Overview

overview

10

Static

static

7

Device/Har...dF.exe

windows7-x64

10

Device/Har...dF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    98s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2023 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Device/HarddiskVolume9/RECYCLER/S-3-5-01-4621304173-6055156028-813125507-4057/TVnHnIdF.exe

  • Size

    185KB

  • MD5

    59157bcbfe97f9f8b00af1eb39c87a53

  • SHA1

    63f11e1730237a17d71bb1927e67f561a7dec607

  • SHA256

    d49df261cebcfdc69c73a485002786c0ace31ee0c85cbfe45b830de3c737b941

  • SHA512

    034a730883b0436326b67e996182e0749513f2e1be8b554ff91cfc121d0ea38c7651e0b2dbfadcb34e7b43b54b2fecf35cf8135b227ffe6717e356c5f17ca65c

  • SSDEEP

    1536:+OC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9TfBi:+wV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume9\RECYCLER\S-3-5-01-4621304173-6055156028-813125507-4057\TVnHnIdF.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume9\RECYCLER\S-3-5-01-4621304173-6055156028-813125507-4057\TVnHnIdF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1156
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    78048bdd248f754d4c59661d4197c1ca

    SHA1

    f9b34b353c92757fa1c6fc2253bcb0016a276903

    SHA256

    5c36f9f77dc834f4236bb131aba4d22ceb833b049a8305ca16a1314e44a6bbd0

    SHA512

    5188dc688b054262b6ece70ebc3aac30c7d86d69e1573c43fcfe178dd4eae86467d8d1c69ca0ad2284b3fc1b191b629fe998e35ae587d6ae62c0661cd006e02c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BE6E0D1-0144-11EE-8F95-D2C9D0B8F522}.dat
    Filesize

    4KB

    MD5

    7dc7c678a34c864ac174199a53614425

    SHA1

    d529a44a84e72bec4cb8dd0a0176e5e87f8a709c

    SHA256

    242cfa694612b34cfc8d2d3b43d145a0798004c4e24dabdb1fbf696f0170d17c

    SHA512

    e0045c4c861fe820950a600e342d464332349f4cc67fef5eb6d9738a0dcfa6ff85c7bbaee23ed21dd4023d2d304501c859680c21493415d61002024bb543fde4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BE707E1-0144-11EE-8F95-D2C9D0B8F522}.dat
    Filesize

    5KB

    MD5

    610b85bd7ac490e6706c7388ca4c6524

    SHA1

    d9e358dfccfcd52678e368bed2889a5b45ae2d6f

    SHA256

    205327608309570ac2d691d0905d61ec46cac0fbabb43f2a3fecf6442dbd2a23

    SHA512

    efa869771dad0714d8fee04ffd0cb9dbc9ec4587c9877bb6aec9fc2c01dd2c28838d8e75fd77d3a7de6dda51a509d289baecb910632617bc38d650587e132abc

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarC461.tmp
    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XKNQI7B0.txt
    Filesize

    602B

    MD5

    3c09ecae836479ed7417709ea1f57dce

    SHA1

    16b1ee3f0ac49d6128d8be0951dd9b3f0bf1fe4f

    SHA256

    60c0f506d81cecbe478e431080cec346c8ce2f66fee573ff8a0704fc45f244a5

    SHA512

    678d812b5e5b62869331e3936c55d6fcc80c0f6703bcf86d68e8dc67e6303eb63fabe8999020203ae4482894fa3b8ce45c2c3335f09dbfa24032a3a2f81c73ad

    Download Submit
  • memory/1900-57-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1900-60-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1900-54-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1900-56-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1900-55-0x0000000000330000-0x0000000000331000-memory.dmp
    Filesize

    4KB

    Download