Overview

overview

10

Static

static

3

2025-01-14...or.exe

windows7-x64

10

2025-01-14...or.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.exe

  • Size

    7.7MB

  • MD5

    2ea92aef62e2e3442061bfac63200d82

  • SHA1

    54741ea20f2f8f195383bb62e9ceb5c21375fa64

  • SHA256

    3cb768625bc63e2075e7f07e10a06822aaabb858abcfd3cc3ee44b1246c95162

  • SHA512

    2f65089554f8b979266ca559c98949906520c0544079217776d4b6bbef73040108aa44d79e2424deb252bf7eb35a8ef600cf0f18046a50a4c68bbafa01038f3b

  • SSDEEP

    49152:K3ORwRazeYFRu6cjZ72WIJfJnugVaryxMNdPyORo7veIAe+/rvATWFNyALrcVMdH:Z+6/9KN9ie3rcVZAnDhKy

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\drivers\lsass.exe
      "C:\Windows\system32\drivers\lsass.exe"
      2⤵
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2860
    • C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.~tmp
      "C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.~tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictorSrv.exe
        C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictorSrv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4c688822358bc14c311f385ca0038669

    SHA1

    443eb1e70fa4df86ac5cefaae6577df2cb00cf11

    SHA256

    be567556b0bfbc4608f54be04c5a9ff0601ca052f9752234e4555232e4f74269

    SHA512

    671336a6e1d2bb0eeb49c81580a6f2eab42b391d6979ca568d8d302b469d756ac3631d46b7a78ece5b7da12630133d43b61f7966caf1d3c2b3c6c6d33ad9ab1a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0d232153435fad752d57a6ebf87757ed

    SHA1

    533047b75930d70104686927736a36a5a0aefdd3

    SHA256

    3795f7d86212e2fac90e04177602a9dbffd9cdd790461a0427503f6f2a15313d

    SHA512

    cb7db3d405aa24e8d8eaf7fde1669c3206ef0c20d47ee62cf1814041c27243dade16a0c4cfed7a0f926acc7c8a12a10fa11751758fdc5a61dc475602eb691884

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    09ce256f69ff5ac0c393fd88e57b57b9

    SHA1

    670c4887c850ca4bcb81ce75cf8fb0584a6cdc76

    SHA256

    f28824671388afbeb94281db3eaf579803a2300e63f5630164c88ff8bfaaf7b3

    SHA512

    4036ee89df44c0330e8bf66bcf542045e1a428e338bc27617239dc585fb1e3ae238ab4507bfd94c1f7226e1d019924a877d84080991a2403664d6d21cf5d0ad9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ce022d93514ae10ff9a26feb8344a9b9

    SHA1

    f2362a6731a0e8abbcd1ea49ea73e233f56fc7b3

    SHA256

    6279888be64cd724975259d89b16149750b2e44c36e1a520704f1a4a2299cd56

    SHA512

    78ff631b66bf0e8143950e12cbaccd048b655b0bde8ba7e67c3bd149321d767c1ce7d2bc9762e757c344acdb378f0ce544deba67e0dacd2aff0e5b7994a3b533

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    08fbefc4a6933ff1df261273247d3ee4

    SHA1

    9357a74873c6ae62913f8318aebaceb1b6c22794

    SHA256

    9e8d343592897d9d32be615eddce0888a638666954ba12c57da429793c4006ca

    SHA512

    a0704f3dd2040e08890fbdc1e8fc47a94e94354cfa53b2d26110758935302d809f4655f919423ef933b3247f49e8e256f74863626442a81649bb9896fb6c197e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cfd3900d8c6790c900c00eba2cbe28eb

    SHA1

    aed569c83d55816e186cfb4c8479b171d620ec92

    SHA256

    32a8c659411eed459aa88c91283b4019983cd57ade349246fc27364485edff41

    SHA512

    c836d45bcdb4865985039149dd257f832b046e3f54d4ea139e8f091e5240aca6c19b33412105155ddba7c5431237cd34b1a56462252ad29447c0978449affde6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1ae77244658e871e5456bbb6b63c5b83

    SHA1

    cedc9f88f46e64dc9cd3992eb9c7f0a7b7a9da0c

    SHA256

    50b9844a3b7c58740be9b2776abfcd2f05812c377087721450e78711526d282d

    SHA512

    430eb03db7531d043705786782404945dca114fd38857c0f382626257730c2c1bd61a09cdf8dd19ccb4246806dcec51aaefe181468f6cae1151df578571c5060

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e6026f0ef3e6edf746e71898b19dc3e6

    SHA1

    8602c999c16d4a0e80cb9324c1b007ff6338af1d

    SHA256

    edccf8a43c2004ee31264eb947bf6460a1b864488f024d8be33acbd6872a2cf7

    SHA512

    32e68c8824716910e7919c40015d6b06147daf0a663a5ed727d1b505be8ce328008d07ede23c59d82ea731f9f6863ec57591d627d088194dde4722a335bf445d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    047ac2a360c287b15b6c41a356d37a58

    SHA1

    c83fd72e2d336c15841077efbe5f63535149fb28

    SHA256

    0b0a1b5790bee4e502fda4fbb99506cd641556cee3a1310a5c11ff90e64e2987

    SHA512

    dfa65929e0e173c9c524a69895be03effd3c3b37d8755b34582311b3d347694a1b142f1db3cd91d2ebb9bfe3bb3585ab3e5d6bd65c967e5fe40df5d55ed4f595

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1c6bdd6898d336eebc583e23a3fa82f0

    SHA1

    8b00b2d5d6220197e89e5f4f581c774763699697

    SHA256

    b2ef3a87be6f029c901d2a3a14ed924d01e050ae2943a80e93a164e9daddd6a0

    SHA512

    7d8a50b12b6104f19c203df471fc315cc54766367fcc8538e18c0ced76b98df926192c4383023644e4fd0c99b669294851243b13f6f72b79810bae004bbf1a3f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e4ed5360db851e7ccbf81e7d3cdb2959

    SHA1

    25d07d019967487a591c03c5245340d12cc7c18f

    SHA256

    628dd75e7c668fe50c93aae380c2e515f2c1421a2af9a5e3dcaccfac8737e0df

    SHA512

    2a1036985e625a23d2fe7e4fba68bd4c7bc9da5754197b28d85d622139affde987cc37f72fba5a8e3632695351dbfc4927fb0e48c9263708027d9f860115f89c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2c39227ca25cffb7be8a8361be2f7e6d

    SHA1

    fd1203a1b4bf1db022987f6237ff38271deabd15

    SHA256

    4a4e45f3517db85eedbc0d8f1055c4d5ef6ccfb91c0546b6e23d847fca36f490

    SHA512

    47b724ab22b6618a5e0ed1bd1f476d1f11e16f993e9b69f4e3c6b86a7e1f929cf31a7a228e847fceb287cb7ac1ebdcb0e4483e3ad8ad5186ca050364d0ece03d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b5597d492beedd3ddaed31e04bbb1f28

    SHA1

    35fa5796430cb095dc65de6bf177d64ad1332b62

    SHA256

    1035ce026388f993a17e8789ee068c672caac8dd663577e5d246e4f149180a7b

    SHA512

    eb5d9c1917ea8eadc4db9a42f5e83515af2bc4307112cb6aee52e2d7d6ff2224239dcb4089c0ef9362b3b01644f3994c3eb926aab5487151485c8ec1f5d90783

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e75891d87ccf6e2ab40c369428357acd

    SHA1

    9c16cf941b70b65b60e6a20a324083e413967d58

    SHA256

    8e50ad658e017174c5303276a665c43790b521a8ee9cc348e0052999799757c0

    SHA512

    018815dcea1db93aea8a21786fea3be8eafeb01ad4444f237c1161c4607d025b5f991086c5f513e335871f5e3070ca8aba2fd345b01fd252f8dcd661329bfe4d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    91ecedf6f498d58fcfd620cf85ae01a3

    SHA1

    869beb3b5f90917fd4ea6b3dc62d97dd9a2c6e58

    SHA256

    9bd4a6ef14f15aaa932e771657e65d0ad774979eda90e61fc6eb3377ab6095ba

    SHA512

    c45e177fea182efbd9f9238bc052c52e0ff4203a573e2fbcdac4040e26c9a3b943850db99f2fee5dee3fb63470ff1b350d40d74b9e11979318d645e123fb5329

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ca271b7f1aaf9303366c6447ac383202

    SHA1

    10e560b8e102d4ee995ff9494180d9078bfb3e31

    SHA256

    0e1ec0519705fa35909d8695a1c1620773fc958db77baf9e4937fa8ac1f4acb5

    SHA512

    580991f9259ce5a9297977da3b7488ab83bf703e44e74b2fa424bc0d6cc5862aa270e03d7f5da40ebddb8bca4e0cac6ccc9ffd93a5cc7ae4be84a88d52f94e33

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    346f747fef6be21595a668fc850a9cbd

    SHA1

    d49516ffaea7838a126570be0ff9446ff13e09a3

    SHA256

    d532d52f70acc5023deb58f6f00ee60de854dd4c6af6b29826eacb39fbe48d9e

    SHA512

    b2479559b634b9f7484fbd11190a4ec49afa7e4810f3b24ec3dd1244afdf2fe03fdf4a1daf78c18678f08eaf3d7e1c06131136fb2e47ae21dfc4eabe1b354b28

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a039ebc51065c32e319eeb4620af9806

    SHA1

    c5fcf3e8e8a5283fdb0622244f56ff1d8ccceee6

    SHA256

    d05beb42f51cf1ad843616530503f51b623ff5ecb5c1a707555de9598c8efb49

    SHA512

    7f9dbea31e171ef44b863aa3de2fb6b744cb3e9b65021196730b19309a4ea2bf70a18fc55e10371f030c090981fef8689ff292be468e0e119f5d69de0ab5ecb8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c4a2557a2712952aac8903e90fc45097

    SHA1

    2db6d4ac067ebaa10605f38df59fda5e18b6c758

    SHA256

    d7a2a3c50959d6de63e27e2d02909973c9bc1d9ad5e57fceffc13307d19b5c64

    SHA512

    df88e960f0df0889907008ab425e58641a76ddc5cf85c4449ac3f30db8654aafd0319a7ba758e1a0550ead8042533c06264f2f74e272f3a84e875c6b0fbe3f73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictorSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabFE5D.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarFF0D.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2025-01-14_2ea92aef62e2e3442061bfac63200d82_icedid_ramnit_ruftar_strictor.~tmp
    Filesize

    7.6MB

    MD5

    7dad81914d8bb0bf4fcabf067305a999

    SHA1

    602440c638cd7b5cfa3d666bf5b145ebf8e954df

    SHA256

    10244d53e27a2385c491ef411f029ee07aec3baf087b665010a624d51a31965b

    SHA512

    cf61740bb07a2244b9aa28df4e86b1d9869568fdf2a676737c2e8da3e34998ba87566969bde5839382f6913c44277819621610fba402c14118174555de66e12d

    Download Submit

  • \Windows\SysWOW64\drivers\lsass.exe
    Filesize

    32KB

    MD5

    c451134261557ae5fe1ee308d0ae1b98

    SHA1

    e55a9ddd2e3b3083a76d091b13748f55c2caeae3

    SHA256

    c5eb765654730a8a3dc53997549d97542b419cc5f3fccb9d4a487d1a04dd6481

    SHA512

    5e9606529d2fea3ac3932f7f08fddc13497f9b3dfe66d61dfa14a68cd37d12cb40dd2a7071c6d8db346cfceded2b2947ec1d3c0291b15d250b75aee7adf52be3

    Download Submit

  • memory/2568-189-0x0000000000B10000-0x00000000012B7000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2568-26-0x0000000000140000-0x000000000016E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2568-22-0x0000000000B10000-0x00000000012B7000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2708-39-0x0000000002BB0000-0x0000000003357000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2708-16-0x0000000002BB0000-0x0000000003357000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2816-28-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2816-25-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2816-24-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2824-36-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-38-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2824-34-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2860-469-0x00000000003D0000-0x00000000003D2000-memory.dmp

    Filesize

    8KB

    Download