Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2023 23:27

General

  • Target

    87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe

  • Size

    130KB

  • MD5

    22d8fb0fde2ec77b0a3da0a7588bfa40

  • SHA1

    e76802220d01891479b64bf709fd0c2d3ec266bb

  • SHA256

    87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d

  • SHA512

    1304e549ebafd89163db4e4728dab986cd100de6cf1f26e98ef6e681d2fb995c1607a58ff27a097675e8979247d0ad2a2d98a24b795f6e3a930d8188a0e4f6b4

  • SSDEEP

    3072:NYaENCs1tDKROWgPJblycavQARvZeURunoswmKK:NYaMCSqOWgP/av6U1U

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
    "C:\Users\Admin\AppData\Local\Temp\87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:4852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 208
        3⤵
        • Program crash
        PID:4168
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3848 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3848 CREDAT:82950 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4312
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:1060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 204
        3⤵
        • Program crash
        PID:1628
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Modifies Internet Explorer settings
        PID:3448
    • C:\Users\Admin\AppData\Local\Temp\cehsaugl.exe
      "C:\Users\Admin\AppData\Local\Temp\cehsaugl.exe" elevate
      2⤵
      • Executes dropped EXE
      PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 408
        3⤵
        • Program crash
        PID:60
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 4852
    1⤵
    PID:4768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1060 -ip 1060
    1⤵
    PID:4188
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 636 -ip 636
    1⤵
    PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 0518b0c986ebecc2e8b7d18563f3a3f9
    SHA1: f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f
    SHA256: 5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492
    SHA512: a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 434B
    MD5: 598aab056e7cb676a079589a942f737c
    SHA1: 1a4cc24a6a6b8fe3dd49dc9eb73890bddad18099
    SHA256: 5e14f85b19c35270f186787f6df91925a803aa46fbccd5044cd484f1ab4207e8
    SHA512: 1caaf01bb794f76dd040c46069c53bc159d527fb0c745a55c79f33e53051fd0e63634c8623b61033f4d41efe7792a325e4284fe9ab8cce7aa330c123f08070ab

  • C:\Users\Admin\AppData\Local\Temp\cehsaugl.exe
    Filesize: 130KB
    MD5: 22d8fb0fde2ec77b0a3da0a7588bfa40
    SHA1: e76802220d01891479b64bf709fd0c2d3ec266bb
    SHA256: 87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d
    SHA512: 1304e549ebafd89163db4e4728dab986cd100de6cf1f26e98ef6e681d2fb995c1607a58ff27a097675e8979247d0ad2a2d98a24b795f6e3a930d8188a0e4f6b4

  • memory/636-138-0x0000000000000000-mapping.dmp
  • memory/1060-137-0x0000000000000000-mapping.dmp
  • memory/4116-132-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/4116-135-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/4116-140-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/4852-134-0x0000000000000000-mapping.dmp