Overview

overview

10

Static

static

4f71eb9c8a...24.exe

windows7_x64

10

4f71eb9c8a...24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-03-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe

  • Size

    373KB

  • MD5

    5e24a1cbadfa2a3db36923b8616022e2

  • SHA1

    c8c8071eb3446381be63d55490175d46ddc49bed

  • SHA256

    4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224

  • SHA512

    e36612d4a67ba114a94eb230935f47c2eaa44adab032603d1dc662d8602d69874daf9797bee1c808379639ba5889adbc13da6b30676430a01f8ddc0a0168e813

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe
    "C:\Users\Admin\AppData\Local\Temp\4f71eb9c8a80ea511ade6a4ea951cd642c7046f3a97c7b965fdc732314bb3224.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
        C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3324 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\652777ae.bat" "
        3⤵
          PID:820

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      c5f5302846f4b684c4c698b31c8aeb04

      SHA1

      e2f2ecf4c159d063c21cc9c5462abdc145822fea

      SHA256

      8e193e13188183566de77760c176ebb2210ff2fcd5b7083ed937197adaecb6c7

      SHA512

      1073a7f0c82c27dda84003df23f7057a286dcb1f6c16a33da96de371bfb4765786fcd4491f986ef4b3130e6fc507c47c086641d362015afd49207bfbeaf3e034

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      d81cdb10a5c6fa34c48732d73fc473fa

      SHA1

      f994f8fb07e923ae74a635e55f0beb1079dceeb5

      SHA256

      db393dd1c588f113bf70fc8d3c592118bb1775f8923b307200625fa618691329

      SHA512

      a3cfa746979a8626b5a6462678b7745ee152c1cdf574496234b1fc36795660204938762e75fd7819cdde99fad71cab3ad3cc679bfbedfc361ae73797cb22d0b1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\652777ae.bat
      MD5

      f508628f5898abd1099b976b3504fbfe

      SHA1

      410ff1530306b4e0b7e0bcd35f4c5c5cb3d32ab9

      SHA256

      bb4e9589fe760fb9f9086007fcad0cc7f9e23ff49dfcf500a2a8a8dffa093e3e

      SHA512

      bc3de3dec964bd6f71be9886043101ddf8b92187caec7814dcff75c234da54b1842e239ad9db171c4ed767dc69d9c546b97d1dfbe61f66dc42ed6882b67656ab

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVl.exe
      MD5

      600cb9df92f223091068a1f2af40e3a9

      SHA1

      e8607c287d607e470858d102a0328146cb6f919e

      SHA256

      d61e62f24771c947f117416f03223fa55819ab3818b5d45a755bd0473d18e0a0

      SHA512

      c1feecbe7a4adfc928a52ec252adc0ecad8dd636b78968945a6a4fefd392440b3d0fe66a8f3770bd6e486572f336b05f5055a62aa6d3a5c514a5beedeb672a7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lAYcVlSrv.exe
      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit
    • memory/1044-138-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1044-137-0x0000000000440000-0x0000000000441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2468-139-0x0000000000740000-0x0000000000758000-memory.dmp
      Filesize

      96KB

      Download
    • memory/3872-135-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download