Overview

overview

10

Static

static

3

3ac11012aa...34.exe

windows7-x64

10

3ac11012aa...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe

  • Size

    8.0MB

  • MD5

    27038a95bd4709a40755ae920e606b03

  • SHA1

    6c5586ff2404b8ea37e5b3ac8ead7b778a6f2d9a

  • SHA256

    3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34

  • SHA512

    bc108a0f98ab58e77dced11492e880a36ea3578c2c910c759e557a9bae4ff309df2f4b477ce9c8d88d3d3b760ab870a38faf072b61294c79d815fb3e5856fa64

  • SSDEEP

    49152:dc75uCs+mC5d9CjZPl+jD63UxrWvNE+XJmJO5byML3GtHsEO+rTBtAYc1wxWRmri:dc77HBAdZN1fyMWzYZ/XOr

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
      C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
        C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:384
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1072
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3660
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    fdba1e1aaafa78dc1bc5319f2afb6f86

    SHA1

    5432b1fa5f940052c9f9117307b2c97a7950cab2

    SHA256

    83c001e05993c8e603aec23cc4fa21a1515943496a69e18ab4a1196294b5354d

    SHA512

    ad7a1db5d9f4ac4edc07dfaacd2dd5aa15d8e228b2e096f9add822e4be84c66db28729583f9fdd5ae4f20fe685854cf2c35ced250a19df3b001c7b563c78a13e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    e14321c320b3cbd5cf35c25698050229

    SHA1

    1c52bb08f8b1e860309a62b621e6ac7da696ac94

    SHA256

    c502cfdd7a199bfb2fb26d51ec96d39a03b3e3c6568c959dac292be9ab80c5ae

    SHA512

    0156215c61f51c388767a646092095bcbbd25ad53cdf1bb62aab11dbac45a193adb0a747d8fe2011b56b71fe51be2ae1ca004b840044cd2b03aeed77d1ead9b9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    e3db10d092dd31aa80adc809b2453f52

    SHA1

    8f7c9bfb2d632b4e847211fadead9223da572d74

    SHA256

    74cfd8563a57217b6fba11d0d876fc2c96cee5b5e289f7e18a653578a7283c96

    SHA512

    6c9397aea2613c089e0159137dfc7b71230633a195c5c27087c2435b2bdbceab100b386a96850577ab5567e47ae0285086094c3693512404c7114a0a55fe171c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    9251acf234b841478b2b099668ebc454

    SHA1

    61028c500a3e3be5ad3ac558d0d3ed1ffdeb47e2

    SHA256

    da219bbee8af0eff75996b84c0c3dd1b6e588090f39dd236f27e3339b3634f82

    SHA512

    516f85bfd1457b8f5775f24812c2f585e9bd4bec00d01bd30c2d3c7e9245796810bd73c00bf5dcd2391fe2ecf847e3e5cd24cf1aeb6f822d100c546fef82d25b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CE76889-D311-11EF-91C3-E6FB6C85BB83}.dat
    Filesize

    4KB

    MD5

    e7a5dffe81f3324710874995533c9830

    SHA1

    dda38540d7ba32928e2c7f95a035771fb7ac09e8

    SHA256

    d7b4ca1a884c996e9541ee09f48de775b676bbde3b8067f4254288ebe12aa9e2

    SHA512

    aa74491524b8d83dd119736e7753381e0ef0784537f543535b2e84b3edaa168c6fffcf056d14c1723d1c5a3915990b41b51e075f8107ddc11074d459628688b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CF5B633-D311-11EF-91C3-E6FB6C85BB83}.dat
    Filesize

    5KB

    MD5

    105dd796e4dfda6c3f78c6f42fb29b36

    SHA1

    27f0df3a9334a9e0fd8c8042737f926c339b4c10

    SHA256

    dfdd5300864c602452b6dcd722c34178f7b54d799ad99960a71fc6617ce598b8

    SHA512

    275d1703850f2cbb5413e8521c2d9b5daed1a68ae02022cfdabc179a426cdfa5ee03890cf1e644e460c0a51ad4d26a9d2f28ae392e7b6738c10f1403b2c54567

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CF81895-D311-11EF-91C3-E6FB6C85BB83}.dat
    Filesize

    5KB

    MD5

    5bc4d0e06b06fd41955c27d11a26b85c

    SHA1

    489e119c16d176ce6e56e9589fe78f8cc227cc6e

    SHA256

    73de5bd52106a0ee68f8500a2794a2c06f0cab341d5a5ac4bc9d63129f9feca9

    SHA512

    871d63067cb65f7dfb5f3278a67d391275e2b19c6b2aa3a1eb2c3cb1c32ed6069d26b404e113202c7ec23281e51ec538cb339a74078f81c561d7463ede2f4443

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
    Filesize

    111KB

    MD5

    ccc937bcd06f7bfa99abbdf16d4af87b

    SHA1

    22c08152fa73d1d055919283604fcf4685ba0e9a

    SHA256

    6841eefc56ca10ac8b40a71b23f471fa4fc36d71f19fb0bbfe548035f9cdab27

    SHA512

    875e2cdf0d158e00684d6a30b4adebb7f18c6f2918fa2328eddae173193cabe111badb72ce354cec223b409d713356854bf6125103bb06bd0496d9e615095d4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/1912-33-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1912-25-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1912-23-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-29-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1972-28-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-27-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3552-34-0x0000000000570000-0x0000000000D79000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/3552-1-0x0000000000570000-0x0000000000D79000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/4988-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4988-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4988-15-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4988-16-0x0000000000590000-0x0000000000591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5080-13-0x0000000000450000-0x000000000045F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/5080-14-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/5080-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download