Overview

overview

10

Static

static

10

2025-02-27...ch.exe

windows7-x64

10

2025-02-27...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe

  • Size

    3.8MB

  • MD5

    04ba1382d3b32b13b5be3e1dc1bf9a0c

  • SHA1

    e10fbf5f3b3c4f8a948471346e3db15fd8743490

  • SHA256

    471ed649fe4f91930ff3b2dcbd14c47904975844a22269635deda338e2bc8498

  • SHA512

    f7152d5684655decd1896d97014641522153e0e648abb279029a48b9a7f50e27be3b9eff31ac8889735302e561a25a9cde9a8dd4eed580453068260e1c7b7143

  • SSDEEP

    49152:TcV8Ytr1dhrwierOjeAzBruTqQt02+Pg1:TWrHh28gqQ+Q

Score
10/10
ramnitzebrocybackdoorbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    trojanbackdoorzebrocy
  • Zebrocy Go Variant 2 IoCs
  • Zebrocy family
    zebrocy
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2896
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    097762d98ed9d932614cef4fba4bbcd3

    SHA1

    94dfd4fe19ff3c2254f9f6ba0252432b3589af8d

    SHA256

    d9c89094296c6bf296ba00c3bed1ec210ef933f341a26f78d2df7cc5441a472c

    SHA512

    d94ccdaa69868672d5bbbc90c78efe0880c2c0ce653f7368159400b6ceff46e29a831b84fda1e253228202764de41e7855fa236f78f2d975342538be24adb76d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cee2c4c86f680994901eccefd77420fa

    SHA1

    b053ac533c89b8d7c5af3b18b05ae10a99abdf7e

    SHA256

    b981e9b73fde7491e5b8444508dc0d7d9194fc5865fb176f0308d6d2e081ec9b

    SHA512

    17d04f023db69ab05fb7b6900f4a9f3ac700cc080506b2a8d3ec07c1862d0db010322606bed74a58f1a47cc39ffb4710f9611124807bf958d9edebbf51a7e192

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    eb107d4984cbc186e34f5dd5b158e41c

    SHA1

    171b84a9d211522b94bf48f4ef04ba8ef8a5ca0f

    SHA256

    acd55fe7c24a32d4755d873601aecbe185d463f48485ff73cd0006bd9aa5c02c

    SHA512

    9f6aee9ca9f65fb6bbba547d9947ad3e7b9081ae2797e696c775851fa3b59e542ef3dbdeaf3cfc5ab47251cbc43ae847363eebd26eb2965cd8df5856c56c8612

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    037e29660345bc37a65eb0d45b033748

    SHA1

    04dd807cd45e5c660f38b4928aaebbc4cc33c724

    SHA256

    f39b8ce52884402b625f3a7f5ccfe3e142e814d92fbcb14a2b9a336a08150070

    SHA512

    0b988b3ea05d0c51346fcbe61260248776b27aec9405d941976d1dbc74163690408281c493de352704cb15363820e9778bd49b082a21ef89661a35ee0f70b3da

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6355770aabbf8db00f173e773fb197fc

    SHA1

    5a3d7aa3102a91487ae04b258866e3b5505c2670

    SHA256

    6fe0d4894d768d698251ea92acfac4f8664b2fed900ecc12a7bb56d11630148f

    SHA512

    c6d69f29130e4b54ab7d89fb376fca1323390ed6bff804a886b7879e63d2a068417b7c15532e0cd0491e6fa9b6cd4bb791f74f5a543652ed8aa65a8d8c5dbe17

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5cd9a0a9e17e00fadd62570f28429c68

    SHA1

    22c7125e48ca28b197e98ab1225f0096991af92d

    SHA256

    04fa239597719a57a8b75cfd7d8d34a1f2891e14ccb8c113da237ec442d31b3d

    SHA512

    75b453eb9133dacafe1b677655951b3e124ee05a80646187ff2538aa90e8bc28766c9c15fc55fea9e66a5ebd89eecc7a648d208a7d426fadf0055e75936e307e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e644a13147248775ee6dc2a304e3e93c

    SHA1

    ecddbb23a17706c91ae8d354c3c5d95d88d264e0

    SHA256

    8d16437f743a452bf41c97ecbe257ce87a4f9ef8d4759496fa623a11f12a718b

    SHA512

    0029b927d1c0149bb8a1290bc830878b5e1dfe8e83e2407da42366b12f30e1d0ccb5039541963398c40c5abfa47622bb5fbbb113b92682a836ae14ad78eb8fef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9bb06f24560eee9e7930e8887c301222

    SHA1

    3becd3f5fd1e9e660d59060281567ccb52dac004

    SHA256

    e5a252d0edd84a843f56aac75beeb80c58c1989c6f5abdbc72db83fc0c2afbe7

    SHA512

    6d104cf392e9e5b7cf054a3f32cf89a3647cd53146abb0e7f7546c928a36be9ad6c1e925482dda6461bda86ed8dd1f1b2943180cf56a191e6915d4ccc635eda2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    906b0b47c26266f002148d57dc7a5ab7

    SHA1

    4786eba82bf7a38e734b0f020bc79231746298e5

    SHA256

    3049f088bdd9dd44d4c90e3af2828d31a4d01439239be927c5ac02ff6164a08c

    SHA512

    06aad58efa35f28024ae8558c1e003976de89dc742f3c556e9f5b155f5baabe0b0617cfc262ad43b403f75512ae3ae2dc72119d9901e0e41b2defcd79c1491a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    75410bee189c6fd6bfdc2639d2ce8039

    SHA1

    dcbda24b81b02b2dcc71dd888359cd515bf8a8e4

    SHA256

    3b4d7f19d292a7a71a8c84b0e694d3286090b9984e1bd698133ae7626369494a

    SHA512

    921a0a9e013c266589e68f26999cc4f53bd9bb9582381a5d23697614ad7b150a31ea44461126a706dfb529a0805898f05b684c39230d48f9898516f575aab3f6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    77c46b360ba9930bece0fdf22334f17a

    SHA1

    3b3f3de876a4c40e133a538d93a05c38b65a198e

    SHA256

    eab20a672b953d53e65d79a14850a0fbc06518c7f3bbb186ef6c9b874e050d88

    SHA512

    a8fb8394565fafbf4bc64b894dfcc941131a7e5feb8764cf23124f09f70025fe787f2fdd8d2ed61a4d3a0157ef038372989828eecfe0d53513b0e39545735f74

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cd63a3ad84ec96235713f91429032fa3

    SHA1

    b7d5eeeff1f48d6902a0b90f8a4486caa953966e

    SHA256

    e1a84f9fdaecd38602860e70f96df811746c4bdc9ba2f7498867fc79d362bda5

    SHA512

    4db5d34615cb8231012cd7c07330072df45f7f500208a6f62498776e8014b746a932bf3ffebff6dedc3f3677f3895afcd9f8709c6dceb6d84225fee18848a117

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5b898b1475769abca664dedbfccc686e

    SHA1

    7e2d7a3c70410324feacb8cfa160e85ac2fe2b98

    SHA256

    7b7332bd5983ea901878fac7dcee82afb0a6a2b784df6371b2fada15bc77e745

    SHA512

    dccc922484f37db121262ddb58be38b1861d9750114b126aa64f862b3ac0d3060b211e5dfbf3c7eb46f5f3f4a689501870ea2ee249c8040eca17a4b68bcfeeec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c3e0302d69730df33a07936727f1f25b

    SHA1

    a0faa6bfdb46e59b94225ce433ea163bb6bc260e

    SHA256

    f683bf7440a067e18ae5b3f99291f07c5748e09e60af5ec98632af0517c7cd90

    SHA512

    0492ae482c60a0570fcf70223502bc49a75b06a0e60d7d4b589bb668ec72341ef6c61a9dc47584c825938db5f72baf5b6be6dfda248e1a759c24426dc258aef9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    17751acdaac5a28c74bb39aff1d88ae8

    SHA1

    988b530a7ee9c9cde7a70c6259c475f381967779

    SHA256

    f2caa4f9629b527f16af9e4f8727c57696173dcc051cd6992e6111992409bc05

    SHA512

    1877c9203a2fa774183f3289fd824b2b77cb943bce8a82b8e9c8b0385da343a91b321682cf2cc2263ed61532dc0524cc209ef5c3443e469d53c22928c625124f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    33b11120fda7bc46ae7984dfcd5ee877

    SHA1

    75a222939125aeb52d7a78e34e215affc3426374

    SHA256

    6046c824f76e742c69b55a60113e0dae48bd4d2b40f83dddddc9954fa5f84fe1

    SHA512

    40fdbc643d83d04e7c548c1df9b7c253a41d54c8d5e98314e3f1a3d7435777449e5ec2ba53701b2d9b232a17a3b88838b8dd749a4e048447f5ec0cabb1743494

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3924DA41-F4D3-11EF-B525-D686196AC2C0}.dat
    Filesize

    5KB

    MD5

    25ac8691865ba4a64881babcc3ebdf3e

    SHA1

    428672121e121045c35bbd7629f41c0611d0ff88

    SHA256

    5b24eea2f20cde4053acb01f33ceab6e2144c19feee1605d9227740b70f99776

    SHA512

    478a2616bdaf97ae874be7066366146c40423e9c7f433d0d58d8530f14dabf08c17a2582db73dfac7f2c6429044285d1dc89a1ae1f908756533d25c9b211b571

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3926AF01-F4D3-11EF-B525-D686196AC2C0}.dat
    Filesize

    4KB

    MD5

    4fe80bd074961bcdc4cc8ce072de7aec

    SHA1

    7b17e97ab2c600097f130a8d75d4676c835676c2

    SHA256

    82af3a4616c8d13e2c513a7f9b1fdd85463f371f4c9269e457c67b1d89f24c38

    SHA512

    5eeb6c6a5b2cfa366332c38fd9aa7814fbc212362e1558a7eeffe387c66885774ffb3c0826371ffcb40288889451fbacd0baca3fadb76e175a2da81da3fe0b92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabEE09.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarEE9D.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/536-9-0x0000000000310000-0x000000000036D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/536-8-0x0000000000310000-0x000000000036D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/536-18-0x0000000000400000-0x00000000007EB000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/536-1-0x0000000000400000-0x00000000007EB000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2052-17-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2052-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-14-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2052-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-13-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2052-16-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2052-21-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download