Overview

overview

10

Static

static

3

778ca73699...da.exe

windows7-x64

10

778ca73699...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    778ca736990c712c5eb464234f1d05904fd75d969556ad9cbe262070d0352bda.exe

  • Size

    88KB

  • MD5

    ef33fe40bcb4caac404839d83889f250

  • SHA1

    002b7951e8e836f446dabd81cb894fa8b9e1b864

  • SHA256

    778ca736990c712c5eb464234f1d05904fd75d969556ad9cbe262070d0352bda

  • SHA512

    f58f9c4ec34e074305af7b13646a3887d986a673932ff7d4524bee1c23b630db638f09c395e2fb1c2a4811bb0d4fb46852f3422e556c271a447ec665f84cc087

  • SSDEEP

    768:w06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9j:+R0vxn3Pc0LCH9MtbvabUDzJYWu3BE

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\778ca736990c712c5eb464234f1d05904fd75d969556ad9cbe262070d0352bda.exe
    "C:\Users\Admin\AppData\Local\Temp\778ca736990c712c5eb464234f1d05904fd75d969556ad9cbe262070d0352bda.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:628
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 204
            4⤵
            • Program crash
            PID:2536
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3440
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:672
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2388
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628
      1⤵
        PID:2624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        88KB

        MD5

        ef33fe40bcb4caac404839d83889f250

        SHA1

        002b7951e8e836f446dabd81cb894fa8b9e1b864

        SHA256

        778ca736990c712c5eb464234f1d05904fd75d969556ad9cbe262070d0352bda

        SHA512

        f58f9c4ec34e074305af7b13646a3887d986a673932ff7d4524bee1c23b630db638f09c395e2fb1c2a4811bb0d4fb46852f3422e556c271a447ec665f84cc087

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        0ada2095c461df5a751955aa41dd491e

        SHA1

        8366c54b31e1ddc8016aa22aab8c83f73c690810

        SHA256

        80cd542688ed3a45669b53243c3f4922d6eb21a34d8dfeebc6c101484d3bac09

        SHA512

        135991affe343d4358bb15a693effa7a6813d6715e555729d2aa04a98555e13fded55d3100a41a92a5beb57c68fbdacb199a3e66407944e37880b28d42d79e7c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        58c02ebaa5ec530fbd365dd2db258ca4

        SHA1

        d1ac476792a33fefccb92b94514851fc8306e333

        SHA256

        3367eacf22f361d0af259df1ff44a7fb0f1186ca54080c02e6cf3b143bc22418

        SHA512

        5ceaa01c6cff3431c63babcada51c3da9ae7fadeca8787c199178443a233f4fb0d59f85d09b0fd669fe850bbd7a7ace5b6075e72899a68ede4f5a15cd82a554e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92AB3C09-D73D-11EF-A7EA-F6235BFAC6D3}.dat
        Filesize

        3KB

        MD5

        8cae65e954aff8ddb37871e35e13d158

        SHA1

        18ca7b0ae69ecb4ed11845e792e88150bbabc9c0

        SHA256

        108b95718124128d440e65c64f272833d73513d34a50aa8e1f23ebb794ae7096

        SHA512

        82002e3d4b8b793cddadfecbd2844718f1c61edf4ba2b0ef097b8f9ff7a183cc323a2f742d669a6abc75b3fd8410612416bc18a15fb9255bc4b333660ac2033c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92B00219-D73D-11EF-A7EA-F6235BFAC6D3}.dat
        Filesize

        5KB

        MD5

        127545f577608c54e3636aba41a3e6c7

        SHA1

        9c30560c96047bf368b070c73936ff733f2609c1

        SHA256

        e2689943d0d3adef9a02539a411d1711bdf909524669fa021195ce20f72f2357

        SHA512

        8ebdf1ad5d5a2068074f2f84a2b5ef6c74c3af7928721d546d860648723e3d0c2879563f768586253000e05c323161470c653d05f9680da0efdedc057f2bf784

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/628-32-0x0000000000A10000-0x0000000000A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/628-31-0x0000000000A30000-0x0000000000A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-17-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/3848-28-0x0000000077252000-0x0000000077253000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3848-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3848-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3848-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3848-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-34-0x0000000077252000-0x0000000077253000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4004-0-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/4004-8-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4004-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4004-2-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/4004-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download