Overview

overview

10

Static

static

8

3a02ab67a8...71.exe

windows7_x64

1

3a02ab67a8...71.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71.exe

  • Size

    193KB

  • MD5

    03b17e1b56311e64852d5df83123e8d4

  • SHA1

    f4e96cfad1df5efa065e11388f094d7b5d686cbe

  • SHA256

    3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71

  • SHA512

    77352fed7f7d1e5f7b3e8403c7caf66fbeccd426ff60029c43147b2932c6e7119f9bc54cd4a9fe0bdc2914f56cdfc3275c8bc66a58038c3bebfa6a58c16a17af

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71.exe
    "C:\Users\Admin\AppData\Local\Temp\3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:416
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:82945 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    03b17e1b56311e64852d5df83123e8d4

    SHA1

    f4e96cfad1df5efa065e11388f094d7b5d686cbe

    SHA256

    3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71

    SHA512

    77352fed7f7d1e5f7b3e8403c7caf66fbeccd426ff60029c43147b2932c6e7119f9bc54cd4a9fe0bdc2914f56cdfc3275c8bc66a58038c3bebfa6a58c16a17af

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    03b17e1b56311e64852d5df83123e8d4

    SHA1

    f4e96cfad1df5efa065e11388f094d7b5d686cbe

    SHA256

    3a02ab67a8bfb6121f6968e932504759b462cf479f1834cd23b579ae1448dc71

    SHA512

    77352fed7f7d1e5f7b3e8403c7caf66fbeccd426ff60029c43147b2932c6e7119f9bc54cd4a9fe0bdc2914f56cdfc3275c8bc66a58038c3bebfa6a58c16a17af

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    57010df1ded674ce061f8af29a2e6fbb

    SHA1

    83e50ef272059dc3fab93e694d5e220dc48bf0c4

    SHA256

    68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

    SHA512

    211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    9f98fa55f005ab814b547ab8d436e243

    SHA1

    e1520caea00a9410079a3de311a0c5849e2143fa

    SHA256

    75004dc0d0af42e7f4e85a867b57f7a6f8b90c87ef63723183add65d384db378

    SHA512

    6813e92ce3f90f00710572a3175e03cc61f0e244bab774ac000170292c36b56154ec05cecfe72595465ffbaa325e53e22693ec8a3ba7461093f3c538f7d4919d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HP3K22YD.cookie
    MD5

    8e83bef31e58e9a96ecfb7d70f25e0dd

    SHA1

    e5b84fcc5440d5bd7c77f7af5fb0d5e43e22dd2f

    SHA256

    ec2e29e3fa7f6414ccb7c19189dea29893d20ea7868352075c4d3539a363a8e2

    SHA512

    9ab3b42a46abea18f4964e2d2a8ed9cb826a44a5ff8a3b7dab8e4bdb495efd9b7903e69e69a4d6f6a26ca0615198e9d79520388f12da8d9af1c96a19d1df3c6b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZMBVLF87.cookie
    MD5

    94c82da41d8112fc1ce8c0ff524c353e

    SHA1

    9c82e04de03c8cd75dac9461f1db5136f7373686

    SHA256

    14ce97f6439393ab252575f32deb0885f627129ddc77394ec01094494831e152

    SHA512

    32df8d13548c5c9fd25e010884b0d82556a167808cafc2c21415327bff577b1d5c6c21f294011d03903763311bdde80c3fe263fec39b84086508b94b27ec073f

    Download Submit
  • memory/416-117-0x0000000000560000-0x0000000000561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/416-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1216-119-0x00007FF86C460000-0x00007FF86C4CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/1216-118-0x0000000000000000-mapping.dmp
    Download
  • memory/2116-121-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2116-120-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2676-124-0x0000000000000000-mapping.dmp
    Download