ramnit | 67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662

General

Target

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe
Size

228KB
MD5

00d8b22278e3bf540badb67f4cc95542
SHA1

5618e2742527f4e0d64c8cdabf4c547469473d8e
SHA256

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662
SHA512

f591dbe24dfa3f4c8beac27c10c33dc973621de7c1ded6977475de3aff611d8f1e9dd26c3c173eb60a0a2956acaacf903e2ce6cb09ff712b32c92134282c0ee6

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exeDesktopLayer.exe

pid process

1216 67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
1940 DesktopLayer.exe

pid	process
1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
1940	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1216-74-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe

pid	process
1040	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe
1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe

Drops file in Program Files directory 3 IoCs

Processes:

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px4B2.tmp	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327730734"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14675421-B46B-11EB-B4DC-42CE7BDC056B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

1940 DesktopLayer.exe
1940 DesktopLayer.exe
1940 DesktopLayer.exe
1940 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1752 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1752 iexplore.exe
1752 iexplore.exe
832 IEXPLORE.EXE
832 IEXPLORE.EXE

pid	process
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe

pid	process
1752	iexplore.exe

pid	process
1752	iexplore.exe
1752	iexplore.exe
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1040 wrote to memory of 1216	1040	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
PID 1040 wrote to memory of 1216	1040	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
PID 1040 wrote to memory of 1216	1040	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
PID 1040 wrote to memory of 1216	1040	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
PID 1216 wrote to memory of 1940	1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	DesktopLayer.exe
PID 1216 wrote to memory of 1940	1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	DesktopLayer.exe
PID 1216 wrote to memory of 1940	1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	DesktopLayer.exe
PID 1216 wrote to memory of 1940	1216	67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe	DesktopLayer.exe
PID 1940 wrote to memory of 1752	1940	DesktopLayer.exe	iexplore.exe
PID 1940 wrote to memory of 1752	1940	DesktopLayer.exe	iexplore.exe
PID 1940 wrote to memory of 1752	1940	DesktopLayer.exe	iexplore.exe
PID 1940 wrote to memory of 1752	1940	DesktopLayer.exe	iexplore.exe
PID 1752 wrote to memory of 832	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 832	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 832	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 832	1752	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe
"C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QT4WGCDT.txt
MD5
4b5511ba4de7d8002dc8b203a7fcfb54

SHA1
0dacd52f946a7383703052ce84156ad12c6c1568

SHA256
6be0a75d1b632162a537942c28788a2cc12d56e6458c8f68fe48a5d7bfe47db2

SHA512
63c1da965833202d0ba55ad47bcaf6b601a706f06915268cc64590f6876688f6b14645a9c48fbd7d2fe29c31284b0c3ca10c39d9fe40f250a1ec6c3a30b260aa

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
\Users\Admin\AppData\Local\Temp\67fca67d693881c64958232a25e4a2c841e473bc335b699f2b955a14895d8662Srv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
memory/832-72-0x0000000000000000-mapping.dmp

Download
memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1040-75-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1216-61-0x0000000000000000-mapping.dmp

Download
memory/1216-74-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-73-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1752-71-0x0000000000000000-mapping.dmp

Download
memory/1940-66-0x0000000000000000-mapping.dmp

Download
memory/1940-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads