Overview

overview

10

Static

static

3

18fbcd1063...aN.exe

windows7-x64

3

18fbcd1063...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18fbcd1063ce3bf6f652b1e9115aea48236ba80c3344d1107672c8cad9b6b9aaN.exe

  • Size

    92KB

  • MD5

    8fbf23d29c72c820871f0a3c8a530e60

  • SHA1

    96d99798cad1a8655f0f37463aca1f72e9daf3f0

  • SHA256

    18fbcd1063ce3bf6f652b1e9115aea48236ba80c3344d1107672c8cad9b6b9aa

  • SHA512

    b891ad198057089e929c4c57cbd62a480b7c61999ebfa9842391daf1344dc76bc44a94e6f4978deea51e78a01c255f85279b04bb50a37774e190cec2934808a7

  • SSDEEP

    1536:DVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApX:bnxwgxgfR/DVG7wBpX

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18fbcd1063ce3bf6f652b1e9115aea48236ba80c3344d1107672c8cad9b6b9aaN.exe
    "C:\Users\Admin\AppData\Local\Temp\18fbcd1063ce3bf6f652b1e9115aea48236ba80c3344d1107672c8cad9b6b9aaN.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2212
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 208
            4⤵
            • Program crash
            PID:3488
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3924 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4896
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2212 -ip 2212
      1⤵
        PID:4700

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        92KB

        MD5

        8fbf23d29c72c820871f0a3c8a530e60

        SHA1

        96d99798cad1a8655f0f37463aca1f72e9daf3f0

        SHA256

        18fbcd1063ce3bf6f652b1e9115aea48236ba80c3344d1107672c8cad9b6b9aa

        SHA512

        b891ad198057089e929c4c57cbd62a480b7c61999ebfa9842391daf1344dc76bc44a94e6f4978deea51e78a01c255f85279b04bb50a37774e190cec2934808a7

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        2c48c73220d62a8faffe599e95896274

        SHA1

        452cd4222360fe7e881055d815ec65a2bbac564b

        SHA256

        35a3978f9dea3056b0c4a0a1945d785bb7a0022484782f414fa9ffa04f3d5967

        SHA512

        6547f2798297acc7ac11506328ef05f29074655f3e5a60adb188106c769806a2b1a8a15c7bd38c39da560df7df953798561398245667095536fc5748692cc9d8

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        e65be67e7027ba83dd8b54b9a3ea5ba5

        SHA1

        888cf55e66af116034b9fa9f354c629639f2409e

        SHA256

        be89df23af844408d7e13793c0483aa8c7bd75d9f7ce18908d5753cd2a5dcf71

        SHA512

        4bd549f006b87c188c0781210be21be3d319ca66121de08dde6b74cd41749b4a0ef701aca38a91c87a2202e154a678f0de27d1dfb9e518481ccb508f0f1481c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F6D27CB2-D8FA-11EF-B319-CE95CE932DF6}.dat
        Filesize

        3KB

        MD5

        e310c3c699582d6135855a49df831357

        SHA1

        03223604de0da9516f4d96f8a2f30519cc0f92ee

        SHA256

        79b9b6c28ad023fe8b6e83a71248c71290bb2c20680c9c72547f4868ef60c0f4

        SHA512

        6e3dff31464c85d1b3db25923113b47ef8b508b47fcd1b20df2879c938a8333436a737c99d0052944eb8336ef333865e728f3b5996fc2ad56b4ee8dbd133998c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F6D4DEFD-D8FA-11EF-B319-CE95CE932DF6}.dat
        Filesize

        5KB

        MD5

        8f6ed60afff98edeb71ee84783cc2941

        SHA1

        0dadc79149cc5a6a279dec5e217fddcba0b5bc32

        SHA256

        254755eb05a76c7825bcee5f06a874aaf6cfa51e3e3b00edbd0bf6e311a09fc3

        SHA512

        87cbcb0308c9ba05e8c8550b4e3167730380d794173c934d7f4334e21172286edf05eda86e4c3636d359a9da54873c6e0041f9d081e22e3f471eedf9b55c83ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/2212-32-0x00000000008E0000-0x00000000008E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2212-33-0x00000000008C0000-0x00000000008C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-36-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2776-37-0x0000000077B32000-0x0000000077B33000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-35-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2776-19-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2776-20-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2776-34-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/2776-30-0x0000000077B32000-0x0000000077B33000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2776-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2776-29-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4636-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-17-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4636-4-0x00000000008F0000-0x00000000008F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4636-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-0-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/4636-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4636-2-0x0000000000400000-0x0000000000431000-memory.dmp

        Filesize

        196KB

        Download

      • memory/4636-1-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download