Analysis

  • max time kernel
    151s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 23:13

General

  • Target

    58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618a.exe

  • Size

    158KB

  • MD5

    91b06298af4fce27cd8310dd06d8b351

  • SHA1

    a281062784f8cff691b4a85085af1236885ab3ee

  • SHA256

    58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618a

  • SHA512

    d709e97c9e5539805567a288a8e8a4177aac56644f1eaf88554cd5799af756dcc0025447c0fccfda806a332e4f39a3cc8c29e8c7d902b994afb8c76c650219f7

  • SSDEEP

    1536:Aj4Hq4rJZa6jJXUedPkPcsLxi6VL33uKdTicTuEoldsO56xVH4aFYZr22T5KDtw2:a4zZpjJEuMxF3VL3RnLoixmq87ADtVH

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (9 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Drops file in Program Files directory (3 IoCs)
  • Program crash (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618a.exe
    "C:\Users\Admin\AppData\Local\Temp\58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Users\Admin\AppData\Local\Temp\58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618amgr.exe
      C:\Users\Admin\AppData\Local\Temp\58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618amgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:5016
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 204
              5⤵
              • Program crash
              PID:4824
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4420 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3976
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5016 -ip 5016
      1⤵
        PID:4856

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        103KB

        MD5

        0ff8c1c8de1f818a51512f4d894e30d1

        SHA1

        bd99a343ea5ca5ebdd7207651478a8425054716a

        SHA256

        7cc54785e229b1605103e3219969939eb80f106e9edca3cb380917ac33526d28

        SHA512

        da23767aa25ba5c1bb55c338fa82b1b60853c83fd1e4af28cc023fdd1405b46717bc58137d7bfe7a3a581dcd23de0520ab6ace88434b8cf35b3a0278f516dfd2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        deabbdcb221537d48aed54816739f367

        SHA1

        9ce0f0d21d9bd08823732047e19edbbd909396bc

        SHA256

        494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

        SHA512

        95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        0baa36317270557e842757d883bf520d

        SHA1

        68529024d4e2afbcc394a086a6b6c4ee098279c8

        SHA256

        149eccbaab00372cfd8a82910165b18e1443c32b2320f5940780fa480ff0c023

        SHA512

        b829a19bd01c2b63cdcca0eff2603e8f1cd05ee0f8985b785005c29356b1fa5d2cef2d6e9942524df0ac2be5305c7dcd153da902a9c2fb5609c98d0352953166

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6CD8AFCE-594A-11ED-89AC-5A10AEE59B4B}.dat

        Filesize

        5KB

        MD5

        b5937a87b5fcead0186e0ef0ab7c4cc8

        SHA1

        8bbba544f0336f30cd7881e33a047ba334b53b7b

        SHA256

        37e5cb648f2eacdde171f898ac71cf871c08ff2014e0c8714b39d68482184f0c

        SHA512

        16c4d18214b8819bb355c14f8ef1280ae10f8aa994b8dd378874c3baefd6dfaa8582d5919b4f987ea176f46701f7dc16495d7d7c008cb9f4767fce15c44b62f5

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6CDB0EDA-594A-11ED-89AC-5A10AEE59B4B}.dat

        Filesize

        3KB

        MD5

        1de79fe973267f3eff288f2070d4da11

        SHA1

        f2c70d905738a29ea465b56533a7ddc3c05eea9c

        SHA256

        ec7c336a603b1a509f843e60bf9307a99d4ed16111fb44ecaf29d3d386f816c1

        SHA512

        fceb5934dbb3d0bbf663ac8ba60895a5b99460e2a385e0887d250482dff1848ea2fd52a14ec3f4eef3b623aa29bb53eb7a87ec090a4c39533ed1ac99b738ebb2

      • C:\Users\Admin\AppData\Local\Temp\58f637ca0ce38a97f31ca2821dfcb80ac45905ec469fa72bd2f2d635da1e618amgr.exe

        Filesize

        103KB

        MD5

        0ff8c1c8de1f818a51512f4d894e30d1

        SHA1

        bd99a343ea5ca5ebdd7207651478a8425054716a

        SHA256

        7cc54785e229b1605103e3219969939eb80f106e9edca3cb380917ac33526d28

        SHA512

        da23767aa25ba5c1bb55c338fa82b1b60853c83fd1e4af28cc023fdd1405b46717bc58137d7bfe7a3a581dcd23de0520ab6ace88434b8cf35b3a0278f516dfd2

      • memory/3100-132-0x0000000001000000-0x000000000106C000-memory.dmp

        Filesize

        432KB

      • memory/3100-154-0x0000000001000000-0x000000000106C000-memory.dmp

        Filesize

        432KB

      • memory/3452-155-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3452-148-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3452-149-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3452-156-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4188-137-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4188-136-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4188-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4188-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4188-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB