Overview

overview

10

Static

static

8

d80e8d886e...6d.exe

windows7-x64

10

d80e8d886e...6d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    105s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06d.exe

  • Size

    652KB

  • MD5

    29b0c574a132ce32f3ec06a951a73cb7

  • SHA1

    c4dcf8d8236b64f1dd44f2c3ec4abc93cfa0be56

  • SHA256

    d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06d

  • SHA512

    65e175a6cc9cfae3e6d0932190005a45dfcfae4e2a05a5f2cb4d0811acbbaf7b029c16541c5ad6028912db823081276cb97a24efd0b701b0724b447e57883591

  • SSDEEP

    12288:DkXSVWWAuE+ppEOyWMKQ2NywhyvOCrgPxp/jN0ji23R3Yh6dFJyl0GwXRlMe:9ZAulrLmK1RsOCrg/jNN2R04FJylgB+e

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06d.exe
    "C:\Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06dmgr.exe
      C:\Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06dmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1552
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B73C16D1-6B8E-11ED-A5BF-5242C1400D5F}.dat
    Filesize

    3KB

    MD5

    69c0f2e75c64e9bc4174aaa4eab224d5

    SHA1

    94a3e1c61acffa0f87d770458695b4f5bb89f3a8

    SHA256

    5831cd042c652ce2831693b99a9d0339951b0ef5422f39a57eeeaaa4b6f2a0ef

    SHA512

    b1d00f0a7d3d250df69bd52529f8c9d28d3cc80a9ef1275aed3ee31b81e280a156a428e18c08ae82967035e4b4a9146ce77f8cf368a8b760378b2bceb88d92d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B73C8C01-6B8E-11ED-A5BF-5242C1400D5F}.dat
    Filesize

    3KB

    MD5

    06b36b7e59571f5f9c3124d5d9dbb76e

    SHA1

    c482335f9a054315917c842915b7170dbfa7ccfe

    SHA256

    a4746e5d1cef39ebebe09f1c19df52ca2537b8f38c86259123cb7baf6f744acd

    SHA512

    807766c71ea41afca489aec26cdc756b8b5c29b6cfcd8ed211f0e6a7491cd97ec001aced0c0b993131abaeb30b85c3654cb3053eb477ab65220d6af4bba48c47

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06dmgr.exe
    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\95RP4GD8.txt
    Filesize

    607B

    MD5

    fe95d0fa8c9f29a060a41b6ac4dfae8f

    SHA1

    b73ca3920eec3b119e7e6c51acec50e7bc98df91

    SHA256

    78c47b76b4173770643914968c64f1f779e08281d29b042892a434484f76051d

    SHA512

    0c5e0a5157d863ad12f26f451e70be941e122bbb2f9fa3efec969071655d7fd79f51f8f7876ead6608b09efeda90d0168b50bd490c8e800b61e2b6a4fd5a64eb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06dmgr.exe
    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

    Download Submit

  • \Users\Admin\AppData\Local\Temp\d80e8d886eba78704e090cbee74b6628f21352a57fc870c2c99064ea2563b06dmgr.exe
    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

    Download Submit

  • memory/816-57-0x0000000000000000-mapping.dmp

    Download

  • memory/816-61-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/816-64-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/1340-60-0x0000000000320000-0x0000000000383000-memory.dmp

    Filesize

    396KB

    Download

  • memory/1340-59-0x0000000000400000-0x0000000000B69000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/1340-65-0x0000000000400000-0x0000000000B69000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

    Filesize

    8KB

    Download