Overview

overview

10

Static

static

10

013e80dc8e...a8.exe

windows10-2004-x64

7

040677c072...cc.exe

windows10-2004-x64

1

0ba3a15c5f...6a.exe

windows10-2004-x64

10

19d029dd80...b2.dll

windows10-2004-x64

10

1ac4f94c2d...83.exe

windows10-2004-x64

7

1efeb07862...bb.dll

windows10-2004-x64

3

27861dacdd...03.exe

windows10-2004-x64

10

31860041f6...ff.exe

windows10-2004-x64

3

3c49ffd8bf...86.dll

windows10-2004-x64

1

41edb742c1...45.exe

windows10-2004-x64

7

4ad4c837ce...e1.exe

windows10-2004-x64

1

50682871a2...53.exe

windows10-2004-x64

6

5f3bfe76bb...b6.exe

windows10-2004-x64

10

784f3902fd...12.exe

windows10-2004-x64

10

816c0e4deb...6c.exe

windows10-2004-x64

7

81b49d3c61...a9.exe

windows10-2004-x64

10

82d1e979d2...67.exe

windows10-2004-x64

7

8ba3f20419...4f.exe

windows10-2004-x64

10

8d8576432c...fe.exe

windows10-2004-x64

7

962bbb1929...e2.exe

windows10-2004-x64

10

96f295d08c...d1.exe

windows10-2004-x64

7

96f2bcea04...28.exe

windows10-2004-x64

10

9972304b5c...64.exe

windows10-2004-x64

1

9ff988d7ea...09.exe

windows10-2004-x64

7

bfddb59433...b0.exe

windows10-2004-x64

3

c0ca77690a...a5.dll

windows10-2004-x64

1

cb0f8c9180...69.exe

windows10-2004-x64

10

cfbcc54f36...29.exe

windows10-2004-x64

7

dd0f55e997...a3.exe

windows10-2004-x64

8

ded033da36...58.exe

windows10-2004-x64

7

ea55e146fe...59.exe

windows10-2004-x64

10

fffd0cdd49...d6.exe

windows10-2004-x64

10

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

231114-vxdw7sdg61 10

28-10-2023 19:29

231028-x7cs1age56 10

24-10-2023 13:29

231024-qrn3rsdb6z 10

18-10-2023 12:04

231018-n8ybnaeb31 10

07-09-2023 12:10

230907-pce1wahe2x 10

Analysis

  • max time kernel
    434s
  • max time network
    1161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2023 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6.exe

  • Size

    117KB

  • MD5

    9a97fcbfb92a1cd2bea185320ffb8d77

  • SHA1

    6796d5101d50fa0f0689bf0c4201a39f37b10151

  • SHA256

    5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6

  • SHA512

    64a8df2bc8db6f32268858eb40af4e1912f755bbad40e1c807330e11a2b791d9a8ea29912b00ab258291c90a95c3ffa4ec4120c392d04a06dbba30f3c4e32155

  • SSDEEP

    3072:GiYoDJ9UIfLL6y5KxDObWClw5jsNezaiY4d1tok:GijF9UIfLL6ywxabWClujsNH4d1X

Score
10/10
ramnitbankerevasionpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Drops startup file 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6.exe
    "C:\Users\Admin\AppData\Local\Temp\5f3bfe76bbd22dd8fd936b3833220ba03964b08e28ecf13dafdbbae24a620cb6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • UAC bypass
    • Windows security bypass
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3992-0-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3992-2-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3992-1-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-3-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-5-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3992-6-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3992-7-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3992-11-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-12-0x0000000015190000-0x00000000151CD000-memory.dmp

    Filesize

    244KB

    Download