Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 05:13

General

  • Target

    314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6.exe

  • Size

    330KB

  • MD5

    d3674fb64e76d37df3c1348228bba39c

  • SHA1

    fab2e0855c412f224fb75115a084dc689b1a3dc2

  • SHA256

    314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6

  • SHA512

    7285002b30727bb68410c500aea1f8fd359325480b0e4eadbad1d5a88c7b39a8b4d505a56b29a632b3ee4627d4dd7c7fd73bece79da8e78eed4c3a9a546f2b96

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6.exe
    "C:\Users\Admin\AppData\Local\Temp\314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6Srv.exe
      C:\Users\Admin\AppData\Local\Temp\314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3960
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:1568
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe ce199be7ad92aa3e1cb40798a5c35051 RsHqXmyNdEm+SwwVHEOx/g.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1316
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3328

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 3

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5

    17efb7e40d4cadaf3a4369435a8772ec

    SHA1

    eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

    SHA256

    f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

    SHA512

    522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    6d08640f035817460efc2c76e73799f8

    SHA1

    076169cf6babd6829374bd9e988ba68965345fbf

    SHA256

    09e1a31fda17a1f81f3d068fd5566968fca4423ea91afeefe9042f7439135a2a

    SHA512

    4f25e0445170928cd1fef89645c350ee6056c23a4d6f4079e814e14d1ca40065af98e893cef8c2ff81605eb18527311dfc2528052f6c54127fe9334fbd2a9e33

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    8a44c661c6794c4356f8fb99b034f366

    SHA1

    ad0f441b51dfb7c435f32bc93a0a29761e0585fd

    SHA256

    aeee85d6b68470825c833015b6dcedcc3b39860e3fb06c863c7c2fca57f53a0f

    SHA512

    0e58d2fb300ee41a25293dc27df96f3fbb5d36aa94a856f60bb9c078bbde128fac6e498e30b2447fe960a19bf00834f5bc9108af79ecbbc682c0f54b5c8d2220

  • C:\Users\Admin\AppData\Local\Temp\314082c909a94ccd11372aedfc8f7ccfc00cb234003ff66934d3e517f63a37c6Srv.exe
    MD5

    17efb7e40d4cadaf3a4369435a8772ec

    SHA1

    eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

    SHA256

    f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

    SHA512

    522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

  • memory/3036-141-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize

    4KB

  • memory/3036-142-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

  • memory/3684-135-0x0000000002020000-0x0000000002022000-memory.dmp
    Filesize

    8KB

  • memory/3684-136-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

  • memory/3684-137-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB