Overview

overview

10

Static

static

8

e26b565cbe...7a.exe

windows7-x64

10

e26b565cbe...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2022, 17:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a.exe

  • Size

    111KB

  • MD5

    0880b69d95271d98fda80ecbd5fd3ee8

  • SHA1

    b0c2e4bbe31bfbc420f109ba228215422d7684b5

  • SHA256

    e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a

  • SHA512

    7cd4fbd2e9c461f0973426419996bb77e0cf22f5fbbdf960da692454cd7bdfd45f079dca3a5e5efa4e74e4cfd47ce322c009f5163194c69cdab883bc3d8be624

  • SSDEEP

    3072:TROzoTq0+RO7IwnYWuSiwMjBik++Zyh8XfB:1kdNwBMZx++ZqeB

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a.exe
    "C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027aSrv.exe
      C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027aSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:568
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:608
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:672
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:764
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:808

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          0880b69d95271d98fda80ecbd5fd3ee8

          SHA1

          b0c2e4bbe31bfbc420f109ba228215422d7684b5

          SHA256

          e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a

          SHA512

          7cd4fbd2e9c461f0973426419996bb77e0cf22f5fbbdf960da692454cd7bdfd45f079dca3a5e5efa4e74e4cfd47ce322c009f5163194c69cdab883bc3d8be624

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          0880b69d95271d98fda80ecbd5fd3ee8

          SHA1

          b0c2e4bbe31bfbc420f109ba228215422d7684b5

          SHA256

          e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a

          SHA512

          7cd4fbd2e9c461f0973426419996bb77e0cf22f5fbbdf960da692454cd7bdfd45f079dca3a5e5efa4e74e4cfd47ce322c009f5163194c69cdab883bc3d8be624

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{34480771-41C2-11ED-A50E-C6457FCBF3CF}.dat
          Filesize

          3KB

          MD5

          dd8bf923d848e0a66bfc8b2b4a1ec414

          SHA1

          75a35da248328d41caa5e9426bb2fbb55c730732

          SHA256

          9ee85537aab8d8a97203ea291f8d0008347d8cd73617ea8ce92b69d0fc8a1cc2

          SHA512

          c57aff6e787695bc2646205634b666202fda1026a6ac9f0f6d78d0b64dd916a62adccaf8bfc16e746de6bd19635c4387c8309d8c6215ed94ea0b44fb537057da

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{34615BD1-41C2-11ED-A50E-C6457FCBF3CF}.dat
          Filesize

          3KB

          MD5

          8fb1e42dadb4dc4aef9947c5a60f0d98

          SHA1

          38cfa2aebb33bdca25de9bd78daae7532e6eff04

          SHA256

          7e3c80e2c9b3dccf8529f8cd1210bdb1d5cb5ba1ebe4748391fb61ff3ac9d178

          SHA512

          9e91f8ec26dc8acc7109d46a115a4fa2e4934c25de8c72ee4c01002957cc6e9e0445c1c7730a4d5f64982ecc4b0fde5ad3c78ce31fb9e3389cb6afc23d70fbbf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027aSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027aSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2OUMLTG4.txt
          Filesize

          603B

          MD5

          48dfbdfcc24c9c3e4c946f1d7be2a237

          SHA1

          fb781eab3b8ec7c583ca9f7ef2348235135cebec

          SHA256

          5058d03fffdb0d023229641190470e5206e29175ec1fccd4699fd2e97f5f2328

          SHA512

          643d6efdb959eaf315ce725c1a058a63743c94a8b13f60c117f64f878bbca8eac26e87a95e3b8e35f2c4d4a1acdfc1d19771e24fc69f001293f4f157323b9ab4

          Download Submit

        • \Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          111KB

          MD5

          0880b69d95271d98fda80ecbd5fd3ee8

          SHA1

          b0c2e4bbe31bfbc420f109ba228215422d7684b5

          SHA256

          e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027a

          SHA512

          7cd4fbd2e9c461f0973426419996bb77e0cf22f5fbbdf960da692454cd7bdfd45f079dca3a5e5efa4e74e4cfd47ce322c009f5163194c69cdab883bc3d8be624

          Download Submit

        • \Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • \Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\e26b565cbe44e1fddb05dd5c304338bee6046d7df113d63fce5b78703e1c027aSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • memory/608-79-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/908-64-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1532-76-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1732-71-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2016-63-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download