Overview

overview

10

Static

static

91ee2bd912...f2.exe

windows7-x64

10

91ee2bd912...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2022, 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2.exe

  • Size

    604KB

  • MD5

    30783f4c8176f8c4c0904f708986ce00

  • SHA1

    f3728c58e21b0dada3fb4d84f6a26dcdea95548f

  • SHA256

    91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2

  • SHA512

    5227e7c47a29773804a8800e11b419f19ab1512518d26b7d7dcbb17d6ed3fc2f901d472c02a818d3d80c281e91653603a52b275dbdb1eda47f25bbb387456b1f

  • SSDEEP

    12288:QHiVgpen2Ys7zWjMCKxaiPnW/0cfByu34oN579l5iLOjKDKFiSU:sDW9KciPvyyu34otlKOK+

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2.exe
        "C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2Srv.exe
          C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2Srv.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1056
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1656

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FLGR3ED6.txt
      Filesize

      608B

      MD5

      d4a5a38cf0ffeef511b36e4f0e84dfe0

      SHA1

      2861f7493296c0aeff164bd332dc2db831fd3131

      SHA256

      bbdc8f69995adffc52fef9af6ac60205e5760fe7885e90603ff8956bfc6ef73e

      SHA512

      69fd8c8c0f59daeb648549fad8f69153ac853b31e4949a63b9111c1f532c008b8ea0fbb2ec169481073714407f324e812066536664f3046c9896643e5d5006b5

      Download Submit

    • \Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\91ee2bd912bae2cd88271e3411fd80f48dee2848529305ec6f9577a0980343f2Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • memory/1184-76-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1224-60-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-74-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-64-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-69-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-66-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-70-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-63-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-62-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-61-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1224-65-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1360-71-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1980-54-0x0000000075761000-0x0000000075763000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-77-0x00000000008A0000-0x0000000000940000-memory.dmp

      Filesize

      640KB

      Download