Overview

overview

10

Static

static

3

3ac11012aa...34.exe

windows7-x64

10

3ac11012aa...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe

  • Size

    8.0MB

  • MD5

    27038a95bd4709a40755ae920e606b03

  • SHA1

    6c5586ff2404b8ea37e5b3ac8ead7b778a6f2d9a

  • SHA256

    3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34

  • SHA512

    bc108a0f98ab58e77dced11492e880a36ea3578c2c910c759e557a9bae4ff309df2f4b477ce9c8d88d3d3b760ab870a38faf072b61294c79d815fb3e5856fa64

  • SSDEEP

    49152:dc75uCs+mC5d9CjZPl+jD63UxrWvNE+XJmJO5byML3GtHsEO+rTBtAYc1wxWRmri:dc77HBAdZN1fyMWzYZ/XOr

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
      C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
        C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4736
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3980
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3980 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:228
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3156
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3156 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    fdba1e1aaafa78dc1bc5319f2afb6f86

    SHA1

    5432b1fa5f940052c9f9117307b2c97a7950cab2

    SHA256

    83c001e05993c8e603aec23cc4fa21a1515943496a69e18ab4a1196294b5354d

    SHA512

    ad7a1db5d9f4ac4edc07dfaacd2dd5aa15d8e228b2e096f9add822e4be84c66db28729583f9fdd5ae4f20fe685854cf2c35ced250a19df3b001c7b563c78a13e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    b0af16f38a0016b1e2bc010b22314420

    SHA1

    09a872cc857722c9407498c59fee5af061e8bcdb

    SHA256

    04e38e058ed46415ac3735a73b977ce86c11e00afdcc59a3044d86c6dc64a894

    SHA512

    6fe0971bbcd1b7e5de0861f5337f1127e21f03ed83aabd4a8743f4b5435bf29cf86479e92288d6f99775e4fb0ceb654b19101604d86141e616559ec8abcf205d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    e7ccaf0a832c7237909b02e5091b790b

    SHA1

    ef406efe5aa2dc808de9495ce4fc36fd54be2745

    SHA256

    1351ec135a0e84a1b055a884e0f55660b9a5899ffe996f20fcbaa2a82d8ea046

    SHA512

    223477214202a146ad6f2cde5819bf11ab3437214db4d274b03e2a0757977595c3eee62b9491534850525c76a73a3a50227b425d31271b8099207d6c474d0619

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    2619e0708b1f2525115dac3e7789c0c5

    SHA1

    b0cb07e025766de485671807481f2cc668b84feb

    SHA256

    4e2dfc102fcb4b8d4f37982d01d5f5a43af5e6cca17aee0e7b78f4266b47f9e9

    SHA512

    bd76e941acbdd4bf4411d382cdfd8238f0375ed54c043dda93bcbe8ffe5b0bb626b26dc6b4928f32cf2e27677e0fbd12e0c6b464846ab575484598497f60f406

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    a78233f60e96921cbc0bfe6abf58dea4

    SHA1

    446e050a9f9cc919960771c044073db44700e32f

    SHA256

    473609cf82bf0889e8bd2de65ae5f5edce231f3cfe3e32b108bcc5ab60484a0b

    SHA512

    bc8ab33ecff2874a60b44b899622f57cd61875e2507704b509cd959998ded29857557f902be5762271eafb397412c26d9e7178c73a90202f6fe2ba0eeed0658e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19880E1C-D30F-11EF-B9D5-D6A59BC41F9D}.dat
    Filesize

    3KB

    MD5

    519bbd07ea827093ef1c2c71cb5dd5f5

    SHA1

    526055ce44d6adbd035d04ee8fbac8b39ceed7a8

    SHA256

    0082f1f5fe44c2e612f806e267d65f380bf7d962b4d536fafc292c0e75328c36

    SHA512

    6884ffe5d15f01b50b224bf00b061fbb6a1ef72a53490f2f736f8bfadd21c99ac82e7e12e4d82d26a19f270a5c06cfe4d78ea955d3042b9cc5226fae83b2554d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19880E1C-D30F-11EF-B9D5-D6A59BC41F9D}.dat
    Filesize

    5KB

    MD5

    f735ef73c1cd05685dc276b371a3b960

    SHA1

    baa7e26026c238b1cbd6284cf8504dc3b41233b3

    SHA256

    cc26a745f4435ec39378ce793948bab575a231dac35a89571afbe1290685f099

    SHA512

    44b3dc184e12555909b9c4e1dde84a64165df3d4901064e5933aa60d406d2375b0280f2da77707a0a53fc2f3bee54a9d07b4ff0ce75f46443c32e20cd8fe1e31

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{198CD310-D30F-11EF-B9D5-D6A59BC41F9D}.dat
    Filesize

    3KB

    MD5

    09a22cec3f717dbad47db80c2e3ef2f6

    SHA1

    190124b199b93fd863c005f3f19b799d15017bbd

    SHA256

    1bd4cb3137fb1223ba5a3591d9207f781bd27243e0028c610bfb931dbd406db1

    SHA512

    f06e03f5c77f496aae81ee89631fdc9a6413ca8f1da2c906cd99640558aeea553345ce5500f3d3e29c2d0c997e1cba56b9183e5833edda805e8d344cfb411503

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
    Filesize

    111KB

    MD5

    ccc937bcd06f7bfa99abbdf16d4af87b

    SHA1

    22c08152fa73d1d055919283604fcf4685ba0e9a

    SHA256

    6841eefc56ca10ac8b40a71b23f471fa4fc36d71f19fb0bbfe548035f9cdab27

    SHA512

    875e2cdf0d158e00684d6a30b4adebb7f18c6f2918fa2328eddae173193cabe111badb72ce354cec223b409d713356854bf6125103bb06bd0496d9e615095d4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/612-31-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/612-22-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/612-21-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/612-19-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/844-24-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/844-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/844-25-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/844-26-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2924-11-0x0000000000440000-0x000000000044F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2924-12-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2924-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3140-0-0x0000000000670000-0x0000000000E79000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/3140-34-0x0000000000670000-0x0000000000E79000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/4664-28-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4664-33-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download