Analysis

  • max time kernel
    92s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 12:05

General

  • Target

    d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe

  • Size

    116KB

  • MD5

    78fd901508f5ab965aa00b6962d767df

  • SHA1

    67c5798691e4f6549eb7e9bbdef375fa2fdcbd14

  • SHA256

    d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7

  • SHA512

    6879bff3b313455c4cff0bcab6181f66528fda97b559c5e5e52b5694e32de2ca4750a0fc752da7203a7f5caef827dd0d37c441a6c2a327f49fea6fd2a0e1fd07

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-running family whose variants span file infectors, worms and banking Trojans. The DesktopLayer.exe dropped under Program Files (x86)\Microsoft and the "<sample>Srv.exe" sibling seen in the process tree below are the classic Ramnit dropper pattern.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to enumerate or interact with connected storage/optical drives. The sandbox flags this as possible ransomware behaviour; for Ramnit it is equally consistent with its file-infector and removable-drive spreading, so treat the signature as generic rather than as evidence of encryption.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe
    "C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
      C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:800
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:800 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3916
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3044
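The process tree above is the most useful detection material on this page: a dropped "<sample name>Srv.exe" launched from the same Temp directory as the original file, DesktopLayer.exe written to Program Files (x86)\Microsoft, and DesktopLayer.exe then starting Internet Explorer (the host for its browser-facing activity). The following Python is an added example, not part of the sandbox report: it encodes those three stages as checks over process-create events and runs them against events constructed from this report's own PIDs and image paths. The event field names (pid, ppid, image) are a hypothetical Sysmon-like schema, not a real log format, and the only hash it knows is the SHA256 of the dropped DesktopLayer.exe / Srv.exe listed further down.

```python
"""Hunt for the Ramnit dropper chain from this report in process-create telemetry.

Added example (not from the sandbox report). Events are constructed from the
report's Processes section; the pid/ppid/image schema is a hypothetical,
Sysmon-like layout rather than any real log format.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

SAMPLE = "d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree (same PIDs and images); not a capture.
EVENTS: List[Dict[str, object]] = [
    {"pid": 1744, "ppid": 0, "image": TEMP + "\\" + SAMPLE + ".exe"},
    {"pid": 3712, "ppid": 1744, "image": TEMP + "\\" + SAMPLE + "Srv.exe"},
    {"pid": 588, "ppid": 3712, "image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"},
    {"pid": 800, "ppid": 588, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 3916, "ppid": 800, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"},
    {"pid": 3044, "ppid": 0, "image": r"C:\Windows\System32\rundll32.exe"},
]

# SHA256 of the dropped DesktopLayer.exe / *Srv.exe from the report's file list.
DROPPED_SHA256: Dict[str, str] = {
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320":
        "Ramnit dropper payload (DesktopLayer.exe / <sample>Srv.exe)",
}

Finding = Tuple[str, int, str]  # (stage, pid, image)


def find_ramnit_chain(events: List[Dict[str, object]]) -> List[Finding]:
    """Flag the three stages of the Ramnit chain seen in the report.

    Stage 1: a process starts "<its own stem>Srv.exe" from its own directory.
    Stage 2: DesktopLayer.exe runs from Program Files (x86)\\Microsoft.
    Stage 3: DesktopLayer.exe spawns iexplore.exe.
    PureWindowsPath is used so the checks work on a non-Windows analysis host
    and compare paths case-insensitively, as Windows does.
    """
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Finding] = []
    for e in events:
        img = PureWindowsPath(str(e["image"]))
        name = img.name.lower()
        parent = by_pid.get(int(e["ppid"]))
        pimg = PureWindowsPath(str(parent["image"])) if parent else None

        if pimg is not None:
            # Stage 1: sibling dropper named after the parent with a "Srv" suffix.
            if name == (pimg.stem + "srv.exe").lower() and img.parent == pimg.parent:
                findings.append(("srv_sibling_drop", int(e["pid"]), str(img)))
            # Stage 3: the dropped component hosting itself in Internet Explorer.
            if pimg.name.lower() == "desktoplayer.exe" and name == "iexplore.exe":
                findings.append(("desktoplayer_spawns_iexplore", int(e["pid"]), str(img)))

        # Stage 2: DesktopLayer.exe is not a Microsoft binary; this path is the tell.
        if name == "desktoplayer.exe" and str(img.parent).lower().endswith(
            r"program files (x86)\microsoft"
        ):
            findings.append(("desktoplayer_in_program_files", int(e["pid"]), str(img)))
    return findings


def classify_dropped(sha256: str) -> Optional[str]:
    """Map a dropped file's SHA256 to the label from this report, if known."""
    return DROPPED_SHA256.get(sha256.lower())


if __name__ == "__main__":
    for stage, pid, image in find_ramnit_chain(EVENTS):
        print(f"{stage:32} pid={pid:<5} {image}")
```

Stage 1 on its own is the broadest check (any tool that drops a same-directory "Srv" sibling would trip it), so in production it is better weighted as a supporting signal, while stage 2 is specific enough to alert on by itself. The IEXPLORE.EXE child with /prefetch:2 (PID 3916) is ordinary IE process-model behaviour and is deliberately not flagged.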

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 technique
  • Discovery: System Information Discovery (T1082), 1 technique


    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      ef07b2dc81b7fdcc01d8a9cce1261822

      SHA1

      535c60f61ed56d43a349e92b86dd5204a1b61859

      SHA256

      4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6

      SHA512

      1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      374de454d997d128e02284ae8f6223c8

      SHA1

      a948f23b1a7afddd347defd3b7c966eddf6ae102

      SHA256

      944ed21f6ff1de8f448cd380e170b97d4ef1258dc09bc08205e7f742750bfc7d

      SHA512

      765ad4e1c4efa596eb6b5e857bf5922e0457e2e6bf9ff89b0c63096105968125c5e65715848a140124a2f53e9ddee688ed50b233ce5e8c1de185eb3b62642e69

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LI51V1IZ.cookie
      MD5

      0e14c19e33621fc851c1ed4568cd0d5f

      SHA1

      ec53f709ec5526a878b7f331df5222b88ce15ba2

      SHA256

      3aed8c39e63bc523657c7bc3ea1e393eae9896678694a6c9e83c41662eae6e9e

      SHA512

      b50c9965494c1f26b25d49cee610d4e3b382939ca2c336ac4f77590049e00b0f793e2f2e9ab0ec55b25c3cec946a3497dd9232766bac6b5e318f68e4032a6d60

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V556FYIT.cookie
      MD5

      0ce4b137212b7c7b6c316aea3bbd95a5

      SHA1

      2a34d2ab4e06bcd686d792b974d07f89945f408b

      SHA256

      12544c6d6447c9f340ecb345fc8c853f716043452874056daff1f175e40d6949

      SHA512

      d2dfa2f3d3f023cf32a8f442ae94254290d07d1fb8574df3fefa5cbaea0652b7003159170d9a6581a9eb50f51f0128f37909db3d373cabb2cbb5cf6bfb02df17

    • C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • memory/588-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
      Filesize

      4KB

    • memory/588-117-0x0000000000000000-mapping.dmp
    • memory/800-121-0x0000000000000000-mapping.dmp
    • memory/800-126-0x00007FF8581E0000-0x00007FF85824B000-memory.dmp
      Filesize

      428KB

    • memory/3712-123-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

    • memory/3712-114-0x0000000000000000-mapping.dmp
    • memory/3712-122-0x00000000001E0000-0x00000000001EF000-memory.dmp
      Filesize

      60KB

    • memory/3916-127-0x0000000000000000-mapping.dmp