Overview

overview

10

Static

static

7

Device/Har...dF.exe

windows7-x64

10

Device/Har...dF.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2023 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Device/HarddiskVolume9/RECYCLER/S-3-5-01-4621304173-6055156028-813125507-4057/TVnHnIdF.exe

  • Size

    185KB

  • MD5

    59157bcbfe97f9f8b00af1eb39c87a53

  • SHA1

    63f11e1730237a17d71bb1927e67f561a7dec607

  • SHA256

    d49df261cebcfdc69c73a485002786c0ace31ee0c85cbfe45b830de3c737b941

  • SHA512

    034a730883b0436326b67e996182e0749513f2e1be8b554ff91cfc121d0ea38c7651e0b2dbfadcb34e7b43b54b2fecf35cf8135b227ffe6717e356c5f17ca65c

  • SSDEEP

    1536:+OC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9TfBi:+wV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume9\RECYCLER\S-3-5-01-4621304173-6055156028-813125507-4057\TVnHnIdF.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume9\RECYCLER\S-3-5-01-4621304173-6055156028-813125507-4057\TVnHnIdF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    3f99196063cafa7717faed5f9f3ccb45

    SHA1

    8f63f695e723c664a0f2af3727b734cfa2dd9cbf

    SHA256

    0d3eb438019deea1dce3c6c3f722ba4b5bb023954ad881d6985bf355d8b6c973

    SHA512

    b1ba899ce46dc4d0bd67451c1850efec4a92d50660f7968ebfc738b773ed44f903eaffe61aec386c804c305d7fe3196877f1b50b7f20a7eeae6e5e2a83ac568e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    76fd0c70c5c4249f93d1c3f787ec79a4

    SHA1

    07357b1f29d2ff7d10d2625e65fedc068e356347

    SHA256

    a1f123b787bcdb618717af6620746dc6b79441c99ad1d147dd47432e08724770

    SHA512

    15301d6175b37211c454431da7b22f9f4256858a0aa647bde21ff2f8b1599fd00c4e419e62443c7390aaae3a698375784768982d59832fe26735e3a48c88db6d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    3e2655c15f86d2766ee96f22aeca33e4

    SHA1

    7dad4246b9f5581dc6489ce0469afc8150dfbb7b

    SHA256

    81a6871b6afe8df84c05691c23f2fa187f974a7bb8d7a1a81b182c8d124f44be

    SHA512

    83bd0e8c8f078a33669f6c09c4fc845668a893fef7523e23260941f6a73751ffb62dd73a209b2b427f24257a30f8dc90e93e7dfd4e41ece3ccda3dc907fd9101

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    75662bbc153a8fd9c77c326c92c64cf5

    SHA1

    6a173fafff8640b9f88716b352e61555dd340c98

    SHA256

    02f91e9866dae7f94d1598c23b3e7874e8245f4e5ec1dc6899a961373ccdf57c

    SHA512

    ea514043de8c1b928e7c02e4cafd7c8cf36bbbbfca812e496041025dfba361327d55f2655c8c85c5d0047816b4eccb47652b58d437c55059100b9b78f636947a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    f8fec1c8ed123c76e57012e59e1a80bd

    SHA1

    ba9649a47d6472da32f2a9bd0838f8bc60fc233c

    SHA256

    5e259e71695ec1a417db84b1dc667b277590524ea170deee3cf7b0ba487aa9c4

    SHA512

    fa8943327f0b6f3d9d09f4f5011db0226eac91fc9acf9df47db0f9389cc04e64bfc433875480675e6b5aa4297ae678dfceb78b7c12d2031de224ac655a9e532f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    d8ebced539d03aa928f02913b18ab1c3

    SHA1

    bf0637b21c010dfdb1e559fbd6f1352d4df9769c

    SHA256

    30702aa7e6a5deb7cfa1c7a8ba3c152d10845d90bbdeaa045d086d581bab1090

    SHA512

    07d736c0ce383e694fcad7e48dae2a8036bc33d6c615927811bdc2f02313a1a515ac2d8a75ea811aa07da3ac21576e9632e55e38717b659360555d74dc64be50

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    7e552ae78bea1e93cf496d38d34b63ae

    SHA1

    8cd78409545befbcfdb7ff32c4230d42415abc59

    SHA256

    18c7007a6f7d53ca0c1b911a1a23a9087f1c8bab61442f5f1456594e9e9701e7

    SHA512

    b70a0f08b913a4aa3bb0f7bc9ce741d069ce371138780ca6dda8cf576b6c8e4714dc5e03fb7573659e291d32d8c0eba9cd42550d97087739eec95c42212fd15e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    788738fc7a57fd004d002edcad6e0823

    SHA1

    e624ad7c168afaa5eeacc642483535b87a5ad3fc

    SHA256

    6978858c4b933e618e438485eca47c60d799003d6eadd371dded3f5f49085ea5

    SHA512

    0c8f04b69d9e1a99bc8d8567d03c6c727af4836fb7b75a44e08b913a1e93473c61e890f57342702bba6d5c9bae7c21f950e8fdedf9118564424945aee256b90c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    239a44deee0600ad85dea22bc5a7c9e3

    SHA1

    793f16748370e733ca95174b91fbeca2a7d6335c

    SHA256

    e88aaef9de53ed034f2a3b95bcf9ebdbab38818cd64f9a6266cc20d001208ea1

    SHA512

    4daa58ec9af5f729234d4f743ca5736c54c1e9d99bab689c6ad7831c43ba3d682b9e987fc09cb3d67fd43c7a4813eb40d9dbd007db4f4e6e4b1c547037f6dc88

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93CC55B1-0144-11EE-88CE-F2C06CA9A191}.dat
    Filesize

    3KB

    MD5

    a964a5693060735ce648c7650daf74c0

    SHA1

    6c227e4ebf60cdc350dc2d0b82050b16e1bb8bf2

    SHA256

    418bc9b643220787a0136165b9dfac8ffe144ba5d9f49e198cc5b8ede42a1d11

    SHA512

    dabd1440aa18a7ffaad8896e039460de67e8f10a0b274dbc6142857def4fa5723269d114a42cdefdd05e9d2ff0cb0c47e0f7fa329a6f146b0853dd17a1a7be76

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93CC7CC1-0144-11EE-88CE-F2C06CA9A191}.dat
    Filesize

    5KB

    MD5

    3573e166fab4888ce011a02785a3a81c

    SHA1

    1ff833dbdb170b8efd280b2606b8fc54d91f0b92

    SHA256

    71bf9b733af35741e7c2233b7cafca61a8faf2cd24d1b835462aa40cd27ebdab

    SHA512

    e3bbd149b07ba3abf2cf871bea2b75013015fe5d00a3f8f7b08b44df0a15ffcb91bd06874d00385f55ffcb95937fce89768fd886e6b851b99153ebdfc565e1b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QHKTFKHM\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab30A4.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar3197.tmp
    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\947ZTGS2.txt
    Filesize

    608B

    MD5

    dc1f0c615cc6af9d2a4e672c06f8dc87

    SHA1

    39c3f5c76df765bb0b2b52f85b1aeb926f6cb5e8

    SHA256

    a3243def6b8631bcd48bf898b1c0279887b2abbf1b1da4711ed4b15f10eea2b3

    SHA512

    860a2394f1a7b8bcb00a1651d999baae318c39221113dd2b7bcafc97460695ec5ac3bdeaf66b8f885ed42a9f403a785708a56f01ccdf90fecdd7d5e86f6b8a70

    Download Submit
  • memory/1384-58-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1384-54-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-59-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-60-0x0000000000400000-0x0000000000472000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1384-55-0x0000000000330000-0x0000000000331000-memory.dmp
    Filesize

    4KB

    Download