Overview

overview

10

Static

static

4f71eb9c8a...24.exe

windows7_x64

10

4f71eb9c8a...24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294208s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    01-03-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe

  • Size

    373KB

  • MD5

    5e24a1cbadfa2a3db36923b8616022e2

  • SHA1

    c8c8071eb3446381be63d55490175d46ddc49bed

  • SHA256

    4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224

  • SHA512

    e36612d4a67ba114a94eb230935f47c2eaa44adab032603d1dc662d8602d69874daf9797bee1c808379639ba5889adbc13da6b30676430a01f8ddc0a0168e813

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe
    "C:\Users\Admin\AppData\Local\Temp\4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
        C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:872 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\75d34f1c.bat" "
        3⤵
          PID:988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\75d34f1c.bat
      MD5

      bee6784505e0effe735b33649bbfd95a

      SHA1

      39ac2a3a4edd78efa8e5021498fb817dba924d7a

      SHA256

      69bd6f6bb652e9f3e3491b3d94c923fb6efcb26d4516c6d3644edf2a87c1a596

      SHA512

      04869c8339d831d061a97b4677b75c9bd09fb9af917ed29b9559bc762b7a92905e4744c27dea651d6d4fbd9b25f758b7b912d403323c607333ffb1bcda021a3a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8N2DQ715.txt
      MD5

      d2762dca214a13fc44dfebd2f9f60280

      SHA1

      cec58f6b747aa9ea161ffe32e8eb55cfb7b25912

      SHA256

      726a9d6e05e6ad82850840053729c27a3f5c05b87e0a10a406fafdf108c5d22f

      SHA512

      3ad992a37d670b7d55c050b1f89570c0469f66431c512c69533be45e1702b5c634936a9f403970db941c111f361caf5628156df727b75a998591a96aea56ad9c

      Download Submit
    • \Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • memory/516-66-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1144-54-0x0000000076891000-0x0000000076893000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1156-69-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1156-70-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1684-71-0x0000000000290000-0x00000000002A8000-memory.dmp
      Filesize

      96KB

      Download