Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2023 22:55

General

  • Target

    9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe

  • Size

    121KB

  • MD5

    2299a2d6f8d62723d3d76cac0bc2c01b

  • SHA1

    a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

  • SHA256

    9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

  • SHA512

    2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

  • SSDEEP

    1536:N8kwilTEhU4HDa1KkjWXUa21mc/Mue9VR:dhlohUEK9ekp6

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
    "C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4196
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 208
            4⤵
            • Program crash
            PID:4600
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2164
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4196 -ip 4196
      1⤵
        PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry: T1112 (1)

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        121KB

        MD5

        2299a2d6f8d62723d3d76cac0bc2c01b

        SHA1

        a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

        SHA256

        9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

        SHA512

        2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        0518b0c986ebecc2e8b7d18563f3a3f9

        SHA1

        f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f

        SHA256

        5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492

        SHA512

        a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        f47dabfe531f2b135b1217714fbf04b3

        SHA1

        6a4a7744431ca01ed2969fb6b2a85b3136613ba0

        SHA256

        83eb510c1f0c7bd17caf78fc0d2af4bbecffccc1710c2a9d3e408819a15df4df

        SHA512

        4ed650a70a51ba5ed2cfc64cd653129a073f5a7fb9853fee26a1d7a67fededd3c02b186e750a0886bfaffb5868f4a3af8498d883dba0ae035e61af6f6420fa97

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7D1133EB-A030-11ED-AECB-E62BBF623C53}.dat
        Filesize

        3KB

        MD5

        d019c6bfc731de7600a1ad010365a8e6

        SHA1

        fa9f14689b6e48059c03cba0aa1afd917cb4b9d5

        SHA256

        d9b2c8f352ca0055d728f4d5c91462ab2c246b888b912c6c5e74a6bfee22f2d6

        SHA512

        d362d51b429d92621ef35039849399db443c8cc68e4a4395c22c982459eda89d0fb67f79cff177d7b5428a88d56870ddd283ca7ee5948eeaaeb5abd02865630f

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7D115AFB-A030-11ED-AECB-E62BBF623C53}.dat
        Filesize

        5KB

        MD5

        e962f514efc5b67e70a1a4465bca52fe

        SHA1

        9e75c00bb49e2f54c5800a6233a75be2a8ef1532

        SHA256

        379e630363d8b40977c04b8deed61cebfb530ea0fcb406006c186c3ff60e279d

        SHA512

        f69463d07fdcd2670abf3024e384223ef888e3fe82e8dd8519280eeb26a20d49210238f0d1991b6898a1c898656cc1fbe33db85592aa31e6fb41e52f53c3383b

      • memory/2296-137-0x0000000002160000-0x0000000002187000-memory.dmp
        Filesize

        156KB

      • memory/2296-132-0x0000000000400000-0x0000000000427000-memory.dmp
        Filesize

        156KB

      • memory/2296-136-0x0000000000400000-0x0000000000427000-memory.dmp
        Filesize

        156KB

      • memory/4196-139-0x0000000000000000-mapping.dmp
      • memory/4420-140-0x0000000000640000-0x0000000000667000-memory.dmp
        Filesize

        156KB

      • memory/4420-141-0x0000000000400000-0x0000000000427000-memory.dmp
        Filesize

        156KB

      • memory/4420-144-0x0000000000400000-0x0000000000427000-memory.dmp
        Filesize

        156KB

      • memory/4420-145-0x0000000000400000-0x0000000000427000-memory.dmp
        Filesize

        156KB

      • memory/4420-133-0x0000000000000000-mapping.dmp