Overview

overview

10

Static

static

3

VirusShare...49.exe

windows7-x64

10

VirusShare...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 21:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_01185b6d11fe77996abe91a615919f49.exe

  • Size

    92KB

  • MD5

    01185b6d11fe77996abe91a615919f49

  • SHA1

    4082b7e0fded54d8f5ef4c0e8ab43d6bb35d88e3

  • SHA256

    10016b9f68b73a51165f70a783860c41ce3db6d6706aa0800c91397d32b26507

  • SHA512

    3c9918b834ad4f87b444de2e30700804f79ab25bc3a7eafcf4d6c3015eb8401acb4fa4cc211164c060e05b71d3bac7ecb9bdbf5f3b3e650753f3b7e4739f7444

  • SSDEEP

    1536:vVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:XnxwgxgfR/DVG7wBpE

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_01185b6d11fe77996abe91a615919f49.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_01185b6d11fe77996abe91a615919f49.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2748
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 204
            4⤵
            • Program crash
            PID:2928
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:432
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748
      1⤵
        PID:3360

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        92KB

        MD5

        01185b6d11fe77996abe91a615919f49

        SHA1

        4082b7e0fded54d8f5ef4c0e8ab43d6bb35d88e3

        SHA256

        10016b9f68b73a51165f70a783860c41ce3db6d6706aa0800c91397d32b26507

        SHA512

        3c9918b834ad4f87b444de2e30700804f79ab25bc3a7eafcf4d6c3015eb8401acb4fa4cc211164c060e05b71d3bac7ecb9bdbf5f3b3e650753f3b7e4739f7444

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        05a55aacc33432fec9fea490f5c69442

        SHA1

        bd2dd697d6e49290ff51f6f8e2db9bde87e72860

        SHA256

        65d742646568766a452eafac7bd80d140b7acfcedb5cd55923fbcc0f3cd2fa43

        SHA512

        91aa6dc1cb9632f1b9fec82da928a3e49d5531298e264228eba79ae38d530377a78af5f0beef9763d7d624acbdbe93bfffff4caf5b8dc29fa4d9b8d01514e5a5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        f77f4d315f660bfb31ecbf63b1b06c2b

        SHA1

        2aa3a243cb20f0561fd9791652289d810470058f

        SHA256

        83abf69a219831f3a1d12f8ca840083cb69f035c4fc5d11c8c1142834e6a65b6

        SHA512

        6a1c5b02424642b3a1e1d81ae86b73be574e896a6ba32c0c7b4766774e363e7a745ac337dddec376c5bc9b1064cd74ac76979df12be9b8cef52b8ddec72dc05f

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        d5ae5fb23c37d4565619fcf41f949eb5

        SHA1

        f08fee63b6ab8c2b68069dc2861cf5e61a440b87

        SHA256

        d086a7012ff719450b288b0bdab66cce43e78b936bab9da91b20c23cb982e302

        SHA512

        e7fcb053e8459e9e7e617996ec7f60c3192e13bb630323ff099a6519b9e0d0bf7ccbb1bfecbee67a172ba2172345b748701ba5f4e717d9ae5937239ee3db604f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{615E83F4-D067-11EF-BDBF-FE5A08828E79}.dat
        Filesize

        3KB

        MD5

        cf25611c6f43db16f687141b3c14b8d1

        SHA1

        9407b5c9545ae2daeac4e2a4d909912ecc7a5672

        SHA256

        61321d8f7d97c964b3f17eac5d5530bbb187b50a8376c76ad9c4fb4a74f1ac89

        SHA512

        4bf5170e3a8631491d2b678d63eae991b7dda769ccd5ca514fce6166f7cf9c6e8a2c40df3942f4ad872a2b7af380b834445cfe97ca058989805b9fe16b9d6f76

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6160E635-D067-11EF-BDBF-FE5A08828E79}.dat
        Filesize

        5KB

        MD5

        34b61d7b5a9c293671fcb20fa6b1d891

        SHA1

        94ba9c34e0256cb2043b2b140be0d8d1ae057f51

        SHA256

        375e2e912f013d41f8b5f26b77a16cdaeae7ce6bd2ae8ab49b3ca824dc82cb0d

        SHA512

        28530c9dbd120652f16feaf197ce3c073b7e6ba6894bb7b97735b61cf1b6f7755c19c170e1622a05b8580490fe0e762b41270e959be2dd5f366679086964fe84

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/404-19-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/404-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/404-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/404-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/404-39-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/404-38-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/404-20-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/404-28-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/404-27-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/404-35-0x0000000077E52000-0x0000000077E53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/404-34-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/404-31-0x0000000077E52000-0x0000000077E53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2748-33-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2748-32-0x00000000008D0000-0x00000000008D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-17-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-0-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/2880-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-5-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/2880-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-2-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-7-0x0000000000920000-0x0000000000921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2880-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download