Overview

overview

10

Static

static

9af414175d...a6.exe

windows7-x64

10

9af414175d...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6.exe

  • Size

    888KB

  • MD5

    82e29f4581342f7d18464fe7935bb600

  • SHA1

    e0220e5ba3023f2fb42c2f9d379b809c3f2f7aca

  • SHA256

    9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6

  • SHA512

    2ad530c75edc9c62b15ae1384b4c7f1a7b83d7407bab08ba580d540e1f09c423beda98006b1b3931447c82d78b783860e43541e545f2a206f70d78a153a1134e

  • SSDEEP

    12288:VHATf2ycdFG9+krC8MIvumXdw9eDuUltBeDuUlVEtEvVxpbN:Va2ycPU+krC8tWAw+yxpbN

Score
10/10
ramnitbankerspywarestealertrojanworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6.exe
    "C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6mgr.exe
      C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6mgr.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2040
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 84
            4⤵
            • Program crash
            PID:1120
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3792
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2220
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:82948 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1688
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          3⤵
            PID:4728
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 204
              4⤵
              • Program crash
              PID:4204
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3452
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              4⤵
              • Modifies Internet Explorer settings
              PID:4340
          • C:\Users\Admin\AppData\Local\Temp\dcyegitogmrnjybv.exe
            "C:\Users\Admin\AppData\Local\Temp\dcyegitogmrnjybv.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2040 -ip 2040
        1⤵
          PID:4560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4728 -ip 4728
          1⤵
            PID:4508

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6mgr.exe
            Filesize

            111KB

            MD5

            01d78731e0877a900ba8777f796b1e70

            SHA1

            fcb262d14c928c5b23aa377222bcba6ed0f8fa4a

            SHA256

            1b834256d4ed7160962cbd6b87ccdb1833853f69aaf271ac74af6dcd013d029b

            SHA512

            ee177f1536d2dcacee156b3367e9bec01760a214bb61538041ebd4d178c13a3b8f829e2826c8d2339ba8041eaf53929cebc86bf3e7b22dbeb9b314e30fe5143a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9af414175d1a699f426f5c071c691a560633db47b8d59c9f53298a6eebb206a6mgr.exe
            Filesize

            111KB

            MD5

            01d78731e0877a900ba8777f796b1e70

            SHA1

            fcb262d14c928c5b23aa377222bcba6ed0f8fa4a

            SHA256

            1b834256d4ed7160962cbd6b87ccdb1833853f69aaf271ac74af6dcd013d029b

            SHA512

            ee177f1536d2dcacee156b3367e9bec01760a214bb61538041ebd4d178c13a3b8f829e2826c8d2339ba8041eaf53929cebc86bf3e7b22dbeb9b314e30fe5143a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dcyegitogmrnjybv.exe
            Filesize

            111KB

            MD5

            01d78731e0877a900ba8777f796b1e70

            SHA1

            fcb262d14c928c5b23aa377222bcba6ed0f8fa4a

            SHA256

            1b834256d4ed7160962cbd6b87ccdb1833853f69aaf271ac74af6dcd013d029b

            SHA512

            ee177f1536d2dcacee156b3367e9bec01760a214bb61538041ebd4d178c13a3b8f829e2826c8d2339ba8041eaf53929cebc86bf3e7b22dbeb9b314e30fe5143a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dcyegitogmrnjybv.exe
            Filesize

            111KB

            MD5

            01d78731e0877a900ba8777f796b1e70

            SHA1

            fcb262d14c928c5b23aa377222bcba6ed0f8fa4a

            SHA256

            1b834256d4ed7160962cbd6b87ccdb1833853f69aaf271ac74af6dcd013d029b

            SHA512

            ee177f1536d2dcacee156b3367e9bec01760a214bb61538041ebd4d178c13a3b8f829e2826c8d2339ba8041eaf53929cebc86bf3e7b22dbeb9b314e30fe5143a

            Download Submit

          • memory/1712-148-0x0000000000400000-0x0000000000437D10-memory.dmp

            Filesize

            223KB

            Download

          • memory/4956-141-0x0000000000400000-0x0000000000437D10-memory.dmp

            Filesize

            223KB

            Download

          • memory/4956-137-0x0000000000400000-0x0000000000437D10-memory.dmp

            Filesize

            223KB

            Download

          • memory/4956-136-0x0000000000400000-0x0000000000437D10-memory.dmp

            Filesize

            223KB

            Download

          • memory/4956-147-0x0000000000400000-0x0000000000437D10-memory.dmp

            Filesize

            223KB

            Download

          • memory/5040-140-0x0000000000400000-0x00000000004F2000-memory.dmp

            Filesize

            968KB

            Download

          • memory/5040-132-0x0000000000400000-0x00000000004F2000-memory.dmp

            Filesize

            968KB

            Download