Overview

overview

10

Static

static

3

2025-03-03...xz.exe

windows7-x64

10

2025-03-03...xz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03/03/2025, 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe

  • Size

    16.2MB

  • MD5

    b7440dc351ffe15cca82aab34d07e734

  • SHA1

    d21c8f5ff2f1525e8df402820829255a9e53601c

  • SHA256

    22648bdc393ffb7830ae3e47d4aa7a52d5d98e519b03d6cc32df8f8e7132b035

  • SHA512

    71b297ad9fee3353349b3a78215fc91e2efadadfb32f3ac83fcc52c191a2ec38510d229102c50c93a53bdf9b999ea656b5e2815ea355a692eaca61e1080f8321

  • SSDEEP

    196608:qeXaEgT/xxqZbtQBu1rw1aUsvrsSmeaon:T+0JQEBw1aUsvrsSTaon

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2532
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7e6c3de028c5202321297e5882139e36

    SHA1

    fb716615d76be8368011ac35f5b31fb1079d4a32

    SHA256

    cd3009db6a19294df6df3bb1f554609267a38eb72eae0d360475a611db4114a3

    SHA512

    95753a8aea4d0c12d5f61456a62b1a86e5b66357bcc0124eebf5c79cdcc324b2146210a0ce66ec1d0338bbe216b348c261ec19c0862c90d12c9a9b985b3af321

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6d1ada600cc4b1bd1a4444c4999e7ba1

    SHA1

    9125f33e2b48af3479b0191186c33d4d2b3beb26

    SHA256

    7525afb051130f422ffcab5a3545d218890547b7a81828ea15c2d82c713a1ece

    SHA512

    2946b8f00fb9884d89cdaaaa384baa910d49cd3baef34a81fb82f097506bf16740abc4d98dc0a1eace374f71f9480d9b975b6f0bb6f9833e9d8840ab34c8dbcf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    356e0f013648b54431cf8e53751900a7

    SHA1

    cf73396e50e185a5094b6ddc767cb35a019007cd

    SHA256

    045dba96355dfb35f74403f92f1591a8be0506c4b64838fdd9d1a4d40d778f5e

    SHA512

    61b897efea764c18f6b236738feb496954cc08662bd6d7b80715aa4f66895f484b719fae0ac8fae893c3c1ec8dce9a6cc838fe5f123f3c58523bc089b8e0bb30

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    077043d1d755a765d700b3c9ab18df45

    SHA1

    9221137dd9a051b9e8c48c55457c3b0164e70c81

    SHA256

    711b733f08714cfc0630d424d92c5587220106ccadafe9ebfa85e15e1d09b107

    SHA512

    f1ce0c5e3aebc80b8f3e341bff9339af2440098fcf9ee2ec8c19b8c8c2ea120ae3dcf92906ba9d340a68ed15149c0deae312570491772c82cdad2b9599069c69

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4643b87b4f017d2181cb6ba91725ba68

    SHA1

    436f47c4e6ed207e43e28f626795b41d841d8fb7

    SHA256

    43bbf88fa536a782458802f5e5055692a8fed7578cf0c70f30e85dc8ed5ae16b

    SHA512

    2a383ba41cb19534b593a762b9e52d31f767d8ba273757887fc0dfdb9a6ba1ad1462de5512a24f9f11bbb4da6c4840c05e8139539e24c81208fcfffd305928c4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    29b2c7caaff86163eb9257fad73f954a

    SHA1

    1bedfc0b6174886b2509eb535c38d2cb0657465a

    SHA256

    2e5fd837d5f132fb44d7126eaeec1f26fde462947176b5c9e38fe3f7cf540983

    SHA512

    9291b34fe3609ccde764f37a83c3e6dfae0a2b9455147c7d3a53e740b7a1f3c325e8a767ae2015cc995ea4daf1d39570245591139497ebb4fa7cb939ab989433

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e0773fb34f2d4abc14dec009d6d0d16a

    SHA1

    120fe96b181336ffc84f7047d4210f8d3498005d

    SHA256

    fd5ffeb1e501735237823dae2e8b7654c11368d875854ab364cb5b399d7c1679

    SHA512

    e26c49acc4ee13b8e1224077afe08246473968370a55a212d3f450749f90859fd568a81345582fac3608b073a4d2aefbab70ef85fc6b5b08061986d7cb5dd9df

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6b288ed53dcd13317011531c4d3fb5bc

    SHA1

    a7f7cf7bb74a220e2e65ddda8d951ca87afd421b

    SHA256

    63b5c913b29c09cd6dbea890419f1db8ca04f1bbdd7d945321a28f109e74fb0f

    SHA512

    48dc187683e48b1d7d26f235a53888c1d53efc00aed823962ef936cc7f9fce742275b13858ee61e3fd641fe30075196944d0ea08c66f2f04f3d3b4ab5e910a29

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3f698be0d6d2fb9c151ef58d153a9100

    SHA1

    c3e40a223434ba24aedcb61888c295cc2b166fe9

    SHA256

    a213e92419771733539fb152c27078e3010efaa0c542db1b246383b32cb2b68b

    SHA512

    a65923d60064d4ed50ca06bfba85200551fa0016ad65291c80df085c0338cf003b42bdec4d376764c25a857ecc0cc8ea114129d24f0b1067af0bab60003a7cc4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e5b033f7bfc84b947ea3784cdd35a2a1

    SHA1

    c26c3e3343bc8f8ba9c8becc8d9ef02c63fccecc

    SHA256

    b4a52e66415898421bb5a379fd6c0c5b763116c29ccef1513a3bba5e565cada9

    SHA512

    bf6b60cb0399277b20e86a32e82972a4d62c5f22061e030d15e4a65ae231877162563f3de1d789175ff60d156da2f393854193d33aea38dffbc5bd6d7e30f1bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    da31eb0b169bb7f6a784932b25a7e98f

    SHA1

    46497d473cadb0976cc7388d72b7455a7e9fd34a

    SHA256

    7a4bf56a2c3ed78c7d611b38daeaa91b45ff01e6b012af930db5bdf13d184452

    SHA512

    aebd59c8ead02760e7509672b06be6a6948592d3b9f07a29fc19e5d1e2549d0f0b275d40326da8a7a12a5be5686fbcc6d5a21bacc86abc42fcca8a8f639a758f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    28eea58fab0b7b7d4c2e497a4a632df0

    SHA1

    c84fd509d683c2665d2b76008653426689881387

    SHA256

    23aa74e7e767dab49ce56293b9d05527b696f1f3649ac213bcc746e46a52c738

    SHA512

    76037a808a3009be5958c5c0b7ebff13be196a353f724dc8e9f0cfea16d71ccbb49e1f7f6ac93071c394385c12a88da8d8fb4aa24a21fdb15d7f6083007d1207

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    99773ae5d0dff4eb5c4d8b315af3aac4

    SHA1

    e3e492c66dae72d6f609a4efd2c7b20e847eb63c

    SHA256

    ac4ae1caceefdef14f20e27ba685d492d54d3ce316381e5c3b26cb4281477008

    SHA512

    1da8bc8e50b42759202c2bace484d5c26d7b19e989112e627b6eede23b7992927925cd6cea5062c8b1df19b3657e0aa1e2e51d3b52789b43e2d694ae7dd7941b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6db0d0b3f70ba2adbf2e50be007d1ca6

    SHA1

    cfc9248656016ebf3f45104b366c8f2cd0bc28fe

    SHA256

    fa7924d5c4a3cb74e87451f2b41fecdda2b42aee803ff25214c60afab0bd2cdc

    SHA512

    9c9b8a75ab13567688007cac3486c75eae20abcb85665c78f5d8e01b4c4b0ad34d69e91d3b81966170af9139fad0c5773cd278f01cfccc1c593f5e1db75463c4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    23bae042f9f185024ef68a80be943eff

    SHA1

    eff71910a95f4f5915a87bf37994f8c3c6f052ba

    SHA256

    b27594b01418f280d602c6b59fea1662f9c6455164b003d99da543a3d4609d8a

    SHA512

    eebd7f866595351180b49fe0ab9ed6598da1541b945dc92f51b352e73f43b5a7a6a421b301482a4541e7e106d3933e201949fe3d476fdb7b7f30835745047fe1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d5b1627030595157b92c613c167a37d9

    SHA1

    6866e2d458e850c679199135a62cd48c527aef96

    SHA256

    6caed55248e784b340bcadad0401ac01d2a82829d2c6e2ef2beff50c73aa14ea

    SHA512

    a8f13acf7c0615a70fcc16f8dce8238acfdc08d3427da2636693a923dee458c7d354af087d53750e225baa1d5b7f36d8a3fb4379b1d3a925a14632ede06a6206

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    70978e14b2dbfc8b05a702ac80657ea1

    SHA1

    a7144890032e286053b38c39add413b03b88b0c0

    SHA256

    dca213d676059dd593d35e07e6049e44b000dc3bfe76e47e2623bec6a8c63b41

    SHA512

    21d306a68c085144f4417a21f9784d3ee585485b435d8e218b3cc2d9c2057988b039ae7dca71b73dee47f0ff0e5ae0906348a83509c559527889d09416b242ba

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    271d29bd45247accb5b3b290980d5018

    SHA1

    4a6c5838043e2dc988e9276ccfec74d7904e7405

    SHA256

    dd6dd6743d2aafca0340ae81e41eecfa8a9b2762949486c23217c907d572c74c

    SHA512

    6975b37c61b0154313a9f0510df8c859f06a7cb22d1db2b15a601c22e2836db9d57ed355be0b85a4884ee0d344f00a6d634aacc341ccca0d2620dbe82e0660ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D2BB0661-F7CC-11EF-80AB-7A300BFEC721}.dat
    Filesize

    5KB

    MD5

    aac09610e6db5a29d39c1f094ce1cea6

    SHA1

    884e2101d6169f77160f51a6903dd5a16c7137fe

    SHA256

    2453ad49d641590df313d89e834caa8ebf20c07d34e4b31604761856995ff5ec

    SHA512

    d36d4fb061927aff5e581bc4d7dd233dd382254cda767d5d5dc43068c45077519ef09fddd677b4a7aecc710163648350394cc0a33339e5a6b44afaa7f36a904a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D2BD67C1-F7CC-11EF-80AB-7A300BFEC721}.dat
    Filesize

    4KB

    MD5

    e9dad00cabf7056eff008b50b5aae827

    SHA1

    00e80a10a49e75a65be9ce7f097e99e018215e18

    SHA256

    115b48de6f562c5f4473fe13a587f3a1d5e3bc21b6438bc937fef0a7ec8d7e78

    SHA512

    5af1f7301faa16743194886dcffa22c3729ea3a163a1caba74fc7e895f51c9e7ff1de6d5cbc3bd2ea22cef747ba07da423d96d1bf7f45a4bb14cdbe8ed962c93

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabFAE5.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabFBC2.tmp
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarFC24.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • memory/2064-10-0x00000000000E0000-0x0000000001145000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2536-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2536-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download