ramnit | b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935

General

Target

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe
Size

2.4MB
MD5

d14ab4192771b0eb817a7efd4791a141
SHA1

921a80ddaa048c07e26c90c9ee72930bdcd9985d
SHA256

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935
SHA512

96a5f6475fd5de9d0740972553ac45255888f744895e3628afa553b444dc5c51c18e72c3dbfa3488ac2d62274f8d171a3b6abe4d72246410831bc0551793a1f1

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exeDesktopLayer.exe

pid process

1396 b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
1684 DesktopLayer.exe

pid	process
1396	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
1684	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1396-125-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1199.tmp	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327337566"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1639593153"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884979"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CBA73BA-B066-11EB-A11C-7E556571BED2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1633186561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884979"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327288980"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1633343015"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327305574"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884979"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe

pid	process
2020	iexplore.exe

pid	process
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exeiexplore.exeIEXPLORE.EXE

pid	process
2204	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe
2020	iexplore.exe
2020	iexplore.exe
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exeb5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 2204 wrote to memory of 1396	2204	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
PID 2204 wrote to memory of 1396	2204	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
PID 2204 wrote to memory of 1396	2204	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
PID 1396 wrote to memory of 1684	1396	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe	DesktopLayer.exe
PID 1396 wrote to memory of 1684	1396	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe	DesktopLayer.exe
PID 1396 wrote to memory of 1684	1396	b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe	DesktopLayer.exe
PID 1684 wrote to memory of 2020	1684	DesktopLayer.exe	iexplore.exe
PID 1684 wrote to memory of 2020	1684	DesktopLayer.exe	iexplore.exe
PID 2020 wrote to memory of 3576	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 3576	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 3576	2020	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe
"C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
8b98c6e15294bc40da3cefe4edaf4239

SHA1
adad48d3d0df469a89d11c57eb7d83e53b87e463

SHA256
f68c724058e29413bd07ea56477af94e05f3297121f385eb4b7db0f738dc8913

SHA512
7947a5cfbe74877a1d868a6fa9b30f9984751f4605409713a083ddbd1c4c64e1a56d367da7b26587bdd29e463f5c17cc28bb45e2fca46a8087313fc5f918895c

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
8b98c6e15294bc40da3cefe4edaf4239

SHA1
adad48d3d0df469a89d11c57eb7d83e53b87e463

SHA256
f68c724058e29413bd07ea56477af94e05f3297121f385eb4b7db0f738dc8913

SHA512
7947a5cfbe74877a1d868a6fa9b30f9984751f4605409713a083ddbd1c4c64e1a56d367da7b26587bdd29e463f5c17cc28bb45e2fca46a8087313fc5f918895c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f678931a524678361beac60c51ae4821

SHA1
12a9fbf47f4b6174e9d0ef63cd33419ea978492d

SHA256
6dddd4332f4a60f101de7ddb4a055e86a6fe6d3bd69d4c26e7dde6cd8bfab088

SHA512
b5e017723870077aad67ac4c7e814470963da6bf72d2c177d95df240303a21a8dd3a813c32ba1f14acc9952d00b3a660e143940c746f57a6de332f2e75cc1e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CQBLGWHC.cookie
MD5
e5cee00095b44c78718d3cc10f6ab424

SHA1
ef67974012f3d1a5400215704ba0c44e9187016a

SHA256
922a3c4c346cc2ef5fdfb8ae5c3220904dd7a8e313b25fd28f8614776970914d

SHA512
e184d2e9072a9cb6d7bb49bf9cd9a5ee95a5b4a96ca828090ceac38fc25d0b72643de6df25c2ffe1889648aa174a725d631532fbeb186ce76f783996a8660cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TNGU1TGR.cookie
MD5
19efe25a69d1e396a1388dba4bce7153

SHA1
086a9d123840279cd3a471253439f50cfb653718

SHA256
2e4bdea464e4b191671bf90be568ed40ab1117a7d696af3b0fdd20c708a5aaa1

SHA512
8020601b877082ba5f8e6c1e13f42da1cca238508afe53b368bec2c88f823fdff379f9e88ff83110bb9668a029b2f2bec868944e039b2e26e44b5f808b3e01ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
MD5
8b98c6e15294bc40da3cefe4edaf4239

SHA1
adad48d3d0df469a89d11c57eb7d83e53b87e463

SHA256
f68c724058e29413bd07ea56477af94e05f3297121f385eb4b7db0f738dc8913

SHA512
7947a5cfbe74877a1d868a6fa9b30f9984751f4605409713a083ddbd1c4c64e1a56d367da7b26587bdd29e463f5c17cc28bb45e2fca46a8087313fc5f918895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5c6c407900323c075b22bcf983d851b718aa57146a8bca08b02bb6cdbcd3935Srv.exe
MD5
8b98c6e15294bc40da3cefe4edaf4239

SHA1
adad48d3d0df469a89d11c57eb7d83e53b87e463

SHA256
f68c724058e29413bd07ea56477af94e05f3297121f385eb4b7db0f738dc8913

SHA512
7947a5cfbe74877a1d868a6fa9b30f9984751f4605409713a083ddbd1c4c64e1a56d367da7b26587bdd29e463f5c17cc28bb45e2fca46a8087313fc5f918895c

Download Submit
memory/1396-124-0x00000000001F0000-0x00000000001FF000-memory.dmp

Filesize
60KB

Download
memory/1396-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1396-114-0x0000000000000000-mapping.dmp

Download
memory/1684-117-0x0000000000000000-mapping.dmp

Download
memory/1684-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2020-121-0x0000000000000000-mapping.dmp

Download
memory/2020-122-0x00007FF830B60000-0x00007FF830BCB000-memory.dmp

Filesize
428KB

Download
memory/3576-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads