Overview

overview

10

Static

static

dbaf937469...24.exe

windows7_x64

10

dbaf937469...24.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-05-2021 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224.exe

  • Size

    157KB

  • MD5

    32e56b248e5e1aabf2d896b4bfa6c946

  • SHA1

    90511bc6bf4acacec5c8774931d1ff45408373cc

  • SHA256

    dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224

  • SHA512

    e66f1fbb37bc14d02fab021ec9e775fd191f02e1ccd0ef5122d9bb1a3786fc4ed967ce46ef82c751428aa2f92403668e68f0128aab9830aafec6b6f3baadb099

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224.exe
    "C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224Srv.exe
      C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    f24c21cc3be7daee3b2334dfbf6cc685

    SHA1

    3f5fc1985d1e6396c501c2b1529ba2b3974433a5

    SHA256

    9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

    SHA512

    e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    018f339144c5d3c7d7393ed5a8a41117

    SHA1

    776d029bbc5c112697e2891cec19325733596a3d

    SHA256

    30080429539607610072d9dbb3dde1d32d607b43f225dc1826fac44968e93eec

    SHA512

    d5534e458cc621af04c9d573c510e0e594149a3f9345c2dc6c341f43e15a326b988b191175ff0f939db27c0a89c382d13365317a7f26dfaa490e0fb1f1f30f5d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3W4K0JXU.cookie
    MD5

    9a87fd1b3e74622689bbed7a80b07360

    SHA1

    7b6bf76102348cbf0fd5794bc0fe624198d55a91

    SHA256

    63081ca1831da9386467f6f70a4d309edb7d6741096ad23c95d0072c57fb7ed5

    SHA512

    a17126e8b3d711ab09e142325aeeeac431833275ad68b74a6ffceb087967dd17061dad8c81d50a734a5b6290a798e1b59b7486f93baa281ebd5326582b7d7a73

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BKT2R237.cookie
    MD5

    b5f7c3d95c2200aea609917bf77c9fab

    SHA1

    78bb0460bca5eb110778d2db8fa4d32ec80964d9

    SHA256

    b8d403eaf02b0137486069d065e3eb149c41b2f882f571b540b0d4ea2cce507d

    SHA512

    ef60eee3c3b39b22a8450f4ce3878fb44003d7c82cdf4d96089a32752993ccc18b145603ee008429a84d0a598aa611af54eb32706057a8f7b3947b5f692cfc92

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\dbaf937469e41d451ab2f36e2237707870d207792d5d625e7b30f2faa0fb6224Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/192-127-0x0000000000000000-mapping.dmp
    Download
  • memory/2968-121-0x0000000000000000-mapping.dmp
    Download
  • memory/2968-126-0x00007FFC5DF40000-0x00007FFC5DFAB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3936-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3936-117-0x0000000000000000-mapping.dmp
    Download
  • memory/4028-122-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/4028-114-0x0000000000000000-mapping.dmp
    Download
  • memory/4028-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download