Overview

overview

10

Static

static

3

2025-01-14...or.exe

windows7-x64

10

2025-01-14...or.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.exe

  • Size

    7.7MB

  • MD5

    0b8cd5cc5f79f82fc95da3030b9d4012

  • SHA1

    50c6f7bd9609790a9d41e1b3cfc5e91c1a69d6b3

  • SHA256

    763626966dbd96bed7bc2aa5e3ab58e3302b973925f49ece644ccacb90aa4119

  • SHA512

    b9d8655abfccacde0df1771084b4adbb7266fe1b963f7a8dd0f0750e83d6f00df094dfe3d31a7e6f3773bcd247c9853b9b8dfea0ce3e23992cc96dfded9606b7

  • SSDEEP

    49152:J70vVrYK8m0TzBNMFcUVcAYXnGYXPNd2kala+yihdXAF/edvoRFRh1Z+WD14gkz8:JwdrytXlposN/I83HpR7h5u

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\drivers\lsass.exe
      "C:\Windows\system32\drivers\lsass.exe"
      2⤵
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2144
    • C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.~tmp
      "C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.~tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictorSrv.exe
        C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictorSrv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2976
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    00bf3bc2f8fd2e0eae64c7d86be34f31

    SHA1

    fafa461f19d41ab6d736e6911233a7a5150b2a86

    SHA256

    97bed3f8d9a5c10ff183508ec649265c7a1c77f077f8ae7e38f0114f5e1c3ee2

    SHA512

    e54431a60634a14425e4b737c34a5b9936451ee729be91dd26e840706bc044e8786b24acfb05e91670eb652c886618f816e5406d0101813d7d667ac5ddfbd2e4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b0817539882c67c7da974d484cc8adef

    SHA1

    d5562438d857acfe32778ba0695ea00b95c48f8d

    SHA256

    4a1179a1bb1e0d05985a226f4bc0bede74aa3a970037ee7a4c009c241a15a71b

    SHA512

    519d73aff641be903ac23834ddd023255e3d36e1beb1e7d98ed02aabfe38a18843c1a72168aa79ce055ef82f0b10f0b66a3c4eb61ce0fb3a6a688bf6a773869d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9b84b5d4d490d093795e7e11e2f48e4f

    SHA1

    899c61e99f582ab266fcf9e3809d9ea196c67580

    SHA256

    fff0ead870e6526fcaaf7696017afc17a9e9fc6cb3956ddb10d3aaee1a5516e6

    SHA512

    f1d5f2c454d7c4a569ca2dfdcfed02243bd220a4431f6decdef6ca791a3c8bd19ec838062648868aecb4538dbef14ef57b8f61d63549858d7b29f37cd4d2d0e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e054671c2821c8016d528c3cb65662fc

    SHA1

    2efff49b63603004e4c50e4cf6c7786212df6963

    SHA256

    2cb411cb6b91e0c70d38180a7c6612aed57c3757d72b6911c107e078d564eb30

    SHA512

    3a97335b6a8000db6a0f57afc947129b97d3bf047c44bc041d99c65bc7d87bdafa818508110bdcc00505ed15891efe943c3cea8e525c060c3c837cc065f74fd0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1a6803e5231ba447bf17c8ead8cf0953

    SHA1

    1a43f96149c34969c7624b0e5a9e5413cc2b074c

    SHA256

    f4d26d667d7aa6590a259d1d04c8002fde91498635efa68cd6c9eff2523283cf

    SHA512

    7832887b6d1115e73cd834830f58c2631b1c95bdce0a1accb2dbea101fdb92ee812113a6070c5bee31dca457a14ec52bdf08ba88cf3f062c67e529c61f5917e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9e59fc8f9385f17167b019893b280164

    SHA1

    93bf42e9c6c091685bb91e9a6e30959246140213

    SHA256

    dc1e5ae8d9186a8947f70608a9b14744e1713ad7ae2d9b00fb8f4b7cbcac66ba

    SHA512

    931daaa0fdbf536ef789091fb277bc83e0ac01469124bf1ac903fd93eaddc98c009d8b08492fdad8517ccefd4c1af7ba43849b1403318ed84fd87ead87384e4e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    70f413181036bb0fcc88f3e13909f621

    SHA1

    10795f58205cae6125c3acb3b4f0a2509cd4b351

    SHA256

    97224509477a81e1cebf40a0b675aa6a31910f218244ef37963f7a9c560f3f6a

    SHA512

    031074b47c28a74a3a73721292bef474853450ed3bd4c7e0d9d25f1955cf9f91387e34b1a26a3016bd8246665daeff425ae03c7a323af1a276348f80110a7c33

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b3f2e54069dcde52c35b0eaecc8305d8

    SHA1

    a085577938e6ad7621c0a9b9f025c0ec15bd7f5f

    SHA256

    5b7191f0425fdc5110f75cd8b91d8a36ff40ff01f1d5de7c08840ca9bc8cbbd9

    SHA512

    a091ad79d33e012ac4be082b4f28744a4b0f7b8d529e2f15a5bad561f0f1847ff5e4160a316b8f50581d5f9680d39dd0054ab9aab047839506afa9d7943bd566

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cb6c4ace5af9494fe733804602dca7fc

    SHA1

    a38f0222b9083dd28e95f6f2b16e474b396fbd94

    SHA256

    45d87d296e9659e20fac84d9eee5cabd25768ea692271a74130b96fafa92db58

    SHA512

    5ed3eb8c8e0eec30d8d32f0ba6fabead2c65c22b42afb1db43865e6d83098bd9cfc03fdc4a09c2f98d2345a4fb6ab7aab5287140bcd48ced4095e2c53fd89fc0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cc363eeb5f1d32cde1f6527cf9c8cbf5

    SHA1

    3041c2059243c8b7262fd44d1660e5fa3a6408e4

    SHA256

    1724598720e84a67d46e30c2d3134002d389bd1ac73d059c4d8018dcb57f80d5

    SHA512

    c05b203099a95e789c6097ecaa87572cad28a02b6a0b906cbf63a7e934a3a51efad766c6c2894ae0e7aa5ab871b15c8df98b794594fd1fa465abdac48c06332f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4e1990e2cdbe35c053181e7d82361e1a

    SHA1

    1a57199f020b230c10ce5026ac90e4fd182ad940

    SHA256

    99bcffaea004b0080b9e139d87db7a7d59acf589984e54ee0bdda0ea7a71986c

    SHA512

    a7da53110fdebc849aff9c7f592b6acf02be7d1ee66f351f8fb7310a1db99b4ef1f277139a5dfbf5cac346c8ecf62a318e097200ccd2769a9a4bcbfc642eb316

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e5b4b9714a67aef33bc12facdcb87847

    SHA1

    8638bba80209419f7a44876abc5f5cd848fe5c3e

    SHA256

    7a4786e23f9ca8fef566d0f4515e4cd68037bc983b457096c7c9ea56b4b4b64a

    SHA512

    9239df47b19d7e95d0c717d125edc5abe766e2a53ffdcf93e1519f843d2fde4258707ec0840fa2ac36f197bcc56c0e9e82bb1bb175f4ba3600edb5e679b52f56

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2f2f90293d6d885f299a04dbbe9a26c0

    SHA1

    060e5396b7580c80db77e84e335f26d61542d5a4

    SHA256

    ba766e42c36b505caa50837635810e61a1329e5a5b76efc9e6c5ec7a24ae4b05

    SHA512

    04fba6d1e2e2bbd9fcca7ccec72f2e638cfce81e7634268e6068ff5fd3ff7de8231068bca8106140fa59d42673b9c8aa076d04485c0c12803aef1cd781ee59a2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    84d8dc1352423ae48d046f769d02cb44

    SHA1

    afe5a8226aea032637de1a9fe30463ef466e2ee5

    SHA256

    2d95761640266e5caa64c1758a381faaf45b895c79400f59f0bf27b5660c27bc

    SHA512

    79ba602a9cc2a6534cafa364612e703f52e44851433df6edc69600a9ae8bfaa055fffb27925f2f356b24e7651237944b4e99d07ecea0214d56926903d5bf4d33

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d6705bc99bd0c215543c6d870179b70a

    SHA1

    3fb3373cd1a08be4bd454372f537f833b2cfd676

    SHA256

    a0b1f31f8fdd58ec66f6fc86bfcb390ab45f8f3c3a3542f1c03b7a2edb8b3916

    SHA512

    4ccd2c1de10dc6319001fdadf316054cfd405301d879fd446c19ea7a27184c3744dea7198e06d4dc29111581e4de300e43895aa16b20bd6bf7dd22565a0a6f5c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    18afc5d0101b4fcf2bed86ffa38f6bfd

    SHA1

    68e0581db635c36fa592fd572f6cfcfae0c2ba17

    SHA256

    b5cbf3b10cefeee7c69032bb76c02bf12d290a71fbe2e4ef8bde21f9ca090f9d

    SHA512

    a4d83972a9769e6c75d98b074fd95e7ea70fa53661a91608d255915eb3b551ea8f11e88ccf78e8c977f66b3baf2572cbf9e9d55405163198a48d225fa0cd5d67

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4e6250b8935542dc90223d62144ef87f

    SHA1

    89b509bfe879d811685be8c53fdfc0507bd32f9c

    SHA256

    29b7d22dbb00fdf6b2ebb7675e28a406597592650187f667900fea3532905423

    SHA512

    13c3d497a826d9e053d33a545e68fdd35457f8d9f8505f26fe3e3e02ff3924d38e5612da155117c3c9bd46e369306f86e39775f12bcd2b15397637fbd2210914

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    60917b41b5a788d44aae3ec77c10bc32

    SHA1

    a6953f8a81cac423e8f1247f4f7c5ce705e0865e

    SHA256

    6c42157b65814532ca50581cd61893d2c50b13d66f2e4a6c7d0e50cba3dcd9e8

    SHA512

    9555f44d176b28676221e6e893d3293ed1e0080feb5f6bcb9bc9e914407dd2a9d7d70de88dfeab1640e94caa5dd992768bb0dce88118f69029a52b1e4d6709c5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0dd8413a7ac59dd4266d9b3cafb7a05a

    SHA1

    632906d37fc3517cd8451757212dfc87dd865e70

    SHA256

    617798eef1c9bbbf99a2c80afb8b8c9b8ef128786498728ac272f5d50cb183f2

    SHA512

    10f5f0c312c155778eb6cd06002af8205d7eda8ab835dea859b70c35574f885c05e32bbcf6cb25bf6c972d7e5b05649e58a2fa7f65f4a5da47d1e6a13ee50521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictor.~tmp
    Filesize

    7.6MB

    MD5

    43b0082c86fcacde96efa032bd0eb071

    SHA1

    be7c211c377990a9f4eb96da36a18b69c01d6555

    SHA256

    e9d1b415c3f9d50ff4399414a6034bed731c8e5d51dc88efb311124816786dbb

    SHA512

    c00011372827304332a96d1c84a48f44619c60bf43519a90f5c34c12e405b98d1a9cf71f855e15ddd42d19a0929a3d3a0f4c4aff2abba6346cb72f8590bdd74d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_0b8cd5cc5f79f82fc95da3030b9d4012_icedid_ramnit_ruftar_strictorSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab5F24.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar603F.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Windows\SysWOW64\drivers\lsass.exe
    Filesize

    32KB

    MD5

    c451134261557ae5fe1ee308d0ae1b98

    SHA1

    e55a9ddd2e3b3083a76d091b13748f55c2caeae3

    SHA256

    c5eb765654730a8a3dc53997549d97542b419cc5f3fccb9d4a487d1a04dd6481

    SHA512

    5e9606529d2fea3ac3932f7f08fddc13497f9b3dfe66d61dfa14a68cd37d12cb40dd2a7071c6d8db346cfceded2b2947ec1d3c0291b15d250b75aee7adf52be3

    Download Submit

  • memory/2124-38-0x00000000027A0000-0x0000000002F46000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2124-15-0x00000000027A0000-0x0000000002F46000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2144-469-0x00000000002F0000-0x00000000002F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2148-36-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2148-35-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2316-28-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2316-24-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2316-27-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2944-23-0x0000000000120000-0x000000000014E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2944-17-0x0000000001020000-0x00000000017C6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/2944-40-0x0000000000120000-0x000000000014E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2944-39-0x0000000001020000-0x00000000017C6000-memory.dmp

    Filesize

    7.6MB

    Download