Analysis

  • max time kernel
    179s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2022, 15:29

General

  • Target

    ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79.exe

  • Size

    627KB

  • MD5

    822dd4db315079d9264667ce6d4a5e50

  • SHA1

    fab0f8f43ac79aadb9af2b2550cdbe8d96310762

  • SHA256

    ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79

  • SHA512

    0772cb21c8097fea4f6e76e5789abde85618a2101b9704dba64ff919386a6d823c4d25a78e441fdca8daac7168979c19f994675e70390cc6e76437ec96c173c9

  • SSDEEP

    12288:n+YcUc6SBLLTSEgBAnhc1kGsx9msjwio3Qv3lAh:nv2BLHSn6q1+wio3QP+h

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79.exe
    "C:\Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79mgr.exe
      C:\Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79mgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1760
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
        PID:976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\at.exe
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
        3⤵
        PID:1628
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:988
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x590
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2020
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:880
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:876
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:1980
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1540
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    PID:1528

Network

MITRE ATT&CK Enterprise v6


Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8640B101-58EF-11ED-A645-626C2AE6DC56}.dat

              Filesize

              3KB

              MD5

              e87a2d22cce265c35044ca5724eba365

              SHA1

              cc34d49f8e5d32fa0e3b8a81be9e52364e9cddfc

              SHA256

              6e4778c242498ef5533ccf33e851f910fbf0d23dd676e4f19859e1a692dd7853

              SHA512

              393edc6b5a61a8cb8a8fd492996cd12ca3b0f6511c8e2462c9e94bf9b3f4cb332a2d4ab1d426300c55121afa5a17372d2ee6120cd93a7db4274e3473efa60170

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8640D811-58EF-11ED-A645-626C2AE6DC56}.dat

              Filesize

              3KB

              MD5

              3c97a83f3c805965794508b1a62c949b

              SHA1

              bb29c328bdbf868305642e2bed02e16e258437f5

              SHA256

              4c24c8b38f07259679f5606e5e54a64aa528274b6a2fdbd6995645738788c328

              SHA512

              9a7ce965c1e9c9c498d34cc109af1255a57be4fb59b3c17d64670605a0d403ff336022f17bb4399d72e0a8f7e62a86f7e13432b758c5174f651b7664badd0afe

            • C:\Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79mgr.exe

              Filesize

              340KB

              MD5

              a335e0d50da877e39944d999f990e82b

              SHA1

              9db3ae5b5140756838b023ff3ac11b853023162c

              SHA256

              154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

              SHA512

              52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D5EG6QAZ.txt

              Filesize

              608B

              MD5

              d23202d916f9e5524fa105e00e6fc735

              SHA1

              0726603f921ec4256ad7ca208336615a26601c28

              SHA256

              b414029c7d299b94544743d4a6a223d4348618bc94f5c10df8b60cb6651cf36b

              SHA512

              647b8503075507d116fed0df7784aa075d9dbd37aaba16b01d9140aa7ef9ed351aaaaf4a8160cadb02c1b397c57531d043861634e24d98a1948b46f83a984896

            • \Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79mgr.exe

              Filesize

              340KB

              MD5

              a335e0d50da877e39944d999f990e82b

              SHA1

              9db3ae5b5140756838b023ff3ac11b853023162c

              SHA256

              154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

              SHA512

              52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

            • \Users\Admin\AppData\Local\Temp\ba0da21c3a6b3dd6d271ea74d8165f1cfce474c671c1f0f6db59c9579347ce79mgr.exe

              Filesize

              340KB

              MD5

              a335e0d50da877e39944d999f990e82b

              SHA1

              9db3ae5b5140756838b023ff3ac11b853023162c

              SHA256

              154eb0e8adea973590f21c50913fcdd1618ebc292ebe1e60df20e067c81b4666

              SHA512

              52eaf1f00a4846c34825cde6942dc349feb78da57fe0639bc42ba328bf4756898cafa026a5c56c8b762c0dc5b44485e1f9b12de529819b81af7f4e7b25b40981

            • memory/988-73-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

              Filesize

              8KB

            • memory/1168-72-0x0000000000400000-0x00000000004FB000-memory.dmp

              Filesize

              1004KB

            • memory/1168-63-0x0000000000150000-0x00000000001E1000-memory.dmp

              Filesize

              580KB

            • memory/1168-64-0x0000000000150000-0x00000000001E1000-memory.dmp

              Filesize

              580KB

            • memory/1168-54-0x0000000075571000-0x0000000075573000-memory.dmp

              Filesize

              8KB

            • memory/1168-74-0x0000000000150000-0x00000000001E1000-memory.dmp

              Filesize

              580KB

            • memory/1168-55-0x0000000000400000-0x00000000004FB000-memory.dmp

              Filesize

              1004KB

            • memory/1992-65-0x0000000000400000-0x0000000000491000-memory.dmp

              Filesize

              580KB

            • memory/1992-71-0x0000000000400000-0x0000000000491000-memory.dmp

              Filesize

              580KB