Overview

overview

10

Static

static

3

2dae35b9d3...98.exe

windows7-x64

10

2dae35b9d3...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 19:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2dae35b9d3507b019def494805d237a8077458225314208affac435406408498.exe

  • Size

    153KB

  • MD5

    7871fe1b8c1e347dc9cec091c5a7967d

  • SHA1

    00784352ba070f9c0a894d5525feef72e5bd14f4

  • SHA256

    2dae35b9d3507b019def494805d237a8077458225314208affac435406408498

  • SHA512

    5d4537e6933800bb0d000f7a39101de8026449f00c94354de0c9d5ddba29a8cb238d5a438df6c43b0face9eed8d6c6652dfe2bdcd49ffa7e549a6e22b01338c6

  • SSDEEP

    3072:HaQo03tPdZeVXq8xNR6tgR07WtU/Wbf8Slr/5IfygXUhVI:j0BXR0SUS8St/5NEUhK

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UPX dump on OEP (original entry point) 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\2dae35b9d3507b019def494805d237a8077458225314208affac435406408498.exe
        "C:\Users\Admin\AppData\Local\Temp\2dae35b9d3507b019def494805d237a8077458225314208affac435406408498.exe"
        2⤵
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Users\Admin\AppData\Local\Temp\2dae35b9d3507b019def494805d237a8077458225314208affac435406408498.exe
          "C:\Users\Admin\AppData\Local\Temp\2dae35b9d3507b019def494805d237a8077458225314208affac435406408498.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          PID:1732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 192
            4⤵
            • Program crash
            PID:2636

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml
            Filesize

            14KB

            MD5

            0a8c3e67fc0b9bc353379b222e66332c

            SHA1

            7fe9aa231e26168c0f5ded82c54458a7c533b786

            SHA256

            9e4693159d27eb9d9849a926723d4c8a953801e275a338eee9ecd0cf2fe12f4d

            SHA512

            7b5a9053d59fb8d8cd7c84d4da25c75e1c385b902dab958478a4d9379015d15b4de6285154e1679a243d2236c36b1c5bd2a8abaf31344fe808b69d49518d600a

            Download Submit

          • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
            Filesize

            12KB

            MD5

            8156706568e77846b7bfbcc091c6ffeb

            SHA1

            792aa0db64f517520ee8f745bee71152532fe4d2

            SHA256

            5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

            SHA512

            8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

            Download Submit

          • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
            Filesize

            8KB

            MD5

            7757fe48a0974cb625e89012c92cc995

            SHA1

            e4684021f14053c3f9526070dc687ff125251162

            SHA256

            c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

            SHA512

            b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

            Download Submit

          • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
            Filesize

            451KB

            MD5

            7f822d6d134b07926fb26849c6049f9a

            SHA1

            b775e7dc28373c02e538ad1264842ec619eaf834

            SHA256

            5cb51fe402ac48c99118fd98061895fba7c9d2a8e2383bead86f50a4ed3206ed

            SHA512

            609155a161975d26299f9b489bef5682fd3a800a842a8f0cffde4d5d12061319188dd8fec6df6a02640728b5870455e1a32cfaee3087a18feaecb590e453b19a

            Download Submit

          • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
            Filesize

            640KB

            MD5

            87727840fcf81df46068640d7a85189a

            SHA1

            18540b08fbcb072ac3af3ad64a2b9ee1b03c9782

            SHA256

            b6762d270201daa072b9b32058f7e227fc33a0874118391014f4f4ae79d7c547

            SHA512

            fdd4d31bbcf86927476329b97e6dcddcda7e1aeb2add7bca886caf483af58af941cc2b72123b8152a625c00d3039046982ac902b7679f1b5c1729834955c41d0

            Download Submit

          • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
            Filesize

            640KB

            MD5

            b4c70c6aa73292570c54aa695730755f

            SHA1

            a8b6be55686a2afcc7a23c4b3339e2b9d354cfb7

            SHA256

            6b08989977df31bf90559e45745d8d000e80101be09432f006849daba3e05159

            SHA512

            2db1fcd53c04b8569897437541bf278dfc26e3b1362a36e2101fd7ce0716b72b505280589676f7d654f8d3762ae7ee07b0e7508d30d67bc44de3876b546cb5d6

            Download Submit

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
            Filesize

            461KB

            MD5

            ee22532b4b8955b0ab7f604aef6191be

            SHA1

            e605e3868948fca46a8bbeb280779c3e9afe4e6d

            SHA256

            f711295abfe7bf9d42a0c36954b59b12aff022f8239ebe7c00a67c5bbd28bb31

            SHA512

            7fb29a6d13be569fd1b189c876f4f6226da681c56e5c85437de0e3931477502e103c4d09a572a9e5cde3c0e002df17d2450ddb03e25979eb7f4ee3925485968d

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            451KB

            MD5

            9e73542b50596feaee1a1aeb474171da

            SHA1

            7cce69bbdff41615a91b9e4e5ae98e4c55f2da6e

            SHA256

            a4218026a48a9edd9bd818eedff44dbf78941e6d348305a04fad503400dbb999

            SHA512

            0e63b765c19a6dd788fd72e412363a276b520f23ffac5b9018bce8f67f98d6e181cd8db8f917e547d4f3d097e86519678f68c7e95461ecc4520c9bbfd420c9ac

            Download Submit

          • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
            Filesize

            461KB

            MD5

            4ba9a7a9e255164cdcc0f6ce378418c5

            SHA1

            6381f48aba8268e5c6eafe769bc7b972ea16df27

            SHA256

            a942e81e1b85e4adf97cfaac3b742a29c0fa05aa346f549dc0d56878f74a7c01

            SHA512

            e6daccb92e83c663493fd218c5a2055ef8938668989ab0cc271cc7c30000dee77a06451bde5a6b2b5d90329909ac1b728ac8f442f5c489c8fa8e15f6c91eeaa3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ose00000.exe
            Filesize

            152KB

            MD5

            a2f5215b1a839d1c18344016d46e7ae3

            SHA1

            ac6f5d1cabb52b1f1bad8bea1a92c3693bfa9505

            SHA256

            c98b52aafca1eca83affdd643c80d187746b84348c5f01b3c47857d58888ee8b

            SHA512

            237fe6d92141716eb56cfb66f8911765f3c37dfdecc1b140f2d90bd9331f92517b5198bf5fa5574faa16fae6756968254f87def2cd48ca03a275195cadcef6f1

            Download Submit

          • C:\Windows\SysWOW64\runouce.exe
            Filesize

            10KB

            MD5

            6a2fb92ab680909e723cd6cbe3916177

            SHA1

            0f943b937251065d5d173efb6d935cb223dd88d6

            SHA256

            cd493e965f12063386eabc94c112680b0b176dc76f57b4e5de9f271ccf803af7

            SHA512

            9dfff1cec9797c70ded70a2f319c31358dd71f19cc3780ac3bc3c59265aa64f13f1b22d2fb2670cbf3a237f87f966ee9f84735bad013638a1157d191f036afef

            Download Submit

          • C:\vcredist2010_x86.log.html
            Filesize

            81KB

            MD5

            1b4b9cc4ddb73b9284b794c0acfe55c2

            SHA1

            4579deb3052a4034c3477324c234c49c6314840d

            SHA256

            e3cfda23c02af8c432418733ca810856cba5bf698475e22745a28f24d8be7301

            SHA512

            5c7955b0a119e354da5c186c89411fb3b751eb1dab9bb6744906b984cea8834046045da0a990f8d478f6e67565666b3b9403237c0648d2fb19818a190b20c599

            Download Submit

          • \Users\Admin\AppData\Local\Temp\~TM28E4.tmp
            Filesize

            1.2MB

            MD5

            d124f55b9393c976963407dff51ffa79

            SHA1

            2c7bbedd79791bfb866898c85b504186db610b5d

            SHA256

            ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

            SHA512

            278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

            Download Submit

          • \Users\Admin\AppData\Local\Temp\~TM2914.tmp
            Filesize

            1.1MB

            MD5

            9b98d47916ead4f69ef51b56b0c2323c

            SHA1

            290a80b4ded0efc0fd00816f373fcea81a521330

            SHA256

            96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

            SHA512

            68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

            Download Submit

          • memory/1204-24-0x0000000002A60000-0x0000000002A61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-23-0x0000000002A60000-0x0000000002A61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1732-4-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-7-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-21-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-19-0x0000000077084000-0x0000000077085000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1732-13-0x0000000077A1F000-0x0000000077A21000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1732-14-0x0000000077A20000-0x0000000077A21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1732-15-0x0000000077A20000-0x0000000077A22000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1732-3-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-916-0x0000000076FF0000-0x0000000077100000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1732-2-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-10-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-9-0x0000000000150000-0x0000000000151000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1732-5-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-25-0x0000000076FF0000-0x0000000077100000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1732-6-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download

          • memory/1732-1-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/2064-0-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download