ramnit | 857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74

General

Target

857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe
Size

325KB
MD5

77bbb5e6a85642cb111f909c91234099
SHA1

9cab825b30a018574889dc7952ff7c03de928495
SHA256

857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74
SHA512

dd49355a5aa1cd2ba10c028741ed26e574963ee858bebaa92735dd6d297458de7b8458cebbabf9d53be77b5ad0d4aabe2f88bbf2cb211571318ee606b8263d50

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exeDesktopLayer.exe

pid process

636 857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
860 DesktopLayer.exe

pid	process
636	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
860	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/636-123-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2512.tmp	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326955356"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2573065760"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884202"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884202"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326971950"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327003942"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884202"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2582753533"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C4AD13EF-AD5D-11EB-A11C-E62B3DD6123B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2573065760"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe
860	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1092 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1092 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1092 iexplore.exe
1092 iexplore.exe
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE

pid	process
1092	iexplore.exe

pid	process
1092	iexplore.exe

pid	process
1092	iexplore.exe
1092	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 3680 wrote to memory of 636	3680	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
PID 3680 wrote to memory of 636	3680	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
PID 3680 wrote to memory of 636	3680	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
PID 636 wrote to memory of 860	636	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe	DesktopLayer.exe
PID 636 wrote to memory of 860	636	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe	DesktopLayer.exe
PID 636 wrote to memory of 860	636	857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe	DesktopLayer.exe
PID 860 wrote to memory of 1092	860	DesktopLayer.exe	iexplore.exe
PID 860 wrote to memory of 1092	860	DesktopLayer.exe	iexplore.exe
PID 1092 wrote to memory of 2920	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 2920	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 2920	1092	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe
"C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
cf493187057b0d94c3c8450bba8a7e6c

SHA1
19fa71e6f73634d842daed982f6705cef9afaab1

SHA256
b0d5f7d1810cc7bed04285eea456682ef9d47e5c279062465a8180f861f7dce8

SHA512
aa4289aa7dd4758edc1b5ed792cf097f8c29bf5a5c8cf0ac3a5df60591ef6aa9614203b231720d6ce7265859023e4b97433d62aa51db59e4cacc8a54c9e9f0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q5G1MNRY.cookie
MD5
e9418ac41ad34cc545e83023b9424602

SHA1
e1a1c8a429ef3c0c8059d8d03604d662577492d2

SHA256
bddcd99456d932db57818b0cee22ff774036dadb6ce50b5ddae1133932469725

SHA512
7c13945bd91364de9a32094f9ec3d7f7d35cbda4bb3c10dd6d91a4caada72322f2449e13c6886588a7de832c7c8ba4e165a39d86ba5071f7bc4111c0fb00b1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SUNDAASP.cookie
MD5
fe28d4bf621d69303c6658fd9d62b0b6

SHA1
94eaa06fa0f09eeebdd9ae9b74106116409ece26

SHA256
52b53ce6f3c1a35f343060787c78f5fa82524aa23530eac27ec32365315c6531

SHA512
46e3deed199ae55f362213fcaa0f7d5b3716080c2db6cfd8a5c2240c794332d22a5dc55d2af56d9b4943ede685581072773bc6ec7be79df560220e4f4ef7d77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\857d908eafb6e1260343a1ee7e23d19b031a46efec68977062caeeb73765fc74Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/636-122-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/636-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/636-114-0x0000000000000000-mapping.dmp

Download
memory/860-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/860-117-0x0000000000000000-mapping.dmp

Download
memory/1092-124-0x00007FF88D4A0000-0x00007FF88D50B000-memory.dmp

Filesize
428KB

Download
memory/1092-121-0x0000000000000000-mapping.dmp

Download
memory/2920-128-0x0000000000000000-mapping.dmp

Download
memory/3680-125-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads