Overview

overview

10

Static

static

8

382693e103...d1.exe

windows7_x64

10

382693e103...d1.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1.exe

  • Size

    193KB

  • MD5

    6b14303e1bce59b6ec5d316588a11667

  • SHA1

    ca1e99756646f0102f4acc588e964f4a9e35c35b

  • SHA256

    382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1

  • SHA512

    f3f10568a749c7a571e3c21f52366b1293170d3ec70040bc7ed7757fa700f4975aef367e18058312d8ca20c4b8f7225b5bbc6fffc9dec71fd1fb6cf7ffb5987c

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1.exe
    "C:\Users\Admin\AppData\Local\Temp\382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:192
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:192 CREDAT:82945 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    6b14303e1bce59b6ec5d316588a11667

    SHA1

    ca1e99756646f0102f4acc588e964f4a9e35c35b

    SHA256

    382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1

    SHA512

    f3f10568a749c7a571e3c21f52366b1293170d3ec70040bc7ed7757fa700f4975aef367e18058312d8ca20c4b8f7225b5bbc6fffc9dec71fd1fb6cf7ffb5987c

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    6b14303e1bce59b6ec5d316588a11667

    SHA1

    ca1e99756646f0102f4acc588e964f4a9e35c35b

    SHA256

    382693e103272f575075d138544d2d2a2c08344ded01621035b2ad4b3adeb5d1

    SHA512

    f3f10568a749c7a571e3c21f52366b1293170d3ec70040bc7ed7757fa700f4975aef367e18058312d8ca20c4b8f7225b5bbc6fffc9dec71fd1fb6cf7ffb5987c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    57010df1ded674ce061f8af29a2e6fbb

    SHA1

    83e50ef272059dc3fab93e694d5e220dc48bf0c4

    SHA256

    68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

    SHA512

    211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    45c6b61f352c5c871adeaee3cd4d89e2

    SHA1

    9dad7189df50eaa8d3f07b265a097105a920cff7

    SHA256

    e7769a861fbd605a51f6bf4997f36f2dcf7c061d46dcf75bd26fc0af37362483

    SHA512

    eee6c0a13a3538d85bd03e635282ce21a6605c805f3eb2acf8709a5e2beb8f4ec21d6ec0eb578e30f9e15e337884d719f602938715b9cf45e70f95dc93d31720

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RJ5C141L.cookie
    MD5

    870cb9789308704d0b423c764813058d

    SHA1

    13517b0e8d56cb3638bde96bfd113d89a0b74b3e

    SHA256

    017f4afb664ea306a63ae6ea828b4f92cc0c66ba45fbbdaf1a45cc79a163a39b

    SHA512

    da048e879ccd48a55bec13835d977372feb77c18cdcb6df839f7d6dd3c83166800ab94f721bb3eef606e7262944a4afc196e3beb07019094579e68f301abccee

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SRZHW5DD.cookie
    MD5

    b726193aa2cca4018cdef6df9c5e2b1e

    SHA1

    5a791a4d4149ca3a001744e31641bcf3e41b87f4

    SHA256

    891a36964c3d123e9de7ab3f4b466c49ba26b4d812361e1b9a82f538cdff5e4e

    SHA512

    aec096334884d9bc4419e673474277fd817b6aee15e584a492e4ab8c5c895280e015ff31c92eeda89ae14d25753c812dbe3faec89536de578d7fe18142bc4d56

    Download Submit
  • memory/192-118-0x0000000000000000-mapping.dmp
    Download
  • memory/192-123-0x00007FF97CBF0000-0x00007FF97CC5B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/512-120-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/512-119-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1356-124-0x0000000000000000-mapping.dmp
    Download
  • memory/2660-114-0x0000000000000000-mapping.dmp
    Download
  • memory/2660-117-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download