Overview

overview

10

Static

static

3

e6ecb9b9df...15.exe

windows7-x64

10

e6ecb9b9df...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe

  • Size

    1013KB

  • MD5

    3eac714b100d3e3e2bdaf9a6d4eb4a53

  • SHA1

    e87a2fc933d3954bed475e501c362f2fb3e3657d

  • SHA256

    e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15

  • SHA512

    1cdbe9cf86221e1bd9ecd01ad6b2a948200e8c0cb32cf148b6d6fc4f2740b2f256990617ae2ad17d05aa0822713a441eee143309ccfc0fc91aef1d75404a08f5

  • SSDEEP

    24576:cEGRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHGn:cJ8TjFJspDLoVMgdkw

Score
10/10
ramnitbankerdiscoverypersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe
        "C:\Users\Admin\AppData\Local\Temp\e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Users\Admin\AppData\Local\Temp\@AE9616.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\@AE9616.tmp.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4448
              • C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
                "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:932
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3348
                  • C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
                    "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 932
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1620
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:5044
                      • C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
                        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:332
                        • C:\Users\Admin\AppData\Roaming\injector_s.exe
                          "C:\Users\Admin\AppData\Roaming\injector_s.exe"
                          11⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2500
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:732
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2532
          • C:\Users\Admin\AppData\Local\Temp\e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe
            "C:\Users\Admin\AppData\Local\Temp\e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4816
            • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
              "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2008
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3236
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      4678c6b9e04d71f22ad272e0502cdb5e

      SHA1

      3f4cda0c3979c8f87b48914dd58b7eec0d480738

      SHA256

      8a2e74caaacdb17295780859af0882ff7e55a14ba77b04ab4656462c44adb673

      SHA512

      b347198672efdfb51dfdc266aa96b463fc8ee2bb260f9b493055849be7805c38b0c176d25bece406106d9d2e526c5948579f53d38737517496c1c81a7f9a2bbf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      edc5495e52766dd594c4132cd2d9ba7b

      SHA1

      ce85d252362b8251fb7fe4f55213fbc749e77828

      SHA256

      83f3d25ce0c4d8b4144f5c1ddc3d67437fd23118d783d6fecf87f6d071fee8b5

      SHA512

      e3808291191a59186112fbd3c34736a25c51213a097e8a530ad6e2eef366adbcd19bae103557a43a98549e7e444468c833d7252207cb88ee3c69947ff85392ff

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\@AE9616.tmp.exe
      Filesize

      951KB

      MD5

      fc0177453f6297f8a51340756cbcb941

      SHA1

      8ac21c7e31c81697d2b23ebc30b445f01c62cafa

      SHA256

      fbbd0dba3bcab25a75afa9bd14691bf24c25274537eaeaf7e2c11b4526721fa3

      SHA512

      81fb2305d8292419555a70a869ab82a01e4c7d839184bb2556b08d141b8b384163bd365df37c18ccb61a0471859cfc77e7a871c49d86599b84b3ee077d910f5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a0x.bat
      Filesize

      44B

      MD5

      804bb96081db73d249b1d21573d8ea59

      SHA1

      abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

      SHA256

      b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

      SHA512

      d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e6ecb9b9df7802d0b44a68fec69d3580e3c4dceb751763aa7507a9905cfeba15.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA066.tmp
      Filesize

      619KB

      MD5

      713537a3f79d36f0eaeaf8e8fba96322

      SHA1

      f03481707b940065e41ce008eda643eea78ffe40

      SHA256

      5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950

      SHA512

      0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA087.tmp
      Filesize

      121KB

      MD5

      864484e1394eaaa2e9a8a63f01c97be0

      SHA1

      d02a92d866232f22a8477ab99e6d27354fa310f2

      SHA256

      e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0

      SHA512

      16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA097.tmp
      Filesize

      131KB

      MD5

      ebc999a1ded4f76d648431350fe423bb

      SHA1

      b1a4abcb00364ede9185209d41e7e2532cd559a0

      SHA256

      ba6a7655e3860d01201ffbce06398dff71fd97acff99e95ac8cd2a3e3161d1c0

      SHA512

      aba5a33667e01857650f74ea5dd461c11a0ff121c22e08ab058b950b11b315119b00acaf0aaf7401a668a4131daf73d07717002c6dd55570a79ad5ba526e5ce4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA0B7.tmp
      Filesize

      99KB

      MD5

      88c497ace0db30cc47fc259b7806ad8f

      SHA1

      a486cedff64cb60e62ffbefd25ee5df79e6a9714

      SHA256

      4a8ea33966592b337d31802f55ea7f901caec037b5b1bf18a9e2b6b044915781

      SHA512

      1748700a158b8f999658eb532e5d4ed80c844b21c47d3bf0d8682de22be4b47a424350196ee3d0538d71a67aca906b781282eb3192031e93e834f417b8134346

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA0E7.tmp
      Filesize

      172KB

      MD5

      b00a14a9f3b2c8ac19ada6992517ff77

      SHA1

      8469aa684cf86fcf627c828d40a9dc9688187173

      SHA256

      015caba690febdd5403ad86a04bb9763db7408a3b3f0be85f9c364580dac4649

      SHA512

      fea53117dc2efc23af186fae9ea8abc6ed15a516a820d62a5d312525447b0495fc0d81acf540017422427ea45754298fb7e334c9db8c47d49c4ce741f85bbf2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA0E8.tmp
      Filesize

      76KB

      MD5

      ccf05ce9abe252cc7d68b2ff8ab6cfb7

      SHA1

      8739e9e007b62d9434bd5d06d5d312d255496a00

      SHA256

      a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f

      SHA512

      e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
      Filesize

      953KB

      MD5

      a1e7d9a68bb796bfdc57403aaa1921bb

      SHA1

      0e22ac3ea7b755866ba9e3f3a5650315ba496e46

      SHA256

      739050a468d74bd1771e8ec1065e9d6f84011b1fc495ff3a35f9bd3a183abfbb

      SHA512

      253b2eca888b64d1e6ca360520a191eeb10735e0f73fbd13a599fc46b1fd49368f43c7aaf2f6233385ac91768be7b71e7a4dacfe047f49e0593d57f9ed5759c4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
      Filesize

      76KB

      MD5

      8bf335774fbb62bbe1de03921dfe047a

      SHA1

      24fc750a20aebb52f23e84264d201f458106d95d

      SHA256

      048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

      SHA512

      aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
      Filesize

      172KB

      MD5

      6ff3155e619e2c601db536c88741e094

      SHA1

      c71bfc0a9b11db33c801035e06d31a03e2901dd0

      SHA256

      b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

      SHA512

      8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
      Filesize

      105B

      MD5

      902a1098f800859502aec4eac3026495

      SHA1

      a6b209e9aa15087670e830af5de8179b31abc897

      SHA256

      ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

      SHA512

      cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
      Filesize

      196B

      MD5

      426ab43fae13628d5e1ef9613a3f672a

      SHA1

      5a208a3b7e27a01efe1c1acfb3f1d5b708ee50e6

      SHA256

      e1c0213b74babaed85cfd1efa73658e845a289c028f624bab98258163b71705e

      SHA512

      11e0899b857d16a529beef00fdc00f422cc85512a7afa12747135263a28a8550e1e8686c96730d81c324f20f556da89c0bfa40362f0b28f4d63583fbf3c1b3f8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
      Filesize

      121B

      MD5

      86a0140071cf078805ba9fb8ba76260a

      SHA1

      526bdf1af785325d83726b139066cf7fa74bf64e

      SHA256

      cd405932f27d574b3cb9fd42cb48a8961266467cf6d42a5805a10606e2a1a35f

      SHA512

      22fc1704292d08aa3624e4efbddf4fe2a7314f8c7c3c35f621bbd52bb28fabab2bb67ab3ffa793bfe8bd44358f2f715a0b2312ce718a4ab3bed795bddac15c0d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat
      Filesize

      107B

      MD5

      85eb3280f9675f88d00040cbea92277f

      SHA1

      2fece0a30b2153b4a9fee72fe5a637dee1967a2f

      SHA256

      bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

      SHA512

      2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll
      Filesize

      388KB

      MD5

      8d7db101a7211fe3309dc4dc8cf2dd0a

      SHA1

      6c2781eadf53b3742d16dab2f164baf813f7ac85

      SHA256

      93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

      SHA512

      8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

      Download Submit

    • C:\Users\Admin\AppData\Roaming\injector_s.exe
      Filesize

      188KB

      MD5

      1d1491e1759c1e39bf99a5df90311db3

      SHA1

      8bd6faed091bb00f879ef379715461130493e97f

      SHA256

      22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

      SHA512

      ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

      Download Submit

    • memory/2008-87-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2008-85-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2008-91-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2008-90-0x0000000000560000-0x0000000000561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2008-89-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2188-14-0x0000000010000000-0x0000000010015000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4816-86-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4816-72-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4816-27-0x0000000000660000-0x000000000066F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4816-25-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download