Overview

overview

10

Static

static

3

2025-01-03...it.exe

windows7-x64

10

2025-01-03...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnit.exe

  • Size

    3.6MB

  • MD5

    7c7a53883b80f22bd881903a16de54d3

  • SHA1

    7ca6134a736dc8f52829f8e30cd13a95af53986c

  • SHA256

    c4abf6ae6c226c4824446df015cfc1ce0517e361e4e0d16808b124ba3b7ca0dc

  • SHA512

    10723ed0eeef5f392d3251e03a6adbca537db0a5b8f79bf8463a6fb08feb19d638023ec17e7e447dbc607ae126badc92c178024655b12e664354e106d6658c32

  • SSDEEP

    98304:z1fX1YJdXWdlfmkfldqgVMgDnwo+kUNWvI3npO9Dz7vYzLEEvBZ0qwmy7mpmm9mW:z90dXwgSkpWfDz7vYzLEYBZ0qwmy7mpf

Score
10/10
ramnitbankerdiscoverypersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 62 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnit.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrv.exe
      C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrvSrv.exe
        C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4324
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3436
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3436 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4800
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    8fad2e07a4c7a80a9b50d87e76420c29

    SHA1

    7faa7310d52e1b97b5f7597dda3fa439f4ec04d8

    SHA256

    be210b4b624d55d076fdc5b6d9f6b98acb116c646e43c56e52790d910bca942d

    SHA512

    459a02e6817f3ba0a1edc2590a266a772127f39f651c9a5ee1170fbaefedeadff6a6ff948f97ed09670413dabe611c2c34e00e7600b4ff501455c35776da7895

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    7d634cea0e782e6c70b57e560c6c9331

    SHA1

    a5cda8ea6b2a1c8a434b47a10a77badf51226fb7

    SHA256

    a92813cd9b3599da39e9e11fa6b8fca60be11f1894f3c12c5d3e7158e629317f

    SHA512

    c105b24dc45e6ce51d203e2401fe6f8f67f5e27528b02b0924d548bc98f61fa9142fd4196ef406103a4e7bf3e14a0cd7dd3f758103a7c9a9cc3a2af8b22180d0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    88dd8f09d12d08ec6b9ddca87be684da

    SHA1

    1ba181e8fe32f7fd95a3f30b409f0a7f162b6dc0

    SHA256

    9b9d7d870262721bd022f57b21d35de364ea29dd5be336324602b07c799067b5

    SHA512

    7c6dc5c5074897dbe3ef626e63e5521e9a2e39ef366780d1a3587cef5037ad5f9c4bc51e21ddacf1a472965f1c66e306cd0c6367a3885bdabbf84ccdf04116f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5193FF51-C9CF-11EF-ADF2-EE6C25FCE24B}.dat
    Filesize

    3KB

    MD5

    a1497ba9ae724467ce6d721eb826ccd4

    SHA1

    caf72eda7f5aa564aa7877a174eb3d2421a08a52

    SHA256

    defbc366ac4c24cf2dd921d68e276d72212458c427a45278323aa620d4443844

    SHA512

    cf5c6921e1e8654948b02cb674d34b2019a4e8d424a01770dfef1291d6c2bce5c634715e17973bc0dee66b3ec522e24f71ca6e3edc93bfba4bf932fd942754a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{519661BF-C9CF-11EF-ADF2-EE6C25FCE24B}.dat
    Filesize

    4KB

    MD5

    a6d4544bc44b1edf10db7dd4706a870a

    SHA1

    01429de41e887ec793aab316352d91dea2c8501b

    SHA256

    ce6696d31893f49370b2bb6d6d6565e69894be66cfc3e7f8a1fb277d15e2a004

    SHA512

    63e1989333e43afdd45da8688e9ee71b7ba15f0ca2278b1f6ed8d56123de2bc0449091b2f1e37eb2a9bbae4f01ae752d3cacc33fd325a14359ac7137d611251e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{519661BF-C9CF-11EF-ADF2-EE6C25FCE24B}.dat
    Filesize

    5KB

    MD5

    35b0a8c639b2d17cb204e0d0ef5b7cfd

    SHA1

    26a0bf2a16221bdb565ade106c32facdf2c561da

    SHA256

    c13cc73bc0adc37a84843a6886744dd4fe8bd1e8b826d02785e7ec91423a0600

    SHA512

    25d7f77b433fcb4bae0940f5f6d18021fd8c25f3336dad4160bac967269cdfd9eeeaa1044e46db8e5d1c3450153988512d88b53cc522cdb58052e79b566ac374

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver192.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrv.exe
    Filesize

    111KB

    MD5

    0807f983542add1cd3540a715835595e

    SHA1

    f7e1bca5b50ab319e5bfc070a3648d2facb940eb

    SHA256

    8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

    SHA512

    27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_7c7a53883b80f22bd881903a16de54d3_mafia_ramnitSrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/692-21-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/692-27-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/692-31-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2120-26-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-29-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2120-30-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3000-41-0x0000000000CC0000-0x0000000001063000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/3000-0-0x0000000000CC0000-0x0000000001063000-memory.dmp

    Filesize

    3.6MB

    Download

  • memory/4008-13-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4008-12-0x0000000002050000-0x000000000205F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4008-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4964-23-0x00000000005D0000-0x00000000005D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4964-28-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4964-16-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4964-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download