SHA512

    614226cb3202015e7c951eac41631b1192e8bcaa6a0b551011e6af803543d2d5631135b2ff6c753c6e63df17cca45c6adadff50fb58c1a2addbfbb1bded70faa

Score
10/10
ramnitbankerevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cba.exe
    "C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cba.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cbaSrv.exe
      C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cbaSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:184
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    10987a1d727697d22e9613985bf39eba

    SHA1

    d92fa559cdea14bdc068eb5388f4a8725d9d290c

    SHA256

    8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

    SHA512

    31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    1e1c0dba38a2c6a0b1c71aae46ffdf24

    SHA1

    0c0bd94515f476d95273aad0c9c586a0dc3eafab

    SHA256

    9f7ae2656a9120fbbcb0fd4e9d1131652a85b62d44e26a8f54eebec0a38b5db2

    SHA512

    4fdd51f28e79b82902ff6b9440c11567e2aafda30a449d752459efe64c683203ebf10a25d49ac519d01fe86656cb639550c42078cf1685a0b091642b6d52da0f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3AQVALFD.cookie
    MD5

    2102f46774a45ba7cbac0a2c90fbcb70

    SHA1

    4e3b631db67215914df97b7f5ddeecec55660fb6

    SHA256

    633957497a259bd5741572c4591df83c141f231c9fdaee72a4baa10b1b71039e

    SHA512

    3ce96f3b0395ffc0c8b92b8300123d33b6bad18ff8c266e62e7ff39ece03ee4e987e74f257beaf604c1639e8a31c7c2dd83b685a9cfbcd1fad4c2d827a4915b7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HQ7Y0DFX.cookie
    MD5

    0dfd2d738c7d80cd0b07ff4fa3b292cf

    SHA1

    5150ceabf642151557a1c9bf264313d5eaf56213

    SHA256

    38acfe68274f8271ca8683f1f6be60681bb41f605f7b56fa6063546ab9ee1e8d

    SHA512

    281ed03606e0a5338904d9f62f7112a4724b4e31c71a5affc1bdbcc6454f6f99709636a9ab67524dedd1355d2523c228857d590f46f9fbe394f4478b16c1f088

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cbaSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\c0ecde99a9fa77fc649aadeff683f2c7b800c81099de2c45eee6b85247c33cbaSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/184-121-0x0000000000000000-mapping.dmp
    Download
  • memory/184-126-0x00007FF9610D0000-0x00007FF96113B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2020-127-0x0000000000000000-mapping.dmp
    Download
  • memory/2416-120-0x0000000000740000-0x0000000000741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2416-117-0x0000000000000000-mapping.dmp
    Download
  • memory/3652-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3652-114-0x0000000000000000-mapping.dmp
    Download
  • memory/3652-122-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download