Overview

overview

10

Static

static

c0a68401f1...20.exe

windows7_x64

10

c0a68401f1...20.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20.exe

  • Size

    3.0MB

  • MD5

    6fb77db725e8348cc5f65d224a46a880

  • SHA1

    5cbf64bd67d8a2ae93f87c6b9988652448235cee

  • SHA256

    c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20

  • SHA512

    c45a88884c3867a824832712f6fae8105eeeeac21b67934dcfe3d46efbe8b6d03ccd087e9c3df168d218769b116fddf5a2ffad697b95b36d0496078c09916492

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20.exe
    "C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20Srv.exe
      C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 3148
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a0a5a4d72ad62fd610b043c84033deaf

    SHA1

    aa5c3deaba3b479e004880b369f63f2b59b23b9a

    SHA256

    35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

    SHA512

    20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    76d1c5910ded0c58d265c0891c998e48

    SHA1

    8912a694792a37daeeea54df472b8b931de30f8c

    SHA256

    220d05a2aec2ff95604bdb9ed8fe9280e048ed1fff3a2f116fa1e210bc5d238b

    SHA512

    2d7f1221b1d379629916fce9fc22a9aeaec7249b2de8601fe0ab1d58b6cdcad4e85b124b69ff52f11192e0c8444966bd8d58650ae670b4fbe22143598cb35293

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1ZESOZ9G.cookie
    MD5

    92b216eab0b6b943c263e571ae0f68e1

    SHA1

    9db893be964d04152229df1816fc5183a3c7473b

    SHA256

    739bb81b3b7f74f066aaf1f024ad29a0d0a32a442f03561f1d30d86989055c02

    SHA512

    81c471a58eb65e576022dea3a854239a9836775c1c2a64d584574abb329843f55f7b85356c62780d3d14497d6c74cba81470e6e2e29321858cb659dd95d3b250

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6XM4Q0NJ.cookie
    MD5

    91da22f3fe8926ae5b0feb43564d54d8

    SHA1

    4b3efaddcea1d8766d9a72e0c01ba3356e3a7f6f

    SHA256

    20810c00204a98b3c9e132ac5aec50d88fccb50f174452205d6a7a5a1138fcdb

    SHA512

    9a2ddef631a3510a180dda4a27157896598d1b64aaadbf621756ad2bfc47860027e2b2bb24957d2efe722958330c6a23f4ed9dc44204ac76ef5b65086763f307

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\c0a68401f157e11bbaa8f00687410c74e0a92b3ac1c2c9ab0304bb1e8e98de20Srv.exe
    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/1204-118-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1204-114-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-117-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1460-122-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1460-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1756-123-0x0000000000000000-mapping.dmp
    Download
  • memory/1756-124-0x00007FF9D4DB0000-0x00007FF9D4E1B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/4068-125-0x0000000000000000-mapping.dmp
    Download