Overview

overview

10

Static

static

3

92c24f9ceb...0a.exe

windows7-x64

10

92c24f9ceb...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 01:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0a.exe

  • Size

    1.3MB

  • MD5

    c97b0b912b89e5be7faee70af4a77ae3

  • SHA1

    3da4cede0b3454b76208ee2df4edada6975796c7

  • SHA256

    92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0a

  • SHA512

    7a0863d8a6027c05338608aa71f86c194d5a6fba368c99521d7590ab81672e16ec77bbfe68d19bcc964ed7043df23724ad699608189b2158ce613e04b1bdabe8

  • SSDEEP

    12288:vqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+xi3LXct9:vnajQEPnvg6PhWDC750xEct9

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0a.exe
    "C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgr.exe
      C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgrmgr.exe
        C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgrmgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1432
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1488
      2⤵
      • Program crash
      PID:3864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4236 -ip 4236
    1⤵
      PID:392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      5ee87e965aced545ef99fab956d39e0f

      SHA1

      7c054e24c36169eaa67a24f9a478945896f548d5

      SHA256

      12ade2b9de7f71022653fe1529eedd686c53c6f24edcf7a2eefdf473759c32a7

      SHA512

      2fec6402edfa8ea8337bee3a9a0a3f563b999df30ee4a7a12042d91bc7e61faa5c676c2cbf237aa97dd98d3a554d813719aecf42259c1a5afdd3d6e28bbc68f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      5edd802f9a68854e7d766e951a54ec1f

      SHA1

      2ebe204a05a3b39a41e35f8206df2c3bd31c2851

      SHA256

      4b26f212f3a5a18a04c6c52d35c9c3b71a65703a5d035155f8156efab4f37d1f

      SHA512

      82cf0841f8574017f799f886f4564ad91aa704c06819b4747e455a5b59b8425a85e57051fcb465c74a0fc27dd5eb0b7ab3c6bed1b4c34ec31e663f4c6e275a6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CF6FE15-C588-11EF-A4B7-4A034D48373C}.dat
      Filesize

      5KB

      MD5

      1c019f1b8b0999ad85eaea33afb9e103

      SHA1

      48f3c0aa4ebafa57a28d50a5bf8bf80e431c7398

      SHA256

      2fef08447666033cae0d6cf0b422dfdc21094b4f6dc438e821206ea4723f570b

      SHA512

      d4f81ea3ef7d78e304182436679f3433def66ca9a4fce4e2abbffe5f2017e3b6cbb5b39662a76d54c930b5664acdbdb947a3acff28f4b5ceeb3d7db674108172

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CF960F1-C588-11EF-A4B7-4A034D48373C}.dat
      Filesize

      5KB

      MD5

      f77ebfae4de8279a597e0dd1fee597cf

      SHA1

      4624597be7da757260affb8193dacfc8d54d1fb4

      SHA256

      c8a7218f9418705aca3fae67993536b47f40f514a14b288d765dcc34e2f4257e

      SHA512

      4d7fcbd4b2fd113337da6047793d8081e4a8d4fd2cb7baaa90cd9abc13e81d8ab093c8093db03fe4aa0cc7baeaeaa2d586af80642ab179adb79cb8cff29b1afa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver38AF.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgr.exe
      Filesize

      176KB

      MD5

      fa7f8da80fda86aae9a3f2364302b5a7

      SHA1

      20d1e7e3ec9db5fc5992c368a213a3d4f8f785f4

      SHA256

      1458f7f05d222fcdb2f4131a15c9408144e5be45a5e53830823124bf3891002d

      SHA512

      1cc17fd351e8c493fb3db31d02fc2300af2d8ae8fb081879895082a81a0f41809f1cf1cc594eae9faf47ca3d2086a26af9c007c065ca73007737bfdbfb21cf04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\92c24f9cebcb803f5b02791186b226744a4d5805f82c10985293395ab4b39e0amgrmgr.exe
      Filesize

      87KB

      MD5

      1e55a2d7a5b3b8f2970c134145d54ab4

      SHA1

      3113838605f4c4a84656a7dea5b1b0effb89d015

      SHA256

      49a9fb163b538f1d32f5bd492b1089388b6ed9293ff7c6dd2756100e34f87c4c

      SHA512

      9b47379aaf3e71d6a4ee3b0508768a42eb247dde4a0b8135e1af6119e26fcb47af9f45bfe3f4f0ac453e19317bf121d7b71d0d152987d6d40ae5a8781beec8aa

      Download Submit

    • memory/1300-24-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-31-0x0000000077052000-0x0000000077053000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1300-23-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1300-21-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-6-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1300-19-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-20-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-22-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-26-0x0000000077052000-0x0000000077053000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1300-25-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-9-0x0000000000401000-0x0000000000402000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2420-10-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-12-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-13-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-15-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-16-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4236-37-0x0000000000400000-0x000000000054B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4236-0-0x0000000000400000-0x000000000054B000-memory.dmp

      Filesize

      1.3MB

      Download