Malware Analysis Report

2025-01-19 07:07

Sample ID 240626-ew13cavbnc
Target 7-Zip.zip
SHA256 ceae1aca80de8da382f0344eaa3f658883feda1150e2093085fad47c4687e3c1
Tags
ramnit banker spyware stealer trojan worm
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ceae1aca80de8da382f0344eaa3f658883feda1150e2093085fad47c4687e3c1

Threat Level: Known bad

The file 7-Zip.zip was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan worm

Ramnit

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 04:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7z.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zmgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zmgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe C:\Users\Admin\AppData\Local\Temp\7zmgr.exe
PID 3628 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe C:\Users\Admin\AppData\Local\Temp\7zmgr.exe
PID 3628 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7z.exe C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\7z.exe"

C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3628-0-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

memory/3628-6-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1484-10-0x0000000077352000-0x0000000077353000-memory.dmp

memory/1484-9-0x0000000077352000-0x0000000077354000-memory.dmp

memory/1484-12-0x0000000077352000-0x0000000077354000-memory.dmp

memory/1484-11-0x0000000077352000-0x0000000077353000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~TM4F97.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zG.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zG.exe C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe
PID 3384 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zG.exe C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe
PID 3384 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zG.exe C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zG.exe

"C:\Users\Admin\AppData\Local\Temp\7zG.exe"

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1872 -ip 1872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
BE 88.221.83.210:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3384-0-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

C:\Users\Admin\AppData\Local\Temp\~TM4594.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/1872-8-0x00000000776F2000-0x00000000776F4000-memory.dmp

memory/1872-9-0x00000000776F2000-0x00000000776F3000-memory.dmp

memory/3384-10-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Network

N/A

Files

memory/1624-0-0x0000000010000000-0x000000001010E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:21

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4324 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/2548-0-0x0000000010000000-0x000000001010E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:21

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7z.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zmgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zmgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\7z.exe"

C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 96

Network

N/A

Files

memory/2752-0-0x0000000000400000-0x0000000000452000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

memory/2752-6-0x0000000000400000-0x0000000000452000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TM7687.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/3044-12-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

memory/3044-11-0x0000000077CF0000-0x0000000077CF1000-memory.dmp

memory/3044-10-0x0000000077CEF000-0x0000000077CF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TM7724.tmp

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

memory/3044-17-0x0000000077760000-0x0000000077870000-memory.dmp

memory/3044-16-0x00000000777F4000-0x00000000777F5000-memory.dmp

memory/3044-18-0x0000000077760000-0x0000000077870000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zFM.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zFM.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zFM.exe

"C:\Users\Admin\AppData\Local\Temp\7zFM.exe"

C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 96

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

memory/1776-0-0x0000000000400000-0x0000000000491000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TM169C.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2224-9-0x0000000077DEF000-0x0000000077DF1000-memory.dmp

memory/2224-12-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

memory/2224-11-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TM16EB.tmp

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

memory/2224-16-0x0000000077260000-0x0000000077370000-memory.dmp

memory/2224-15-0x00000000772F4000-0x00000000772F5000-memory.dmp

memory/2224-17-0x0000000077260000-0x0000000077370000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zFM.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zFM.exe

"C:\Users\Admin\AppData\Local\Temp\7zFM.exe"

C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 324

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3752-0-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zFMmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

C:\Users\Admin\AppData\Local\Temp\~TM54E6.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/636-9-0x0000000077AD2000-0x0000000077AD3000-memory.dmp

memory/636-8-0x0000000077AD2000-0x0000000077AD4000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-26 04:18

Reported

2024-06-26 04:20

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zG.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zG.exe

"C:\Users\Admin\AppData\Local\Temp\7zG.exe"

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 96

Network

N/A

Files

memory/2060-0-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zGmgr.exe

MD5 303f491b9fc879064b210cb0b865d178
SHA1 5cbdc35fb45bd3fb5ac62950ec22443a4179203c
SHA256 15f7fb2edc9b34e0da2fc658df38d8aea52664f6be1510dba4636dc13f466f86
SHA512 96c076c5027998281c408c1314e67f14c0150ec01173a400bf42e482866744d7e6f58cc7bf9748124c3a652753020f4606b170b61f1e722f8d4f74bff65fee24

\Users\Admin\AppData\Local\Temp\~TM1748.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2384-10-0x0000000077270000-0x0000000077271000-memory.dmp

memory/2384-9-0x000000007726F000-0x0000000077271000-memory.dmp

memory/2384-13-0x0000000077270000-0x0000000077272000-memory.dmp

\Users\Admin\AppData\Local\Temp\~TM1778.tmp

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

memory/2384-16-0x0000000074DF4000-0x0000000074DF5000-memory.dmp

memory/2384-18-0x0000000074D60000-0x0000000074E70000-memory.dmp

memory/2384-19-0x0000000074D60000-0x0000000074E70000-memory.dmp

memory/2060-20-0x0000000000400000-0x0000000000462000-memory.dmp