Overview

overview

10

Static

static

6cc446035e...cf.exe

windows7-x64

10

6cc446035e...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 12:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cf.exe

  • Size

    563KB

  • MD5

    479afc9b85f6f79ddf3a1c77485608e0

  • SHA1

    06fc0786770f9169bf66e803563755e3e3393cf4

  • SHA256

    6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cf

  • SHA512

    d457910c793ecf2dc25079e7b464a2cbc574c54117ee9f99050737384e20f105de607371183568884ba89db1fff546b6e9ae886147ac402a6d3c4831830e1666

  • SSDEEP

    12288:WrnkzL6RcJq3U+LKyB/AGBZrTBSn7q8G8luor8S+mGvpB4wrj:WoQcJj8KwBSn+Iw3SpUDP

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cf.exe
    "C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cf.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cfSrv.exe
      C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cfSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4064
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4312

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          7de3527d962389a61a0825bebf9031b7

          SHA1

          ffc04b363ec1d3976e454446827d36813002a9b7

          SHA256

          63db191be3bdce3f969a6f457edaa2bf5c9ec863a311540d719ad80ca9ce4a19

          SHA512

          57220b86487cefb01b4c2b9b904a147ea35133f490d5da092dbf10e1568c14a2f1359ed36529edc779335a9f4530c25a67d2065620379eec0e682b03389ae91d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          57e5179fc378bd24f49825f0c67d529d

          SHA1

          e0b77309f995cf41367db32737cffc2e5e0c5a4b

          SHA256

          0fa3412180c8995789f2c5e23fce46e0a570fbc1bcf0d45b2d77a659a156d3df

          SHA512

          eabf92797726486402c417f4853c0818eeea9e076348fb4f2879db27832d13c2a5188b6e188a80529c43923b447305203b009eb506db90eb94befd32da053f8f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cfSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6cc446035e3c53d9b6c1962abe7c8970e2be0ff0ec2cc5eb9bed4d4dc0c907cfSrv.exe
          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          Download Submit

        • memory/1708-144-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/1708-138-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/1708-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-143-0x0000000000400000-0x0000000000579000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2032-135-0x0000000000400000-0x0000000000579000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3332-141-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/3332-145-0x0000000000540000-0x000000000054F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/3332-142-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download