Analysis

  • max time kernel
    151s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-05-2021 03:47

General

  • Target

    fb0ba2f663482572e870512c591e87c605ef211f5e8a3f87e34671bfb2e465f4.exe

  • Size

    18.1MB

  • MD5

    24b6950158373444b274e5acabd87510

  • SHA1

    e91cf0d3eb318b3d2bdddc5452b631f44b682f9d

  • SHA256

    fb0ba2f663482572e870512c591e87c605ef211f5e8a3f87e34671bfb2e465f4

  • SHA512

    29d4a71d938faca70d4ccfab7b2aa7942831dc7a37c1200208cc1dbc0db29a68539ab369f9b816e89f5cc6000d9a49f08334de03ad2490662ab56052912e2bce

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0ba2f663482572e870512c591e87c605ef211f5e8a3f87e34671bfb2e465f4.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0ba2f663482572e870512c591e87c605ef211f5e8a3f87e34671bfb2e465f4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Users\Admin\AppData\Local\Temp\temp1.tem
      C:\Users\Admin\AppData\Local\Temp\temp1.tem
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4128
    • C:\Users\Admin\AppData\Local\Temp\temp2.tem
      C:\Users\Admin\AppData\Local\Temp\temp2.tem
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Users\Admin\AppData\Roaming\M762.exe
        "C:\Users\Admin\AppData\Roaming\M762.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\Users\Admin\AppData\Roaming\M762Srv.exe
          C:\Users\Admin\AppData\Roaming\M762Srv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4204
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:412
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:412 CREDAT:82945 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2200
      • C:\Users\Admin\AppData\Roaming\2.exe
        "C:\Users\Admin\AppData\Roaming\2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Users\Admin\AppData\Roaming\2Srv.exe
          C:\Users\Admin\AppData\Roaming\2Srv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1440
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2620
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3180
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{01AD378D-B42E-11EB-B2DB-52F460BD0637}.dat

    MD5

    8884027161f4c15324116e381bc3babc

    SHA1

    c6e7c11ba596b9fb20d9e07177394c06264a2786

    SHA256

    db883e7ee1c73774e73d77eea8675827360555f36c5d93f1e8b40cbc565cde7f

    SHA512

    7dd7dc17b7d08a96fc8d948147471a79ef8e23baf174575c3506d42c51af44f012a9932bb2b3b8138387922bd2d6bc2821ad862f339acdd9b697dcb07c20b35c

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{01AD5E9D-B42E-11EB-B2DB-52F460BD0637}.dat

    MD5

    5a35f0abad7ba6e97b9eb6225058f528

    SHA1

    fce850891e487cf7514b6678fe2eb06705cfd2b7

    SHA256

    e12c099436786f211166782faec1a15054d70dd5ed533d5f27a39e4e46fdafdd

    SHA512

    c6c41d3920e3896771f9544bf38d5accd475c29cd258260e0cbcb75f2c4ea62ec0416c63f5186ffc0c0aa321fcf29ec446065b9424b04e6881b8af9a74c8dda1

  • C:\Users\Admin\AppData\Local\Temp\temp1.tem

    MD5

    127195325dd7b2829451bb6ad6e06270

    SHA1

    784786b3b4de8c1fcbdc96a47e092070e251d828

    SHA256

    6f02534cbd5f85f54eafd5646356ce30639d45ebe0e60a89f0eef88a471b42be

    SHA512

    d0f8e3655cd161acc707f27a574ae179ef524267fdf1b3339c2311c270501cad20aad1acd1d76e7ee3930ee998dc36bda980765fa17ddcf74aa090684bf3ef6c

  • C:\Users\Admin\AppData\Local\Temp\temp2.tem

    MD5

    172a6db591c702bec0af1a288cb461fa

    SHA1

    64cebf0e3e1afdf0b8baa18758f755cea5db5d94

    SHA256

    0e5fed4587bcd7b9383eaf25121c75b4816ae94d2acad5d0addda921e80dca1a

    SHA512

    9398af07867f24154c9cc0d1a619c34960b25f2937b07ccaf5e38a6205307a7e717603b352a5da4c64ba1319825f22ed2d16230cadbb28ee7c88e32f4b926d86

  • C:\Users\Admin\AppData\Roaming\2.exe

    MD5

    5e1e34373e984dd98209be687ef57a17

    SHA1

    86ca48115e1639737ad6370434b7d5620be4a4ef

    SHA256

    8e4987b7440048c01734d7c128c4b226f49e37ca656db5a60821e81f28d8e874

    SHA512

    f5782d2c8a9cb683773384488ac25d47f5ea3ec7d859bc77d952ad5b3edcbf272ce487a12eb2e2813e442c5222ad38c8e907d5f72f621abd813c5e6e1199860c

  • C:\Users\Admin\AppData\Roaming\2Srv.exe

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\Roaming\M762.exe

    MD5

    482e97154b85aa82239cfcf4ae7e5465

    SHA1

    f2fba8dbd01e62dcf171686e4f3707fa6d234fba

    SHA256

    a5b998c0584be4c74779d4f8c2c7a09e0b515bfaffd97152f1f017aa979062ac

    SHA512

    d420f60e65f1deeb646174ae790b569315edaded8a0cd9d4f1aa2738dc6ba5b58412e84046a7022e86308bbd671b9ad88c073d0550e14d41a512d89824b028df

  • C:\Users\Admin\AppData\Roaming\M762Srv.exe

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • \Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

    MD5

    97c8fe752e354b2945e4c593a87e4a8b

    SHA1

    03ab4c91535ecf14b13e0258f3a7be459a7957f9

    SHA256

    820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

    SHA512

    af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

  • memory/412-142-0x0000000000000000-mapping.dmp

  • memory/412-150-0x00007FFA67860000-0x00007FFA678CB000-memory.dmp

    Filesize

    428KB

  • memory/1440-151-0x0000000000000000-mapping.dmp

  • memory/2200-152-0x0000000000000000-mapping.dmp

  • memory/2668-141-0x0000000000000000-mapping.dmp

  • memory/2668-149-0x00007FFA67860000-0x00007FFA678CB000-memory.dmp

    Filesize

    428KB

  • memory/2928-127-0x0000000000000000-mapping.dmp

  • memory/2928-143-0x00000000001E0000-0x00000000001EF000-memory.dmp

    Filesize

    60KB

  • memory/2928-144-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3240-124-0x0000000000000000-mapping.dmp

  • memory/3364-119-0x0000000000000000-mapping.dmp

  • memory/3956-128-0x0000000000000000-mapping.dmp

  • memory/4128-123-0x0000000077710000-0x0000000077711000-memory.dmp

    Filesize

    4KB

  • memory/4128-122-0x0000000074560000-0x0000000074561000-memory.dmp

    Filesize

    4KB

  • memory/4128-118-0x0000000000400000-0x00000000006F9000-memory.dmp

    Filesize

    3.0MB

  • memory/4128-115-0x0000000000000000-mapping.dmp

  • memory/4180-133-0x0000000000000000-mapping.dmp

  • memory/4180-139-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/4204-134-0x0000000000000000-mapping.dmp

  • memory/4204-140-0x0000000002470000-0x0000000002471000-memory.dmp

    Filesize

    4KB