Overview

overview

10

Static

static

5

d58482d9af...66.exe

windows7_x64

10

d58482d9af...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe

  • Size

    3.3MB

  • MD5

    29ec167f930bbf8256a66463872ff525

  • SHA1

    4acb67568804342520d71aed66d3d4fc0feac49e

  • SHA256

    d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266

  • SHA512

    63c1418dd42618f84d68c3fb74356f97f94b1734ee4e28df63dae1632b8a16eef120017070e824ff496aca11ebade6636f6fa7ef52481a3fba258d9005a3886b

Score
10/10
ramnitbankerbootkitdiscoverypersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe
    "C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exe
      C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3116
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82948 /prefetch:2
            5⤵
              PID:4880
      • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
        "C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3640
      • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
        "C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe"
        2⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Writes to the Master Boot Record (MBR)
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3316
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      1⤵
      • Modifies file permissions
      PID:2052
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      1⤵
      • Modifies file permissions
      PID:5056
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      1⤵
      • Modifies file permissions
      PID:4624
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
      1⤵
      • Executes dropped EXE
      PID:1516
    • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
      C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
      1⤵
      • Executes dropped EXE
      PID:4092
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
      1⤵
        PID:3916
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
        1⤵
          PID:436
        • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
          C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
          1⤵
            PID:3652

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            3c94b790a4d3d3813b9804b360811c02

            SHA1

            9b42bca99be723330c45b22abb0698f77ef8077a

            SHA256

            7bc88a561babff736195edc916e12556d4a870e9dc94e649adff7d6859468d93

            SHA512

            594410b019fde2552e456bf87934eab332c73d5a1c73c3fac27886bb2c8f2b2c174acb0fa5f67b40a4b41339cff713b239eab680c6dd7aab00aacaf8e38538b8

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
            Filesize

            1KB

            MD5

            7623bc9ad70d651acdac234ef7c6e036

            SHA1

            f4070c6a495590d00ff963967b3e50347ae5f538

            SHA256

            f1f125297a630ef1d5b9015097b1d15192561c1f94ba0a0d01f4ef2469c3c543

            SHA512

            77b9ac8c76db71926eca9e15e51bb709b136f7a1837fa8b4b2f6545088072bc8ec0e0374bf5aafc4dc0ae009314d4622f4c30d8a652bc3dbca2eecb73116112c

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
            Filesize

            1KB

            MD5

            4d965f04ee6c54371570bcc0746daa4e

            SHA1

            b7779931f77414f4c4fccd0e3ba1385bcfb3c070

            SHA256

            7253bfdd76e55efa6931e3cf901086efa72aca24d45919a42f0e6ff0c9efe037

            SHA512

            72b914915ce67faa8c0e626808c80a93bd634fbd0550c147b63244edc84b4d95b52880a4af1f5368546cf67036063c3472d7bcf98773fc3cc8ef130107a46481

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            c898493dca05d53a6bbd23a751ebd89a

            SHA1

            bb777e2b1b117574226346ce5563b62a4dba5fb5

            SHA256

            10aaa98289d714204b6c139e97ee950cb31426c9e0439d6b1aed895cc4245a8a

            SHA512

            adc4a4358ef720428a3bfbef84163cbbb1fa1eb53b665338d43a831d2c1ad823e10788c6ae5df5faae424cda0e598500e58dfe27916ed8023ca78dadf8537b67

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
            Filesize

            540B

            MD5

            646f45e1e9fbc97ed92015b08b62e44a

            SHA1

            c69c54377557e7d6eb20cd45df7d8c25c132bdf2

            SHA256

            5ebd70effb4a62042acfedcb28764973c6fdc36df5d77e43eff8ef1b06dd0c40

            SHA512

            7363b1fdfaf3e92867a998dd539bfff53bc0eacbc121f3de520ded608bd6403064e0ef8f40dad1cab900751ad2a017fb3de0a96ac8716b9b369d3fe100b8686a

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
            Filesize

            492B

            MD5

            09cac9713cc06ba46e8bb643e11c1610

            SHA1

            a0c9c7ad2576fda3841e66b9fb623a2ac27c87d5

            SHA256

            62421453106931e5d590b4f89bf3b006ed61137167cacb62149104e5fce42c35

            SHA512

            7849c42b36a824fee01a9dedb50813c7416341d4c0be8d380af9c0a8862deeac6c201f1e40c6c97ef459ce7e36a421d32367e596e5ceb9afeb9889c9ede8a7e7

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
            Filesize

            1KB

            MD5

            ff19d1da3bd4a25505050cff50ea379c

            SHA1

            ed7b979c36005cb86da8d7ccc2f05ae0d749f055

            SHA256

            4d0d5abe3f81179d7946315d0f339c5c9fc17c95b7a4eec334cbcd2692a6ba34

            SHA512

            ebc48a92985a4751441cc96ed36138435ec40e071a00925fe4ad26fb74546e0a9eedbb271465cbbec8456c4335f7af319d5fd9d8200f79861401724502a4e545

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\d58482d9af4f9b69008295ba2684f0b249a699162e44319a74cab4cba3a77266Srv.exe
            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
            Filesize

            978KB

            MD5

            c19991ba8335387ae24c6cd7ef25e9d4

            SHA1

            6464ef5c79840112e56bd733b2fd6db599f46467

            SHA256

            bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

            SHA512

            f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
            Filesize

            978KB

            MD5

            c19991ba8335387ae24c6cd7ef25e9d4

            SHA1

            6464ef5c79840112e56bd733b2fd6db599f46467

            SHA256

            bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

            SHA512

            f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
            Filesize

            2.0MB

            MD5

            1c4a6c4af547084522341fd581796e7b

            SHA1

            465609a615eb247b83d011317943f30ceeb46904

            SHA256

            e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

            SHA512

            186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
            Filesize

            2.0MB

            MD5

            1c4a6c4af547084522341fd581796e7b

            SHA1

            465609a615eb247b83d011317943f30ceeb46904

            SHA256

            e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

            SHA512

            186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

            Download Submit
          • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
            Filesize

            978KB

            MD5

            c19991ba8335387ae24c6cd7ef25e9d4

            SHA1

            6464ef5c79840112e56bd733b2fd6db599f46467

            SHA256

            bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

            SHA512

            f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
            Filesize

            978KB

            MD5

            c19991ba8335387ae24c6cd7ef25e9d4

            SHA1

            6464ef5c79840112e56bd733b2fd6db599f46467

            SHA256

            bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

            SHA512

            f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
            Filesize

            978KB

            MD5

            c19991ba8335387ae24c6cd7ef25e9d4

            SHA1

            6464ef5c79840112e56bd733b2fd6db599f46467

            SHA256

            bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

            SHA512

            f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661\atmlib.exe
            Filesize

            832KB

            MD5

            75b11bf69d229e8b3a190bf3cfcdc4d8

            SHA1

            692511bd734cb753b3bd3f8bf2f814a23ce2799d

            SHA256

            314aba4e9913b8ad4f08efbf0cb129e851204f23a3056919da591985f91e8f32

            SHA512

            75819bfce1d70ac3166f160ee6b7dd6a208dae00a753993587a8e2e5187219fba62404ddf1eae62c369763aedf3048d29662566e158d4eb28b96d321e8c15b69

            Download Submit
          • memory/924-135-0x0000000000400000-0x000000000042E000-memory.dmp
            Filesize

            184KB

            Download
          • memory/924-134-0x0000000000690000-0x000000000069F000-memory.dmp
            Filesize

            60KB

            Download
          • memory/924-131-0x0000000000000000-mapping.dmp
            Download
          • memory/2052-149-0x0000000000000000-mapping.dmp
            Download
          • memory/2260-140-0x0000000000000000-mapping.dmp
            Download
          • memory/3316-145-0x0000000000000000-mapping.dmp
            Download
          • memory/3468-139-0x0000000000400000-0x000000000042E000-memory.dmp
            Filesize

            184KB

            Download
          • memory/3468-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3640-143-0x0000000000000000-mapping.dmp
            Download
          • memory/4624-150-0x0000000000000000-mapping.dmp
            Download
          • memory/5056-151-0x0000000000000000-mapping.dmp
            Download