Overview

overview

10

Static

static

51c9a8bf68...5a.exe

windows7_x64

10

51c9a8bf68...5a.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe

  • Size

    511KB

  • MD5

    568f9531fe2064351f3447cd400e5624

  • SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

  • SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

  • SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    "C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
      C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2000
    • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
      "C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe" C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
        C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:756
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275458 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{41444FB1-B489-11EB-8EA8-5EDBF02B0D68}.dat
    MD5

    ea3dd15302a89ec86811ac20cfc020a0

    SHA1

    4a4f2a7ed778a1fbc5e8995dfd2a849924597f12

    SHA256

    0a901caa9d1b9868b9f5f81dceafd7267e820c5e1f7f52ddcc9fadd925a9b0f9

    SHA512

    f3041585274f0e5a365051e6bf5152e462a4830cb68b0d034d22ec69783330d84b0f3f5f0d617295ee72807381c3ddeb7a218243477b4e65c063b3f51d676b9b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9TM24M9G.txt
    MD5

    0a17fdefd67f6d0d8f23c32cf3960afa

    SHA1

    2f1585e3cedf7c045869db2fbe546782bb23ddb9

    SHA256

    03b24ebea6265516ca018ff7693e79f82c6d1872c349c94b4506024bcc87573f

    SHA512

    a535821b29d8573637a0573f1a2a51d93d6e4d41a6cbd6640eb88b499d34bc52ffb004f81624ef693a814f6dae19f146167b783909970f3219941e6985ad91c0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\Logs\QTUninstall.txt
    MD5

    8ebe1662d31e05d564696decdf8f7740

    SHA1

    c7f2ee90dc48d0f0d4d91f6d0bf276202927f40a

    SHA256

    c062c90d46d4cd468d21dae6bf5da3aaf2d06c1c703aa6fd4a342157a406f37b

    SHA512

    2acb6e21904f2a0ad3d9c0af509c113d022780904fbc68788eb2ed29b6f3cdbf72167467264e20ebcc4c8df1c64872ed731d6fb2559b1c3ac029fdb0dcaa3e71

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    MD5

    568f9531fe2064351f3447cd400e5624

    SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

    SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

    SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • \Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    MD5

    568f9531fe2064351f3447cd400e5624

    SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

    SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

    SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

    Download Submit
  • \Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/756-91-0x0000000000000000-mapping.dmp
    Download
  • memory/1060-70-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1060-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1364-83-0x0000000000000000-mapping.dmp
    Download
  • memory/1400-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-90-0x0000000000000000-mapping.dmp
    Download
  • memory/1740-82-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1740-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1964-73-0x0000000000000000-mapping.dmp
    Download
  • memory/2000-85-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2000-84-0x0000000000230000-0x000000000023F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2000-61-0x0000000000000000-mapping.dmp
    Download