Overview

overview

10

Static

static

3

2025-03-03...xz.exe

windows7-x64

10

2025-03-03...xz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/03/2025, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe

  • Size

    16.2MB

  • MD5

    b7440dc351ffe15cca82aab34d07e734

  • SHA1

    d21c8f5ff2f1525e8df402820829255a9e53601c

  • SHA256

    22648bdc393ffb7830ae3e47d4aa7a52d5d98e519b03d6cc32df8f8e7132b035

  • SHA512

    71b297ad9fee3353349b3a78215fc91e2efadadfb32f3ac83fcc52c191a2ec38510d229102c50c93a53bdf9b999ea656b5e2815ea355a692eaca61e1080f8321

  • SSDEEP

    196608:qeXaEgT/xxqZbtQBu1rw1aUsvrsSmeaon:T+0JQEBw1aUsvrsSTaon

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2624
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e2265554e75411692c99f64ecbab7dea

    SHA1

    9f7ac0bad5357b790f8fe4479995b4a66a46d70e

    SHA256

    9563d253bced827f557b26e0c69f0fcc43b2d12c0158eea5d7aa2126dc57a1ae

    SHA512

    c77f799aea033727c05f45a60f52d102297a7d2dd44d8dfb4394bdf3ad501b0062e411d81cb9736ab04b9ab47d4c9fdcc2901d165a3c89460c60a3b53eb4896b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0b056b78e69f7e78b3bf6a7be6c41068

    SHA1

    6c6236f818bd37710cf898c09e7662da9379e0a2

    SHA256

    b5655d479328afbfb11b91d6075e20ad42ff7b2571b9855e60e43116ad4def99

    SHA512

    129a146bef9011ea59fcee9f0435520c25fd7a9441f71683cd29db5d9d1915a8dd5b2f5c87fb0b49de507140c17b76acfffe43cef49b9afe104b194443be1c06

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    17c3ba2364ba535302520fc5f343cb9e

    SHA1

    f1d3e6d148ed918f63ddc6fb7e1cb2d17c64163a

    SHA256

    42c0055f81a4041c0ea8a2dbd3016da8a8915e776a8bc55402b3bc114d20762c

    SHA512

    b597888a1bf4e589812641a0464446b78a14c327d032f044d30322dc77fb878295764cb0defd267f7c26de36cf0dfddb2125f6cbc5f6c05c7e9939d1e20ea3bb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0e65e752c4676d899b43b84e7492a2ed

    SHA1

    d3b90f271002fe84a8975dff21a67908b549f97e

    SHA256

    124f0be15aa7798a24bc6512f0b1719effb3fbe77add580cb717ec6177a700e1

    SHA512

    253741d90b97741bf91db3ca2ca4abe2cd57776d8f30585d715ee1f02fdbf108e2e392e360ca2ed879c35b24ecf2df9b67b1f7d22a7301051c66e2f2c22cfc8d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fe8e44419b45d873031190bd9c13adb4

    SHA1

    45fb32992b63d0dff20bc7ba14ab0ff4adc03aac

    SHA256

    da507374ef36f6fbba330f08d1a45f96e0c84fc43b5bdb1e7bace4d3b35b681d

    SHA512

    c06583bcb3f314d498ef9fc8233fbcb25cc98c0a3995185e073ff8a42301395236d12a62219a643c19cdf84303acf843687f693d04483403c5c483a66c0608ea

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2fc9e89d5863ea77ef6381bf75cd983e

    SHA1

    10b562e35200b0b28a908e55ebd0b6c6c8aac1cc

    SHA256

    0c23c7ae21b290756784091f4b102367553c452729ca2d7572ca1d49aa635633

    SHA512

    7260be13ad876a2c44a7014ca011a4cf1e12eababcf919ade616cd233054c1969ba14d3ab4f2046e0f59536f79684e5e5890bee4186ed69ecf84174711b8736e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    84b6f7b388240702fff954ca5381aa10

    SHA1

    f156d4355a6e3e97849451e5d6b176af4ecad8b1

    SHA256

    9266d2ff9a1bbce8bc729e8fbfa57c9d027768d2819dfbb92f7beb3654189e83

    SHA512

    e755f14137c9b593e2e6f0f43612e382536093a7af84d4be9165ffcd614d5b1fd3350b90154b421776fc2fe99afff6923012b3ca6a14932a8067eddbba3d015a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e93c247a07c6b1bd3a4f2ed93b40014f

    SHA1

    1d4a6d7a42b51470359fb4f4b0b1965e29450b8c

    SHA256

    30ab3c70c2d78de36bec578cf22d02d3532021ea540d453c28089711090bced5

    SHA512

    e793b2bc33226a4fdc79073b503d5ab517c9be2f24cef803b2db0cc70487cd373e492c640076deedebb4d89ade4f295c042aed62751ad882e668a1b087cb4323

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    dae6ffc2df3b94782e5bc9299a1eeeb6

    SHA1

    6fe029adefaa7f4fe9cd55c698880969cc8ec1b8

    SHA256

    f83b8808d6c074cc531691590ccbe65738d5c1914560187a77398e4b2e9acb03

    SHA512

    ed021d9de2ebe53438d4295a3549a2cd610e9ad73298352717a6a3b37f9f709f938aea337f0e606a3e92dde46bce2dff4e84541698a4c1edd5ee13902df7691d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA4E9C61-F7CD-11EF-BF50-D686196AC2C0}.dat
    Filesize

    5KB

    MD5

    9587162620de57fcc7b38c6999102804

    SHA1

    dad57e860c91039fe2bdff9c1d9face558eb715d

    SHA256

    c825c0f2b5e3bed1068568fbf52b6cc13b9833869d3e711d9e5f863d97b25584

    SHA512

    4a5c86ee65ce0be306163370797b090705fc1e22c51d2e1d20099d7c6bca64c946f4d1f803fb35e215c6b9f1ff787f42b4728ecd1cb4964bd50bd4c43acd25b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA4EC371-F7CD-11EF-BF50-D686196AC2C0}.dat
    Filesize

    4KB

    MD5

    db16be60e7b70e0c63fea8c7153bcbb9

    SHA1

    7a04e3a942100ac604ee45bee6467eb9f960c4f5

    SHA256

    3c17388c42613512cbd25fa5366501b1dbe9b389a558ab1fef1a09e4bdc5e113

    SHA512

    63b33eb0e76fccceda686515b80c29e6157e0aed35b18bb2140d8bfb2ae5050ced9df495a08203526afc484594ce7dadfddc8eed0dfe2577d461037148483a59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF5EB.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2025-03-03_b7440dc351ffe15cca82aab34d07e734_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • memory/2372-10-0x0000000000350000-0x00000000013B5000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2540-16-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2540-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-11-0x00000000779EF000-0x00000000779F0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-12-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2540-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download