Overview

overview

10

Static

static

0f1e3f5538...f4.exe

windows7_x64

10

0f1e3f5538...f4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-06-2022 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4.exe

  • Size

    800KB

  • MD5

    229ef6c491a4e2acffb23d47da2a2c5a

  • SHA1

    4740a7672eb26001b987d58d846b96e8d65ba194

  • SHA256

    0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4

  • SHA512

    3f463901b422a661a112416c46749e98b9f7ce5152c95e4a81f9298b1dd315c19b338f5f1cf025e1ba167555c5fe3528830964106d5a6d88a89ed7f452731c3a

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4Srv.exe
      C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3108
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3108 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    4b5f63131c2ad19a1b25b9c790cb101f

    SHA1

    23ffbecbbc2c90699e632a1bb789f5e6c6975fbe

    SHA256

    f712507488d39ee6f3913255fa4e3f64b7f8d7be0c920c02546e3647f87603da

    SHA512

    dc1d4c9b5157e79230fa05b1bde5e76f1ab2bdb08883ec74cccedc3ef88b1dff05fe91b36ab72086be6899d70fa9056d7c19fa0f285578b7cfa141f9e2cb6240

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    434B

    MD5

    109639185483999103c13182150837be

    SHA1

    c34b3f84af34d8a1cc792c121fbd046d40edbb97

    SHA256

    b42d6a30a09d04a5ffe7672b58daf203b7c3c223f3c7b63d499cbf2c02c56eaf

    SHA512

    c9b8b762b2453b6ff33d3ca8cf09a5bfee9ba4c964986232059e78b0800b080fa83ea93cdf194190e01bf0b197a14ecf5518ed498ff24d501d8df3b2536724f6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\0f1e3f55380d17ea4c6e58fbe69ca63ed0c6acec19c59a610d5cc1f3fe0e91f4Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit
  • memory/968-130-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/968-139-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/1568-131-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-136-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2724-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2724-138-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download