Overview

overview

10

Static

static

7e5b310d90...0b.exe

windows7-x64

10

7e5b310d90...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 02:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190b.exe

  • Size

    248KB

  • MD5

    596e61d8a201eb3563339eaa6ee76350

  • SHA1

    37eeab0a8bffcf2de32babad1360e80f9d34e003

  • SHA256

    7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190b

  • SHA512

    f6eb64d8d47393b77c5c01cb7fb0860aeb0daa56f1eaf7caf61bcad09b24d764fd5ec8997dd3f68d61976cd1787464e4981db1b83c8ca48c1e24fdd119bfad54

  • SSDEEP

    3072:DR2xn3k0CdM1vabyzJYWqCaaSV18NS40ZgoW6hxdDgmPeZk1VVQLheuCip9pyv58:DR2J0LS6Vh6KZgojdD7OkufpA0Q/bs

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:472
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\sppsvc.exe
          C:\Windows\system32\sppsvc.exe
          2⤵
            PID:1996
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            2⤵
              PID:1804
            • C:\Windows\system32\taskhost.exe
              "taskhost.exe"
              2⤵
                PID:1116
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1076
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:536
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:336
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:868
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:844
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:800
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:756
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:672
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:596
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:480
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                            C:\Windows\system32\wbem\wmiprvse.exe
                                            1⤵
                                              PID:1300
                                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              1⤵
                                                PID:1328
                                              • C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190b.exe
                                                "C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190b.exe"
                                                1⤵
                                                • Loads dropped DLL
                                                • Drops file in Program Files directory
                                                • Suspicious use of UnmapMainImage
                                                • Suspicious use of WriteProcessMemory
                                                PID:1324
                                                • C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                  C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of UnmapMainImage
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1284
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of UnmapMainImage
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1528
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Modifies WinLogon for persistence
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      PID:588
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:780
                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of UnmapMainImage
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1620
                                                  • C:\Windows\SysWOW64\svchost.exe
                                                    C:\Windows\system32\svchost.exe
                                                    3⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1928
                                                  • C:\Windows\SysWOW64\svchost.exe
                                                    C:\Windows\system32\svchost.exe
                                                    3⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1636
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1220
                                                • C:\Windows\system32\Dwm.exe
                                                  "C:\Windows\system32\Dwm.exe"
                                                  1⤵
                                                    PID:1184

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • \Users\Admin\AppData\Local\Temp\7e5b310d90bcb8225ad7aed9a0b663da7399d4d19a0274f7ae22ef8bf41f190bmgr.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    f366b94e5659b913db6a549937a32786

                                                    SHA1

                                                    ae3a4249a0b7165ab8c25a9dafc01cef2599928b

                                                    SHA256

                                                    714aa3429d5ed9f2cbb35e1c203ef4d7a8b83c5902a22eed1975a2340b817dcb

                                                    SHA512

                                                    349604890e182f3cc5dac1245db08fec8de920e3f1ac3cf5bac827700ebadc488f36d1cd8af00dd70e27e17f91d4852cd20c3bd01195d102a8a9f324767eb2e7

                                                    Download Submit

                                                  • memory/588-102-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/588-112-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/588-244-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/588-94-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/780-118-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/780-114-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/1284-77-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/1324-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/1324-66-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/1324-63-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/1324-76-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/1528-110-0x0000000000400000-0x000000000042B000-memory.dmp

                                                    Filesize

                                                    172KB

                                                    Download

                                                  • memory/1528-86-0x0000000000400000-0x000000000042B000-memory.dmp

                                                    Filesize

                                                    172KB

                                                    Download

                                                  • memory/1528-243-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/1620-111-0x0000000000400000-0x000000000042B000-memory.dmp

                                                    Filesize

                                                    172KB

                                                    Download

                                                  • memory/1620-82-0x0000000000400000-0x000000000042B000-memory.dmp

                                                    Filesize

                                                    172KB

                                                    Download