Overview

overview

10

Static

static

10

41924ff751...5f.exe

windows7_x64

10

41924ff751...5f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    102s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-03-2022 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f.exe

  • Size

    313KB

  • MD5

    e53fccd8979a713d50247bd9b715a8c8

  • SHA1

    6d5c963ffd74b59b425ad2434db49e514073c353

  • SHA256

    41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f

  • SHA512

    e6894a2f75ac004462875e0831b02d2dd77ae1d2d12404c61ca72f53b66ede7d10fbb9e9c28b80e0b47a40454b1225eed0eaeb589d75ea86259f978b60dff048

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 21 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f.exe
    "C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
      C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3708
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:2
            5⤵
              PID:536
      • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f.exe
        "C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85f.exe" /GetKeys WirelessKeyView01CDCF25
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
          C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:756
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1404
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:17410 /prefetch:2
                6⤵
                  PID:364

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\41924ff751f099b4d1dcf12999bf58e6ede7854f5a64a8c2873c9807be1ca85fSrv.exe
        MD5

        5b97603af0fc8f1dd40fc69bd6ca89cf

        SHA1

        18d63dbde43a5bc700ae55b9a013c596021ccd13

        SHA256

        33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

        SHA512

        2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

        Download Submit
      • memory/548-134-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/756-143-0x0000000000580000-0x0000000000581000-memory.dmp
        Filesize

        4KB

        Download
      • memory/756-144-0x0000000077BE0000-0x0000000077D83000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1020-136-0x0000000077BE0000-0x0000000077D83000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1020-138-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/1020-137-0x0000000000560000-0x000000000056F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/1020-135-0x0000000000570000-0x0000000000571000-memory.dmp
        Filesize

        4KB

        Download