Overview

overview

10

Static

static

fcaf8d356c...f7.exe

windows7_x64

10

fcaf8d356c...f7.exe

windows10_x64

10

Analysis

  • max time kernel
    83s
  • max time network
    94s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-05-2021 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7.exe

  • Size

    230KB

  • MD5

    9dc135d8f028fb7c70933fdec936f419

  • SHA1

    d5e61fbc352fc2dc8d1b8f234801b96e7b3cd04f

  • SHA256

    fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7

  • SHA512

    95f2462cd33328ace30978f40619b0dfb329915bd68befa2cf62616658ee6444a367fd77ac2b8477eef0fcaf5a4c1c38191c1f07f511e34abd3bbe633fa6f4b7

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7.exe
    "C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7Srv.exe
      C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4076
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4076 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7Srv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fcaf8d356cd9c31dc8c05093f18532a8ed9a356a435570554e6ac211f19a95f7Srv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • memory/1296-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3184-117-0x0000000000000000-mapping.dmp
    Download
  • memory/3184-122-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-114-0x0000000000000000-mapping.dmp
    Download
  • memory/4060-119-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/4060-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4076-124-0x0000000000000000-mapping.dmp
    Download
  • memory/4076-126-0x00007FFD1F1F0000-0x00007FFD1F25B000-memory.dmp
    Filesize

    428KB

    Download