Overview

overview

10

Static

static

8

9c58196714...d5.exe

windows7-x64

10

9c58196714...d5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    94s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c5819671476955d81b58da0075be6eaa8e69af4d0345a0d0b7b63e132185bd5.exe

  • Size

    377KB

  • MD5

    35909d898b101103e524f8c1c3c49c00

  • SHA1

    38e0c2400bd6df41e39cf02f6e7f5a268b8a3bb8

  • SHA256

    9c5819671476955d81b58da0075be6eaa8e69af4d0345a0d0b7b63e132185bd5

  • SHA512

    eeb8f155854f3520632b570ebc386bec85041fbea40c223d332e7517dc381fbf83f7783d65dc2bead46984d1911df851edd0c196a78bc8f88bd2baaae72b1e9d

  • SSDEEP

    3072:0rSFhxp7xHSc7qzPKb/0at9ayXAVJlz0rpl:1hxFxy8qeb/9zaw+zyp

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c5819671476955d81b58da0075be6eaa8e69af4d0345a0d0b7b63e132185bd5.exe
    "C:\Users\Admin\AppData\Local\Temp\9c5819671476955d81b58da0075be6eaa8e69af4d0345a0d0b7b63e132185bd5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1714811-9FDD-11ED-B51C-6E705F4A26E5}.dat
    Filesize

    4KB

    MD5

    93cbd4d91964ad29ba9fe85f4c9fe913

    SHA1

    48018261e7d634968a3e13d601d49bf33d7598c6

    SHA256

    378e263bae663ba6b7d1a59b13780dcd8676e52b73b2ee33b235b8686023d564

    SHA512

    42ef0628601c86a823f031841a17900d6373a86e11753375811888fad5be2cf480073786ec8d126314029b2319f9dd166d08945251fdabf4765873d35a51190e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1716F21-9FDD-11ED-B51C-6E705F4A26E5}.dat
    Filesize

    3KB

    MD5

    33b26e30a75b3e272ded6cd1eecf64dc

    SHA1

    fd89ccf7e3ff84c42fc533f9f6b5f6e1fe99b19e

    SHA256

    70b752bb0f8bfe7e2756351c6fd5f237c114145a2283f63f98d2b5405b57cf7b

    SHA512

    65fca76f02e872d6867133cac0380d728550287ccdb5411ab308f343200cdca64591da143b705c34f7be76c1dccf9174ce311fafa335b8b36c1ef022d83464f1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I7FYXFPY.txt
    Filesize

    606B

    MD5

    a8c0d37e635ec68b60099363e3b39e62

    SHA1

    882300bc40eeb0d5673f0d645165f5e6e589c69d

    SHA256

    ba153d3d9ea8dac7fae23fea635d5f3fbb10f20ed6054e446274ad43cd998143

    SHA512

    1258720f78b632dab421487a5938c87e981e3672637a9e2c4db43ae12852a9a70a815156bae056d203b7927dab10a945591699a87372552b246d7b84aba43d06

    Download Submit
  • memory/1096-54-0x0000000000400000-0x0000000000467000-memory.dmp
    Filesize

    412KB

    Download
  • memory/1096-55-0x0000000000400000-0x0000000000467000-memory.dmp
    Filesize

    412KB

    Download