Overview

overview

10

Static

static

8ebca769d5...20.exe

windows7-x64

8

8ebca769d5...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 17:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20.exe

  • Size

    106KB

  • MD5

    0d454437babe133986e722b159fd3152

  • SHA1

    dc0b2d742f79f8d133e99d85e105bdd99f1eebd6

  • SHA256

    8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20

  • SHA512

    0169cb311d32c7921bcce580095f3998bedc36350e89dba4aba5af8b9df06a83b2da5db5605ef79d9c78ccafc8e25a90930f0ed9a51640e642d5cbef87f78e15

  • SSDEEP

    3072:ikfkI67f8BNgh1XiciVSz1xWrbCOs42kSN:9fkpDm1cyy1xkps4FSN

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20.exe
    "C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20mgr.exe
      C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:4148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 204
              5⤵
              • Program crash
              PID:4956
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3076
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1800
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 4148
      1⤵
        PID:4124

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              Filesize

              59KB

              MD5

              0e0f0ae845d89c22bb6385f64a6b85fd

              SHA1

              0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

              SHA256

              5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

              SHA512

              baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

              Download Submit

            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              Filesize

              59KB

              MD5

              0e0f0ae845d89c22bb6385f64a6b85fd

              SHA1

              0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

              SHA256

              5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

              SHA512

              baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52D90E9D-5F58-11ED-B696-5203DB9D3E0F}.dat
              Filesize

              5KB

              MD5

              f5bf7677821b1904e484b70f1a2f1d57

              SHA1

              4842a037ae2fb70c3b8b9da1dbccb82d34383ae1

              SHA256

              71bd7a976d39d5b249e0fe229c8f724bbf076b8e9388244731858f786e032c3a

              SHA512

              455b2b96d30e09bde9a79e2b5828e3fb83442f7b1a13ae7d28a19c638ca61299024443e9fb034f7f95c2ad96135648747bf95363739340faabac833dfc2c3270

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52DB70BE-5F58-11ED-B696-5203DB9D3E0F}.dat
              Filesize

              5KB

              MD5

              21702ed6badd2543c36e1e6235033b62

              SHA1

              10e4018e24342e964175039cfa2854815f482747

              SHA256

              78569ff57da9bcda5dd67f30af04308b9935865a6146ff2d227d10a76c8ca422

              SHA512

              32027fdf9e088db996eabca57fa65757d5bbad5488eca7d6398f5e372b7dbbafa8a2202c9e8020e8327547c5136763f368ce3eb7a30d129f5f2300e09819ca13

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20mgr.exe
              Filesize

              59KB

              MD5

              0e0f0ae845d89c22bb6385f64a6b85fd

              SHA1

              0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

              SHA256

              5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

              SHA512

              baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8ebca769d5c8964a8904c360cd4186330a4c495fb569b14b314e274777fa3c20mgr.exe
              Filesize

              59KB

              MD5

              0e0f0ae845d89c22bb6385f64a6b85fd

              SHA1

              0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

              SHA256

              5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

              SHA512

              baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

              Download Submit

            • memory/424-132-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/424-153-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3008-139-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/3008-144-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/3008-138-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/4872-150-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-151-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-152-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-156-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-157-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-158-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

              Download

            • memory/4872-159-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download