Overview

overview

10

Static

static

8

b52dbb4753...96.exe

windows7-x64

10

b52dbb4753...96.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396.exe

  • Size

    94KB

  • MD5

    0b11de951151ae8ee0888d559c9f9a00

  • SHA1

    f2b1a65a40e358af6050e20e4b701741a8e4a059

  • SHA256

    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396

  • SHA512

    1b72fd918b2bbc870ebde5f4feff297a045858941d78e398eae2b2cfc3d3a0e2f36e928acc696b27975003c10342d9a9433ed8e919f47ca65ee83b98fec77a37

  • SSDEEP

    1536:3o38k0oFIMN5C/5Zm2/h/40MVskmm0B4uP3sJ+b54BEAtWgjp9At:39oqyWT/4Js0kv3q+b5bAtHjA

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:468
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:736
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            2⤵
              PID:804
              • C:\Windows\system32\Dwm.exe
                "C:\Windows\system32\Dwm.exe"
                3⤵
                  PID:1172
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k NetworkService
                2⤵
                  PID:108
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1044
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                    2⤵
                      PID:1104
                    • C:\Windows\system32\sppsvc.exe
                      C:\Windows\system32\sppsvc.exe
                      2⤵
                        PID:1664
                      • C:\Windows\system32\taskhost.exe
                        "taskhost.exe"
                        2⤵
                          PID:1124
                        • C:\Windows\System32\spoolsv.exe
                          C:\Windows\System32\spoolsv.exe
                          2⤵
                            PID:308
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            2⤵
                              PID:864
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              2⤵
                                PID:832
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:660
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:584
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:384
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:368
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:484
                                        • C:\Windows\system32\csrss.exe
                                          %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                          1⤵
                                            PID:332
                                          • C:\Windows\System32\smss.exe
                                            \SystemRoot\System32\smss.exe
                                            1⤵
                                              PID:260
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1252
                                                • C:\Users\Admin\AppData\Local\Temp\b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396.exe"
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1216
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:968
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Modifies WinLogon for persistence
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:860
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      4⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1532
                                              • C:\Windows\system32\wbem\wmiprvse.exe
                                                C:\Windows\system32\wbem\wmiprvse.exe
                                                1⤵
                                                  PID:1960
                                                • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                                  wmiadap.exe /F /T /R
                                                  1⤵
                                                    PID:1996

                                                  Network

                                                  MITRE ATT&CK Matrix ATT&CK v6

                                                  Initial Access

                                                  Execution

                                                  Persistence

                                                  Winlogon Helper DLL

                                                  1
                                                  T1004

                                                  Privilege Escalation

                                                  Defense Evasion

                                                  Modify Registry

                                                  1
                                                  T1112

                                                  Credential Access

                                                  Discovery

                                                  Lateral Movement

                                                  Collection

                                                  Exfiltration

                                                  Command and Control

                                                  Impact

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    94KB

                                                    MD5

                                                    0b11de951151ae8ee0888d559c9f9a00

                                                    SHA1

                                                    f2b1a65a40e358af6050e20e4b701741a8e4a059

                                                    SHA256

                                                    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396

                                                    SHA512

                                                    1b72fd918b2bbc870ebde5f4feff297a045858941d78e398eae2b2cfc3d3a0e2f36e928acc696b27975003c10342d9a9433ed8e919f47ca65ee83b98fec77a37

                                                    Download Submit
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    94KB

                                                    MD5

                                                    0b11de951151ae8ee0888d559c9f9a00

                                                    SHA1

                                                    f2b1a65a40e358af6050e20e4b701741a8e4a059

                                                    SHA256

                                                    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396

                                                    SHA512

                                                    1b72fd918b2bbc870ebde5f4feff297a045858941d78e398eae2b2cfc3d3a0e2f36e928acc696b27975003c10342d9a9433ed8e919f47ca65ee83b98fec77a37

                                                    Download Submit
                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    94KB

                                                    MD5

                                                    0b11de951151ae8ee0888d559c9f9a00

                                                    SHA1

                                                    f2b1a65a40e358af6050e20e4b701741a8e4a059

                                                    SHA256

                                                    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396

                                                    SHA512

                                                    1b72fd918b2bbc870ebde5f4feff297a045858941d78e398eae2b2cfc3d3a0e2f36e928acc696b27975003c10342d9a9433ed8e919f47ca65ee83b98fec77a37

                                                    Download Submit
                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    94KB

                                                    MD5

                                                    0b11de951151ae8ee0888d559c9f9a00

                                                    SHA1

                                                    f2b1a65a40e358af6050e20e4b701741a8e4a059

                                                    SHA256

                                                    b52dbb47538dd79be8e612363931ae451763ce3b12f2c2fb1e2442ce32a2a396

                                                    SHA512

                                                    1b72fd918b2bbc870ebde5f4feff297a045858941d78e398eae2b2cfc3d3a0e2f36e928acc696b27975003c10342d9a9433ed8e919f47ca65ee83b98fec77a37

                                                    Download Submit
                                                  • memory/860-62-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/860-65-0x0000000074F01000-0x0000000074F03000-memory.dmp
                                                    Filesize

                                                    8KB

                                                    Download
                                                  • memory/860-71-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/860-64-0x0000000000000000-mapping.dmp
                                                    Download
                                                  • memory/860-66-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/968-70-0x0000000000400000-0x000000000044D000-memory.dmp
                                                    Filesize

                                                    308KB

                                                    Download
                                                  • memory/968-56-0x0000000000000000-mapping.dmp
                                                    Download
                                                  • memory/968-59-0x0000000000400000-0x000000000044D000-memory.dmp
                                                    Filesize

                                                    308KB

                                                    Download
                                                  • memory/968-130-0x0000000020020000-0x000000002002B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/968-188-0x0000000000400000-0x000000000044D000-memory.dmp
                                                    Filesize

                                                    308KB

                                                    Download
                                                  • memory/1216-57-0x0000000000400000-0x000000000044D000-memory.dmp
                                                    Filesize

                                                    308KB

                                                    Download
                                                  • memory/1532-73-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/1532-75-0x0000000000000000-mapping.dmp
                                                    Download
                                                  • memory/1532-76-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download