Overview

overview

10

Static

static

3

25d7e41e41...bf.exe

windows7-x64

10

25d7e41e41...bf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2023 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bf.exe

  • Size

    6.3MB

  • MD5

    79f98c49bc40fd7bfd485076b61f12a5

  • SHA1

    0615c4f50b4d9f4a3bf8bf41b961829e8a3589f1

  • SHA256

    25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bf

  • SHA512

    c73577ef82868109e97c4d22ea2b7b6da078c511ff31163069a1d06f07424879bd4bc6dd14c530eeed76d1f746b0bb9cb3418e0cc6a00e6dfa8ffa70926adf8f

  • SSDEEP

    98304:QNRLx2q4bVReAWuLtEoo6G6vR1NffetjTahCyQXlgWJyNYrPbM+eFVcW5B9rUf4h:QNRgqQuzulKahDQ1bJbMzZUfkuTB8D

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bf.exe
    "C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
      C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2728
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{471C5611-91F0-11EE-B174-5ECA98445576}.dat
    Filesize

    5KB

    MD5

    cadd31565137fe9acce8e9d87341508c

    SHA1

    f49b84829f79156129553496f73015a2198b8d8d

    SHA256

    9fc6211ddfce5743fa5e3263af96d06f50c411e1e26a93ddadbe4ddede0becee

    SHA512

    c6f3ece7fee857d214c07a950d812fc68f322d8156ccd04fd574f0fe020bf8510ca8875bad206426afa22867042fe89f6930bac117bde4bd359d00fbca779356

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{47237A31-91F0-11EE-B174-5ECA98445576}.dat
    Filesize

    5KB

    MD5

    592aa352f03d482f55283f7a6caeb750

    SHA1

    f6de8ea217fe925bc5430cc9b70fc919906120a9

    SHA256

    18ae8fbdf56807909985841c1c24547f6ff179cff28648added96968d46e0e30

    SHA512

    0e9d763e27c4088b93c660a049efa037ffb15ea5e8e22531d8f0222f1f9c1a0fc33866ce6e4566e7a9494cbe04f5fbbddf6dcab323b48650977da648c0771fb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
    Filesize

    99KB

    MD5

    f3873258a4258a6761dc54d47463182f

    SHA1

    fbbf8bca739ca4e9745e5224662b33b437a52461

    SHA256

    63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

    SHA512

    eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
    Filesize

    99KB

    MD5

    f3873258a4258a6761dc54d47463182f

    SHA1

    fbbf8bca739ca4e9745e5224662b33b437a52461

    SHA256

    63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

    SHA512

    eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
    Filesize

    99KB

    MD5

    f3873258a4258a6761dc54d47463182f

    SHA1

    fbbf8bca739ca4e9745e5224662b33b437a52461

    SHA256

    63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

    SHA512

    eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\25d7e41e418b52de15f49605dc2bcf85b287d1598ee009376c62e41e252f64bfmgr.exe
    Filesize

    99KB

    MD5

    f3873258a4258a6761dc54d47463182f

    SHA1

    fbbf8bca739ca4e9745e5224662b33b437a52461

    SHA256

    63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

    SHA512

    eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

    Download Submit

  • memory/2040-28-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-9-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-101-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2040-83-0x0000000077D50000-0x0000000077D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-82-0x0000000000250000-0x00000000002A4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2040-78-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2040-14-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-13-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2040-21-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-76-0x0000000000250000-0x00000000002A4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2040-68-0x000000006D8E0000-0x000000006D8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2040-23-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-22-0x0000000000250000-0x00000000002A4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2040-26-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-33-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-31-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-11-0x0000000000250000-0x00000000002A4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2040-41-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-38-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-36-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-43-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-46-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-48-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-53-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-51-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-49-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-57-0x000000006D8E0000-0x000000006D8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2040-8-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2040-69-0x0000000077D50000-0x0000000077D52000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-58-0x00000000028F0000-0x00000000029D6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/2040-64-0x000000006D8E0000-0x000000006D8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-10-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-24-0x0000000077D5F000-0x0000000077D60000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-20-0x0000000077D5F000-0x0000000077D60000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-16-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-80-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2244-18-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-19-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2244-84-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2244-15-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download