Overview

overview

10

Static

static

9fe828a18f...fe.exe

windows7_x64

10

9fe828a18f...fe.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    101s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-05-2021 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813fe.exe

  • Size

    540KB

  • MD5

    0b42b3068dccec381d93d6392ba3df56

  • SHA1

    51a612fe6bc702e03c02ce7d7773d778fe2470ec

  • SHA256

    9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813fe

  • SHA512

    c27f748f813251b07f2995edf19fdb06d157aa6b599ee64105a7a160a05589b062739b0f442f01aa1c2339eacb68d9f22f4ca028c7316468be6846a489ee308f

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813fe.exe
    "C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813fe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813feSrv.exe
      C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813feSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3616 CREDAT:82945 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813feSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\9fe828a18f176ce50c4e6174b1afcea163914e1741d2830867cb0b8a1be813feSrv.exe
    MD5

    da18881ccaefeaa4942af9291cb34826

    SHA1

    e4f33c21684bede05ccea60dd0767250ff2b3aba

    SHA256

    1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

    SHA512

    2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

    Download Submit
  • memory/208-128-0x0000000000000000-mapping.dmp
    Download
  • memory/808-125-0x0000000000550000-0x000000000069A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1676-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1676-122-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3616-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3616-124-0x00007FFA8B2C0000-0x00007FFA8B32B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3908-114-0x0000000000000000-mapping.dmp
    Download
  • memory/3908-118-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3908-117-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize

    60KB

    Download