Overview

overview

10

Static

static

8

930ae1c20c...f4.exe

windows7_x64

10

930ae1c20c...f4.exe

windows10_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4.exe

  • Size

    153KB

  • MD5

    00716c11dd91010a77582e9674866eeb

  • SHA1

    ec9839a9ae05bd23810c7bd3ef5e549a8d114843

  • SHA256

    930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4

  • SHA512

    f0b6fd4009ae0ab2f1127e3771cfbc66fecf9b582822308b6b77d6719002bcf5c9903ade3b180620784acb03bf77342e4d16fc2087b8b380bb906d1b45da212e

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4.exe
    "C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4Srv.exe
      C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:356
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3792

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a0a5a4d72ad62fd610b043c84033deaf

    SHA1

    aa5c3deaba3b479e004880b369f63f2b59b23b9a

    SHA256

    35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

    SHA512

    20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    bbf02291a2dc180ebc608d9a5c3c4d3e

    SHA1

    66794f45596d2a6cefd7e01091628515416c1d06

    SHA256

    67d2d7aed097ae41fc20dbe2d6ec1b0cb0456db55aad89a5c8db6e24009b8d54

    SHA512

    78fcf4102b107453d729318b9a6a772f22f36e068625b9542ae75b4e274960ebb97186f2721b2b2dbb57a679dcbf8e096ad1fa2e9c1789800ff949f705e8eca6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BWTZ3Z2I.cookie
    MD5

    d2ebc6871cf7972a4a9975988df02f43

    SHA1

    aa4da8391de033d1fae36940aec8a4f4e5738271

    SHA256

    c4d8752af3ee5f854170cec1f0cb3e1aeee4e57fac349c4b63b3eac58e6b7c68

    SHA512

    d8c65b77b0c5319deb1ae3b76a72d514c0a3d073248106fd6a3c7a3df7c197200afb358f6a1527a57dbcb394d73209e437976deda79559aa4d0bf42e8e6d0109

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G4M0KZS3.cookie
    MD5

    39fef85f096906c078d058cd79653bc6

    SHA1

    b606b65d2aca6df63ce17592289048d18aff7596

    SHA256

    f689bff9f3b48ea45f549e40653488ea45dff34c39a4257f3adfd9c7842d3d31

    SHA512

    daf0b1ff0b12ce3b515965072a410af1d90ea4e523605ee173a004043b6089604a88d9bab5602ce1cee04da4973814e96ff02ca891895e768184792f430a8dc1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4Srv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\930ae1c20c55661b2460195b8e648b14e8f958758b7f92391e0a413e0ae358f4Srv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit

  • memory/356-114-0x0000000000000000-mapping.dmp

    Download

  • memory/356-124-0x00000000001F0000-0x00000000001FF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/356-125-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1172-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1172-117-0x0000000000000000-mapping.dmp

    Download

  • memory/1540-122-0x00007FFA3B350000-0x00007FFA3B3BB000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1540-121-0x0000000000000000-mapping.dmp

    Download

  • memory/3792-128-0x0000000000000000-mapping.dmp

    Download

  • memory/3952-123-0x0000000000580000-0x00000000006CA000-memory.dmp

    Filesize

    1.3MB

    Download