ramnit | 69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd

General

Target

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe
Size

1.1MB
MD5

ad93867ba0fd1f688e6ec043f25d3448
SHA1

60f2311fb773b960162a2069647f7b2e6a3714ed
SHA256

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd
SHA512

22eab07de24cbf95ab8af046a8adab89a74d7322f846e84234c5d7c7432d81a7f39da7f38ee2e4cfb93e6f7dbfbcb6ec226b5e159ac1535fa6b70f77d418bc7c

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exeDesktopLayer.exe

pid process

1740 69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
1864 DesktopLayer.exe

pid	process
1740	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
1864	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1740-124-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px306C.tmp	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe

Drops file in Windows directory 1 IoCs

Processes:

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe

description ioc process

File opened for modification C:\Windows\vdo2.ini 69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe

description	ioc	process
File opened for modification	C:\Windows\vdo2.ini	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3836093712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327859144"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3836249600"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3847343416"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886306"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{103C986A-B596-11EB-A11C-4E8E8FD83A77} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327875737"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327907729"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe
1864	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2156 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2156 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2156 iexplore.exe
2156 iexplore.exe
740 IEXPLORE.EXE
740 IEXPLORE.EXE
740 IEXPLORE.EXE
740 IEXPLORE.EXE

pid	process
2156	iexplore.exe

pid	process
2156	iexplore.exe

pid	process
2156	iexplore.exe
2156	iexplore.exe
740	IEXPLORE.EXE
740	IEXPLORE.EXE
740	IEXPLORE.EXE
740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 2016 wrote to memory of 1740	2016	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
PID 2016 wrote to memory of 1740	2016	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
PID 2016 wrote to memory of 1740	2016	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
PID 1740 wrote to memory of 1864	1740	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe	DesktopLayer.exe
PID 1740 wrote to memory of 1864	1740	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe	DesktopLayer.exe
PID 1740 wrote to memory of 1864	1740	69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe	DesktopLayer.exe
PID 1864 wrote to memory of 2156	1864	DesktopLayer.exe	iexplore.exe
PID 1864 wrote to memory of 2156	1864	DesktopLayer.exe	iexplore.exe
PID 2156 wrote to memory of 740	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 740	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 740	2156	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe
"C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a0a5a4d72ad62fd610b043c84033deaf

SHA1
aa5c3deaba3b479e004880b369f63f2b59b23b9a

SHA256
35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

SHA512
20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1a9090570403bd1d3690417c10d9155a

SHA1
f35ff3d92fd762b757d80308d08da8959bfa0b85

SHA256
cbd6630a60c01c039c49b193af01cac8c72d648b3af5c8594a0cddc25e43f7c8

SHA512
5593c12578aeb04e70d1826f69980b4340c14230032bd816d19b938648c30450a10b0bdd7744655d300e7b0b9b6a70c174de5bcf7bb80071d1d33a6a17e077b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JYK1V3OM.cookie
MD5
6758d70c02131d1b5637a82ff1c877a5

SHA1
5f241d9122bb1b60b64c4f53b61a6dd296ea9dfc

SHA256
5bc1371bbf7f6c7902e535ee488ff51e435002d20016ee281ebc291e518f748e

SHA512
d83cc04789a1a3ebeacdb861d43daa196c5cf9dca0bf0b10a6e8379f9dc9f7e3a979f01c9d51ab9a5ed295d764f42de0b1d5682237c68a69a73c94f1d9d5d92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YQZ7SD6M.cookie
MD5
4920f19649612a2aeecfc9aabbd92c54

SHA1
8378d6319c9bcca11bd5e727dba7d577f70312f7

SHA256
9cd0ccfcc08e3edbbe215e1d4abad333124e1a83c7ba552d7e0f09bd339cc27d

SHA512
e4e0d270ead590223f0629b79be7bda871a2930ef813f9e9d34507f6398bacaa4bd9cfa25d6da3eb38e74de4176e9bb27c323ce08ac2bec3ad42418635217c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bf015d296b139c3a20d8ac219dbbabb2f1e9ee6f44c3d1c36a14aab329cccdSrv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
memory/740-128-0x0000000000000000-mapping.dmp

Download
memory/1740-123-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1740-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1740-114-0x0000000000000000-mapping.dmp

Download
memory/1864-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1864-117-0x0000000000000000-mapping.dmp

Download
memory/2016-125-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/2156-122-0x00007FFDFDAB0000-0x00007FFDFDB1B000-memory.dmp

Filesize
428KB

Download
memory/2156-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads