Analysis

  • max time kernel
    153s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/11/2022, 09:00

General

  • Target

    4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f.exe

  • Size

    126KB

  • MD5

    131d36fb1f24847f7b861246b9eecb82

  • SHA1

    024c063173f9fd377247deae0b01404af51146ef

  • SHA256

    4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f

  • SHA512

    e05c76d39e8c437dc222744b07a19e6c652f5770122aec03182710762330b0cc1017ab407f57c27a1064513d749d9c3b22bcdcf93623bfc92dfa0a06bc1b3730

  • SSDEEP

    768:106R0UugnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9IC3:jR0Cn3Pc0LCH9MtbvabUDzJYWu3Bg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f.exe
    "C:\Users\Admin\AppData\Local\Temp\4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in System32 directory
        • Drops file in Program Files directory
        PID:972
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:668
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:820

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe

    Filesize

    126KB

    MD5

    131d36fb1f24847f7b861246b9eecb82

    SHA1

    024c063173f9fd377247deae0b01404af51146ef

    SHA256

    4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f

    SHA512

    e05c76d39e8c437dc222744b07a19e6c652f5770122aec03182710762330b0cc1017ab407f57c27a1064513d749d9c3b22bcdcf93623bfc92dfa0a06bc1b3730

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FFB3D220-5DC6-11ED-A674-466E2F293893}.dat

    Filesize

    3KB

    MD5

    1c4885feca2ba3cd9db7c77b35ce9fb6

    SHA1

    5a8833a5e9d8540f9ef5251995c5481407be62c2

    SHA256

    f2c7cf177251a4cbb7472c1e8580c63b57fc2fa5a879130612c7830de816c264

    SHA512

    a8f2577de0a131152ff5a0cdd53ceb2b8680625961747d40bc723ddc1fa3cece1c472709ee8aba67189194b5a4e697eeaf9bdb3732fb48aa6d2d06f725aac640

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FFB3F930-5DC6-11ED-A674-466E2F293893}.dat

    Filesize

    5KB

    MD5

    271d4df766cdb00af15cce31aafc86fe

    SHA1

    67ea71d585cd725cfa38ce6a1af9b8a5ee095fe2

    SHA256

    36c535959ab271596fd98c352a972651d0ade4a631d7a3ed91f51b05d16d6908

    SHA512

    32c61601879805aa25614cea93de6ca2f3bed0b37b9a0fb37a7bd03ad5b39e51f320eec7e109b12c91d856edfddbdf6c3a7ecb9208b5a98eae46d988e0c82d26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2234CAD6.txt

    Filesize

    603B

    MD5

    082b5304e7ead2d96cfde545e31f0b77

    SHA1

    d55f0012e1d41468b1c4bbf4f8f2fa3f57f3b300

    SHA256

    0d1eeef19ddffab1904962184c7fe27a2367affffde4d25e565788554da91a9f

    SHA512

    6fe883edcc33993a9fc30bff8f035a80e433631f0f24564c8b670f00ea6fa39982c91369877aae2b0bb9127e2c1961b0b0bb11169457c11470d725e56a0ee0fd

  • \Program Files (x86)\Microsoft\WaterMark.exe

    Filesize

    126KB

    MD5

    131d36fb1f24847f7b861246b9eecb82

    SHA1

    024c063173f9fd377247deae0b01404af51146ef

    SHA256

    4a0c9a68ecf1ec1ed13f0bf696e94c8fd51a522cf1fb74ff8b353065fae4772f

    SHA512

    e05c76d39e8c437dc222744b07a19e6c652f5770122aec03182710762330b0cc1017ab407f57c27a1064513d749d9c3b22bcdcf93623bfc92dfa0a06bc1b3730

  • memory/972-76-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

  • memory/972-72-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

  • memory/972-80-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

  • memory/972-82-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

  • memory/1668-70-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1668-81-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1948-63-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1948-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

    Filesize

    8KB

  • memory/1948-58-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1948-57-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB