Overview

overview

10

Static

static

cf82b0ccf6...0f.exe

windows7-x64

10

cf82b0ccf6...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520f.exe

  • Size

    80KB

  • MD5

    b4df4ccd5c976f8fe77c90d49b62c58c

  • SHA1

    51b76e5f8a17af37a775494963b72285463483ae

  • SHA256

    cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520f

  • SHA512

    0e04179206073f5debe7cff90f751861d303d495f873867e375ba2a1d5deab86a53144b0e38811a7348c2000956d6232152a5945f0b79cc970cd4aed3dbc3cd5

  • SSDEEP

    1536:Wn78M/J6C4q5Mv0l+wzBoW+a54xqVa3dWQ4WEyrkz:tMRd47v0bBP+a+xqVa3djr

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520f.exe
    "C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
      C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:768
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A54B3A51-70AC-11ED-85B0-72E6D75F6BEB}.dat
    Filesize

    1KB

    MD5

    72f5c05b7ea8dd6059bf59f50b22df33

    SHA1

    d5af52e129e15e3a34772806f6c5fbf132e7408e

    SHA256

    1dc0c8d7304c177ad0e74d3d2f1002eb773f4b180685a7df6bbe75ccc24b0164

    SHA512

    6ff1e2e6b99bd0a4ed7ca8a9e943551bcd73a0befcace6f1b1106e88595c0846c9bb76ca99a33266ffec2440cf6a440090f803abbf28b208a6c7bc6310beb39e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RI7RDWUF.txt
    Filesize

    606B

    MD5

    1499e96e4db1791142aff6f78984f89c

    SHA1

    6aeef33ae7d51e3ada7a30818b2c16aaf1a30dbb

    SHA256

    223b536b2cad659d5c3a7dbee64438361e89bd0f7246f10df8d1dccd2cbd2f89

    SHA512

    dc529940011988f2599a7578db927438c96c63879d93411f8f28d2329630d5bddb7e886a4c87653840749c6ce25cbfd6fdba8f5503ac50be9d05cb31ac27cfae

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\cf82b0ccf68893ee4b8d6a0aa223a4f1fc0ab8e1faccebd9e154fa3afbbe520fSrv.exe
    Filesize

    39KB

    MD5

    7b9c72733b615919a28f1011958b818f

    SHA1

    de615eab8b5e75719cb4054c61fe32413a1d33b9

    SHA256

    c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

    SHA512

    ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

    Download Submit

  • memory/1132-59-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1172-63-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1608-66-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download