Overview

overview

10

Static

static

facef372e4...3c.exe

windows7_x64

10

facef372e4...3c.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3c.exe

  • Size

    728KB

  • MD5

    d33dfa9f7716a4ff7867dda2b8437bf7

  • SHA1

    77973958bf9749d0a7dc4a042ce1bdf28189c9a3

  • SHA256

    facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3c

  • SHA512

    1991864ea9a4c92157e6ad051182ce9689a697031b2e7c66b17afee1a53157d8d907a65dc5f37d54e5202cc61943ce2a3fb86a22ba571a3cbb3b8bc19f31569e

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3c.exe
    "C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3cSrv.exe
      C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3cSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a0a5a4d72ad62fd610b043c84033deaf

    SHA1

    aa5c3deaba3b479e004880b369f63f2b59b23b9a

    SHA256

    35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

    SHA512

    20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    fad3320f34ac445862a17a3bea50f3e8

    SHA1

    3b3f82205017584f487c729887e855e3a29d123a

    SHA256

    673fa401579fd33164f8b6781258907367dffbcfe0e0b1498c3968231fd0e747

    SHA512

    ff4619fdcd68e68fbb63300467de260358a75d034b9eb081180dda2cf06732cbb074c8bdcd4a934e4f68e5eb051df7d3f04f5ec84561dd0f22919ae7fff46e8f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9ZCTC1FH.cookie
    MD5

    6d0595281b4c3aa114fc0f27a2a58b07

    SHA1

    ea70df2e6ce698fdbd2e7a8c9dbc370af23a9b19

    SHA256

    466887b9b583422e826b9f4e44cab33dfe8b9b6134a16d571663f8ca7c4206e5

    SHA512

    a8aebf9575b253e26f3b40f38744040c6a54090c17241b23a0fd459a22f72ec391f5e3d7fa507c389eba12bcc38e368e12c54d74dc9f2963312b37515a24b83b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JAOCP4SP.cookie
    MD5

    c2eac7bff8a41422d1001704438f5d31

    SHA1

    76c13b01e8ad568da178f4b1eb36ebb939d5e9b1

    SHA256

    35fe7c71fb9670d57917b1ce734baa859f486a48b1a79df4b0f7900dbdb070aa

    SHA512

    6cda589884e2ca4d0e2c91343a8d06c4e12389f1696f09186c5d1a5b5d9084702b1bc48a4d63c1252bb966b54329fbafcb5aa81e2542623dfb40ee4e49e9a293

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3cSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\facef372e4fdf2e90cb32a0100219bda77e714e741e9b45820f7ca111b91fa3cSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • memory/924-114-0x0000000000000000-mapping.dmp
    Download
  • memory/924-124-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/924-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1784-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1784-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2172-122-0x00007FFFCA510000-0x00007FFFCA57B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2172-121-0x0000000000000000-mapping.dmp
    Download
  • memory/2520-123-0x0000000000000000-mapping.dmp
    Download