Overview

overview

10

Static

static

8

51f0adfa1a...c9.exe

windows7-x64

10

51f0adfa1a...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9.exe

  • Size

    220KB

  • MD5

    6241dd3fac47cc85ceb3a3a393e5a9c1

  • SHA1

    87690d849de99a7bdd6334ff25c24a105fe51c80

  • SHA256

    51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9

  • SHA512

    9d03fcf12fb87fffffae751fed64698ff8ac4ea5aacc69dd8e4f91ad646a1979aea28393f7298cda3d909df1fce8fa6f4a7374f5e382e07fc19ec32851a29832

  • SSDEEP

    3072:2ROzoTq0+RO7IwnYJOqpv5pINcM48iQqjm295F7XJivcuXXJZ3p/k7nISR:okdNwBkpvp3HN7XJJuf5M5R

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 7 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9.exe
    "C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9mgr.exe
      C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9mgr.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 180
        3⤵
        • Program crash
        PID:896
    • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9Srv.exe
      C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9Srv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:764
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D6430ED1-43E8-11ED-A94D-C6F54D7498C3}.dat
    Filesize

    3KB

    MD5

    404a275216174669480ad1e64ab02525

    SHA1

    d72b5f2434751c83f083bfd8112b30adf1da0a16

    SHA256

    8fe27f2a386beb6237ab8783d14c7642cc7526876f55f8d5161bd9b7bcb06e42

    SHA512

    dd3e20f8f5fde2a5961c122a05460e7b7d94c61f4ac7162d884d252de4a2f4259f16ff186bfaeb5e5ef336f5057d298fd817376b63c79d945ec1df5e2dfdaa1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D64335E1-43E8-11ED-A94D-C6F54D7498C3}.dat
    Filesize

    5KB

    MD5

    59bf9bd88fdfd23fccab9606e9dce824

    SHA1

    ce83bcbdb5af777a42afa37650c2bef54355b1c9

    SHA256

    27899e124ae2378ea7b9b41f755859855af9f27aabcb8a9def2b08f4aa790b9a

    SHA512

    785dca1dc4668925eaeafa7d27c7411a219912fd872b46ed1e972d332e4a488a7640c93d7570aaae64a4e7e25cc180a7ec8c8848cc68368d2823a46ffb1d4942

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9mgr.exe
    Filesize

    106KB

    MD5

    7657fcb7d772448a6d8504e4b20168b8

    SHA1

    84c7201f7e59cb416280fd69a2e7f2e349ec8242

    SHA256

    54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

    SHA512

    786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DY1FI3DT.txt
    Filesize

    608B

    MD5

    baf8ec48b46891e0f248b838e0a22ff1

    SHA1

    d41a5ad7d003a294a0aec08a268b89f2fdd9b118

    SHA256

    bd3010d45f6bb4555b5b3213e4c5b26501be418b6aa3a280368e003f6affa836

    SHA512

    4f714ba8c9d10a0c68dc319750d739dce56d040f0331ba95556cd9b7c9e495e98cdf64aeffad99f8995eec0d245105df9bcccfe1d14ab2f0fee2bc2bf124a6e5

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9mgr.exe
    Filesize

    106KB

    MD5

    7657fcb7d772448a6d8504e4b20168b8

    SHA1

    84c7201f7e59cb416280fd69a2e7f2e349ec8242

    SHA256

    54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

    SHA512

    786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\51f0adfa1a2796e0f95dc6adaca96739145bcbf0afdb16d5cdadc94e498010c9mgr.exe
    Filesize

    106KB

    MD5

    7657fcb7d772448a6d8504e4b20168b8

    SHA1

    84c7201f7e59cb416280fd69a2e7f2e349ec8242

    SHA256

    54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

    SHA512

    786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~TM983.tmp
    Filesize

    1.2MB

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~TMA30.tmp
    Filesize

    1.1MB

    MD5

    9b98d47916ead4f69ef51b56b0c2323c

    SHA1

    290a80b4ded0efc0fd00816f373fcea81a521330

    SHA256

    96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

    SHA512

    68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

    Download Submit

  • memory/548-82-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/548-83-0x0000000000240000-0x000000000026A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/548-81-0x0000000077BE0000-0x0000000077D60000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/948-72-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1440-79-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1808-73-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1808-59-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download