Overview

overview

10

Static

static

13baa9d117...0a.exe

windows7_x64

10

13baa9d117...0a.exe

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0a.exe

  • Size

    542KB

  • MD5

    cace70bb5d66a63c075aaade115ea984

  • SHA1

    bbbd2950f54acab4039858adef7344ffcf8aaba8

  • SHA256

    13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0a

  • SHA512

    894e3dbdec47ba8f6f7e043247133d0a4555bdde23a6a8c02d45095796f7df16d2ba181249711b44deb8d39af32bfd696523b09a69716165389946fe3f75adc4

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0a.exe
    "C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0aSrv.exe
      C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0aSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:184
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    ef07b2dc81b7fdcc01d8a9cce1261822

    SHA1

    535c60f61ed56d43a349e92b86dd5204a1b61859

    SHA256

    4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6

    SHA512

    1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    34a87c5ea674ec50320ba46f3fe6ab66

    SHA1

    b37be336ef0baf74c40f9079d4f26a4179be98c3

    SHA256

    4b725fa6a431970aa827fa0a2587bcdae096ff7af1d64a784dfc75c6709707b8

    SHA512

    60d93be4d731f2d68d677dc1513ff8229278368a4a3d75b69e036d587746eea82167fa75f220ddd96b0bd0620357590ab0e0315b352d4bceb9558af2d05724aa

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5WNADUN7.cookie
    MD5

    8a4e2434f82d626cd1d6eb32ccb8dd5a

    SHA1

    064ed16deaed76061acc88b11b0b4563ff055c71

    SHA256

    18e58769b11a4169711cbeb30b9de8cca57dbf1b71a1333198593acaf5bb430c

    SHA512

    6d7d3d92b3769d9f06d17ba4bb73be6e3c30c4206c732b4048d02c58a646420e297b1bb551488bdfb39bb1068b4019441c7f419f9c4248b78e809f9e37a6df46

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NWFB271E.cookie
    MD5

    d184473e403d2646620ba103817a2ec4

    SHA1

    c82cdfec5099a550c0c2ab26fccd157716457614

    SHA256

    16a00dac76f0ea34751345600b89b1bd1c0e52b4f513f190415c5304576dd5fa

    SHA512

    772ef8014d39138cb9f3a739495bf058befa024ff0d3dc0fa6f3daa5cfee7e2ecc57066fbcbba9d1329001c1d7aaf130966d2d13a0f72ae825a5698ebf59a863

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0aSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\13baa9d117db2adc7c25cd88e4174882fa4db731989c9f495dc32102c53ebe0aSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • memory/184-122-0x00007FFCEE4A0000-0x00007FFCEE50B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/184-121-0x0000000000000000-mapping.dmp
    Download
  • memory/1360-123-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1360-124-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1360-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1440-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1440-117-0x0000000000000000-mapping.dmp
    Download
  • memory/1708-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3768-125-0x0000000000490000-0x000000000053E000-memory.dmp
    Filesize

    696KB

    Download