Overview

overview

10

Static

static

b6a7db5c9e...0c.exe

windows7-x64

10

b6a7db5c9e...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c.exe

  • Size

    60KB

  • MD5

    89d13aca5665c3fcde154dfc3c054f88

  • SHA1

    b483fffd3c9843d75cac6330955dae40fd36f1ba

  • SHA256

    b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c

  • SHA512

    bc8937142752f0a2806cb43f7a79df9bdded6fd3f4e4d6ff7a543273d528f1af1f053bfb52dbb8cc58f45322c23de0d26354fbc82a5f739078835b4bc1450651

  • SSDEEP

    1536:VVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:FnxwgxgfR/DVG7wBpE

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:588
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            2⤵
              PID:1720
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:964
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                2⤵
                  PID:1116
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1076
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    2⤵
                      PID:748
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:324
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:888
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:848
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:808
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:732
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:668
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:376
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                            wmiadap.exe /F /T /R
                                            1⤵
                                              PID:1596
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1268
                                                • C:\Users\Admin\AppData\Local\Temp\b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c.exe"
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of UnmapMainImage
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1712
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of UnmapMainImage
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1348
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Modifies WinLogon for persistence
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      PID:1828
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:576
                                              • C:\Windows\system32\Dwm.exe
                                                "C:\Windows\system32\Dwm.exe"
                                                1⤵
                                                  PID:1180

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  60KB

                                                  MD5

                                                  89d13aca5665c3fcde154dfc3c054f88

                                                  SHA1

                                                  b483fffd3c9843d75cac6330955dae40fd36f1ba

                                                  SHA256

                                                  b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c

                                                  SHA512

                                                  bc8937142752f0a2806cb43f7a79df9bdded6fd3f4e4d6ff7a543273d528f1af1f053bfb52dbb8cc58f45322c23de0d26354fbc82a5f739078835b4bc1450651

                                                  Download Submit

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  60KB

                                                  MD5

                                                  89d13aca5665c3fcde154dfc3c054f88

                                                  SHA1

                                                  b483fffd3c9843d75cac6330955dae40fd36f1ba

                                                  SHA256

                                                  b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c

                                                  SHA512

                                                  bc8937142752f0a2806cb43f7a79df9bdded6fd3f4e4d6ff7a543273d528f1af1f053bfb52dbb8cc58f45322c23de0d26354fbc82a5f739078835b4bc1450651

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  60KB

                                                  MD5

                                                  89d13aca5665c3fcde154dfc3c054f88

                                                  SHA1

                                                  b483fffd3c9843d75cac6330955dae40fd36f1ba

                                                  SHA256

                                                  b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c

                                                  SHA512

                                                  bc8937142752f0a2806cb43f7a79df9bdded6fd3f4e4d6ff7a543273d528f1af1f053bfb52dbb8cc58f45322c23de0d26354fbc82a5f739078835b4bc1450651

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  60KB

                                                  MD5

                                                  89d13aca5665c3fcde154dfc3c054f88

                                                  SHA1

                                                  b483fffd3c9843d75cac6330955dae40fd36f1ba

                                                  SHA256

                                                  b6a7db5c9e9b3ce7362bb47117dbce5a90bae618bb23a704adc40f070c8b700c

                                                  SHA512

                                                  bc8937142752f0a2806cb43f7a79df9bdded6fd3f4e4d6ff7a543273d528f1af1f053bfb52dbb8cc58f45322c23de0d26354fbc82a5f739078835b4bc1450651

                                                  Download Submit

                                                • memory/576-82-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/576-85-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/1348-67-0x0000000000400000-0x0000000000430000-memory.dmp

                                                  Filesize

                                                  192KB

                                                  Download

                                                • memory/1348-187-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1348-79-0x0000000000400000-0x0000000000430000-memory.dmp

                                                  Filesize

                                                  192KB

                                                  Download

                                                • memory/1712-65-0x0000000000230000-0x0000000000260000-memory.dmp

                                                  Filesize

                                                  192KB

                                                  Download

                                                • memory/1712-62-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1712-56-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1712-833-0x0000000000230000-0x0000000000260000-memory.dmp

                                                  Filesize

                                                  192KB

                                                  Download

                                                • memory/1712-57-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/1828-71-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1828-80-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1828-75-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1828-74-0x0000000075071000-0x0000000075073000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1828-188-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download