Overview

overview

10

Static

static

3

1a230d93fa...10.exe

windows7-x64

1a230d93fa...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    4s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-04-2024 19:20

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T19:20:48Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_10-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    1a230d93fadd685858c9a1eda1295cd5a2cc0e9702afc119fbefc6c98eeed210.exe

  • Size

    149KB

  • MD5

    dc59d4b251a9c5840688313292b03db7

  • SHA1

    83401c52f5564ee253d52dae1e208ac7f0a8b30d

  • SHA256

    1a230d93fadd685858c9a1eda1295cd5a2cc0e9702afc119fbefc6c98eeed210

  • SHA512

    964092f273f956f8302323b4191cecc13970b49c7640dff9e200d7d4c667f46ee92dea628c123d0178bdc9b3983f4d2a2b44ed4cc0619bf153c9faefc3c61a46

  • SSDEEP

    3072:lAVzVfWE0SKEgoenY+De9s0v2Q4+Nz6coKcMbf4cZi6:lY1WTSFgoenY/9P2WNz6co7Mbf4

Score
10/10
ramnitbankerevasionpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX dump on OEP (original entry point) 3 IoCs
  • Drops startup file 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a230d93fadd685858c9a1eda1295cd5a2cc0e9702afc119fbefc6c98eeed210.exe
    "C:\Users\Admin\AppData\Local\Temp\1a230d93fadd685858c9a1eda1295cd5a2cc0e9702afc119fbefc6c98eeed210.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • UAC bypass
    • Windows security bypass
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

8
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2224-0-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2224-2-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2224-1-0x0000000015190000-0x00000000155CD000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/2224-3-0x0000000015190000-0x00000000155CD000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/2224-7-0x0000000015190000-0x00000000155CD000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/2224-8-0x0000000015190000-0x00000000155CD000-memory.dmp
    Filesize

    4.2MB

    Download