Overview

overview

10

Static

static

8

a0e7a684f5...84.exe

windows7-x64

10

a0e7a684f5...84.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    112s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe

  • Size

    109KB

  • MD5

    5136003f12ee4676b47c4c902c495200

  • SHA1

    7f596e40832b6855ec156ae2170529700d8dcdb2

  • SHA256

    a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84

  • SHA512

    6f4f2fd0b4ec5ab927257cdfad1f50d0c5652a229e1a7bf14c11cc49e1025f982324e75003543fd9ce8b27da3da71478ac89ec2a9971e2c5f220442584a45b01

  • SSDEEP

    1536:sLOC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9Tf8:YwV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
    "C:\Users\Admin\AppData\Local\Temp\a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1980
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF53CA01-6B66-11ED-9C90-C6457FCBF3CF}.dat
    Filesize

    3KB

    MD5

    875597859dabe6e748a32d133b9238e7

    SHA1

    9c3a403e9c32ede3640aedc742d4c80ccaf90b0a

    SHA256

    7da0e639a285ed3f753643413fefc00d06acf24e7927fd9ae58a30fbd1145f9a

    SHA512

    9bed7dc86186167de8e03421ae661d566f2ecdcbd6d2345e444e90c04a41fb9feb420a75cf2da20c8e4bfc0277d012665bd6bbda73ab466d1442b4d26b77ec69

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF559EC1-6B66-11ED-9C90-C6457FCBF3CF}.dat
    Filesize

    4KB

    MD5

    97538ab1d2735331d2ed1d44970ff40d

    SHA1

    26dcda8eba087cda6984f8aab2d29632e8668a9e

    SHA256

    fd684c7a93356ad553915b138242144f8ff27fa1c2c0759a107f08efabb4fa0c

    SHA512

    5f8140ca172c969ebea768ffca666b29a37d87d178ca3e30c8b74b25eec5f026c4367c5485025c6c8683cca09e1520b4451679e1e0e07335c642358e8257a30a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\837HIC8K.txt
    Filesize

    600B

    MD5

    b68c33a9b2082a191edafb9efa8686de

    SHA1

    5a9c0a5aed78849476dd3592709894388eb07d27

    SHA256

    5f3d301c970f849d10ecc406f4a4b85658413e1875bc65f0f5f61b59b069a786

    SHA512

    edb7f6b4a9229d8fa14a6c43d79edaf591eaef30e7d5e31d8f9038d3f0eba17ed2cdda3f1af711edc63f680d24d6b07a823f34ea97e39119b0a55f60f88169d1

    Download Submit
  • memory/784-54-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download
  • memory/784-57-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download