Overview

overview

10

Static

static

8

926bf33829...8b.exe

windows7-x64

10

926bf33829...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe

  • Size

    120KB

  • MD5

    fcc3e83c605961ce711a28522be916f6

  • SHA1

    18681477b75de6979d9d3c857fa09f72da36ec90

  • SHA256

    926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b

  • SHA512

    b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad

  • SSDEEP

    3072:Ig+3fh/PHrgNUqOBx4J2vNbGfvGnd3gW5ZM4/uBnh:h+3fRb9NdndPZMT7

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
    "C:\Users\Admin\AppData\Local\Temp\926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:2476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 204
          3⤵
          • Program crash
          PID:4088
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3308 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3736
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3308 CREDAT:82950 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3104
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:4632
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 208
            3⤵
            • Program crash
            PID:3664
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          2⤵
          • Modifies Internet Explorer settings
          PID:1568
        • C:\Users\Admin\AppData\Local\Temp\jcbqdctseuljtvnr.exe
          "C:\Users\Admin\AppData\Local\Temp\jcbqdctseuljtvnr.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2476 -ip 2476
        1⤵
          PID:4688
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4632 -ip 4632
          1⤵
            PID:848

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            0518b0c986ebecc2e8b7d18563f3a3f9

            SHA1

            f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f

            SHA256

            5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492

            SHA512

            a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            6f2f62307f534b687064b34f30e94251

            SHA1

            ae535ce69d19d94ff8adddf21168ffd8ffaf8336

            SHA256

            f445656fa2f7be40e5c492d5ad7d6d6cd23b19cebfaa7b337d02e5a4bb973f60

            SHA512

            8abe8cbee1f651f8f0a75d43c6cc137fbcfe8949132170d5c2d09591c8fc1cbdd26485306ee064261a1411e955d517d9d5ef8a9bc39117b3c314ed92a326cbf7

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\jcbqdctseuljtvnr.exe
            Filesize

            120KB

            MD5

            fcc3e83c605961ce711a28522be916f6

            SHA1

            18681477b75de6979d9d3c857fa09f72da36ec90

            SHA256

            926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b

            SHA512

            b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\jcbqdctseuljtvnr.exe
            Filesize

            120KB

            MD5

            fcc3e83c605961ce711a28522be916f6

            SHA1

            18681477b75de6979d9d3c857fa09f72da36ec90

            SHA256

            926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b

            SHA512

            b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad

            Download Submit
          • memory/2476-133-0x0000000000000000-mapping.dmp
            Download
          • memory/4252-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4252-141-0x0000000000400000-0x000000000043957C-memory.dmp
            Filesize

            229KB

            Download
          • memory/4340-134-0x0000000000400000-0x000000000043957C-memory.dmp
            Filesize

            229KB

            Download
          • memory/4340-140-0x0000000000400000-0x000000000043957C-memory.dmp
            Filesize

            229KB

            Download
          • memory/4632-136-0x0000000000000000-mapping.dmp
            Download