Overview

overview

10

Static

static

51c9a8bf68...5a.exe

windows7_x64

10

51c9a8bf68...5a.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    94s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-05-2021 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe

  • Size

    511KB

  • MD5

    568f9531fe2064351f3447cd400e5624

  • SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

  • SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

  • SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    "C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
      C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3684
    • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
      "C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe" C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
        C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3744
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:82945 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3504

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{092C244E-B49B-11EB-B2DB-EA801B2465EB}.dat
    MD5

    971def53a999feee259d11cbb4149fe7

    SHA1

    dd98cb9fef0425a0eda6312efaed7542b9c63f15

    SHA256

    d1a47b28c2a27269dba41cc8574c1b46ec6adf0820c911335d96e0cc1248601e

    SHA512

    5ad9646eb13e84d75d8aa9a8d3f4883459d56193587eed2d43356f00e267ad1593f22be41bc03e2d2aec54c27f83ff03d6401e6031ede7c673327320b4722815

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\Logs\QTUninstall.txt
    MD5

    e71bdbfe4d54bae0e956c90c0c636b78

    SHA1

    0ba286d2c1b79075e8530cfe62f16b82f61eae95

    SHA256

    55650b220f99a96628eab5dc1fa491e2b3f0c28caa1bd4598e97ae2765dfe7fc

    SHA512

    8fba6895fa24bf5f8dbf22d452538039abc178fa5f9778a2bf483f3b785d5ce882d6da0be4175830a55f99eaee369c11c70e3ec524fb4900550b9cd889050bc2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    MD5

    568f9531fe2064351f3447cd400e5624

    SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

    SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

    SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a.exe
    MD5

    568f9531fe2064351f3447cd400e5624

    SHA1

    92388449c52d5fa0fee4aabbde3347620a2845ac

    SHA256

    51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5a

    SHA512

    1ffd7d3f4f3b54b895b7b762549c824974c93f7db161ea54d87906845228a1c0393f9631d9eb70fa94ee4b29fb9a6429e9da8fdd4cbbf6ac18a3eb1cdd6b3f00

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tencent\QTalk\AUTemp\51c9a8bf68a322bbdeb955121828a115ce7ec9994145eb2cddbb26fe17f2ce5aSrv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/188-128-0x0000000000000000-mapping.dmp
    Download
  • memory/652-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2304-131-0x0000000000000000-mapping.dmp
    Download
  • memory/3176-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3176-126-0x00007FFD157E0000-0x00007FFD1584B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3504-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3684-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3744-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3744-140-0x00007FFD157E0000-0x00007FFD1584B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3932-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-117-0x0000000000000000-mapping.dmp
    Download
  • memory/3956-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3956-122-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3956-114-0x0000000000000000-mapping.dmp
    Download