ramnit | 087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a

General

Target

087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe
Size

443KB
MD5

dc6b0680a083cc318c5421e18ab207c9
SHA1

0aa198049f41243337c9cc32030388eb1ff58c39
SHA256

087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a
SHA512

e82db9d9718d41b645780e9a6c54703570c1c56440c5d0efb04023d4e254cf1f03c87df9d3bec0317d787af689d7a2e07109ac9eac03f191c8e0ce32f932a064

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exeDesktopLayer.exe

pid process

804 087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
1948 DesktopLayer.exe

pid	process
804	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
1948	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe	upx
behavioral2/memory/804-119-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Drops file in Program Files directory 3 IoCs

Processes:

087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF19.tmp	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886198"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3389255883"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5128012-B529-11EB-A11C-F29CEA8FB389} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3380818686"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327812712"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886198"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327829306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886198"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327861298"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3380818686"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe
1948	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

812 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

812 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

812 iexplore.exe
812 iexplore.exe
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE

pid	process
812	iexplore.exe

pid	process
812	iexplore.exe

pid	process
812	iexplore.exe
812	iexplore.exe
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 3152 wrote to memory of 804	3152	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
PID 3152 wrote to memory of 804	3152	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
PID 3152 wrote to memory of 804	3152	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
PID 804 wrote to memory of 1948	804	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe	DesktopLayer.exe
PID 804 wrote to memory of 1948	804	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe	DesktopLayer.exe
PID 804 wrote to memory of 1948	804	087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe	DesktopLayer.exe
PID 1948 wrote to memory of 812	1948	DesktopLayer.exe	iexplore.exe
PID 1948 wrote to memory of 812	1948	DesktopLayer.exe	iexplore.exe
PID 812 wrote to memory of 1264	812	iexplore.exe	IEXPLORE.EXE
PID 812 wrote to memory of 1264	812	iexplore.exe	IEXPLORE.EXE
PID 812 wrote to memory of 1264	812	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe
"C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:804

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
57010df1ded674ce061f8af29a2e6fbb

SHA1
83e50ef272059dc3fab93e694d5e220dc48bf0c4

SHA256
68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

SHA512
211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
54440ee8f0438528bbd44afa59170aae

SHA1
23134c2d89814907e0d4646de275ed9779a83169

SHA256
304e50a7b5d508309a4eced4ba985a7f5fb739a86363e84a0326ff97ac91976f

SHA512
e0ee956b80f49b2cffce626c703b99f978e158b005d23ff7ef19170cffdf373b7eec2d81f580f54499fcd15b79c09ea476e5098a71ea8bd3dae1db941e891ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QGO9XHZ5.cookie
MD5
9fb8a8a3e6809a0453c8bad544b30321

SHA1
5bccfc5ee7706fee2f1266e4f171b8ba609710fc

SHA256
b529f6192433f7012e59fd42c6238417ce7b9d0b0d5f3f791a82aed996325456

SHA512
aab31b51088fe5fdbcb12d42ff698fdaa407b85e65392cefb6b48573c520567b5bb00efe633c5cb963d1ccd88b9e8b6a47c1f9f7b8a84d1daa230d0eef256fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RN9Z7I5T.cookie
MD5
059324e531fe63499daddb9cc16fbe79

SHA1
c1a322946e09cdb9a6a510987fe4a198786bd299

SHA256
986e04e84d8856b41b66ec8e906d114733b4c1f4b80c1d7c6615a05d1b3204bf

SHA512
2dd955a036cffdb7c9583ff0345451ca45eb811f004a5862bc503f417a562acd5c2f01f852b89471be27c248b85b835cd7ff54ea2ee536cc6d45f716aca1054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\087e2690cf320941bd5f23fbdfee6ae692c8518eb073bd256a2106d28f71ee2aSrv.exe
MD5
da18881ccaefeaa4942af9291cb34826

SHA1
e4f33c21684bede05ccea60dd0767250ff2b3aba

SHA256
1d736643af18fe45f74f67a68c3268b39e7dbd84aaaf46dba5e23e48e8402842

SHA512
2420cf80794f4e74fb95934698714d4386e022d68c0c4e181d9d6e189bf3fab09f920e6e9128e423a1dbf357558bab628133d1084a7a306617c3a9c2461a5901

Download Submit
memory/804-118-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/804-119-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/804-114-0x0000000000000000-mapping.dmp

Download
memory/812-124-0x0000000000000000-mapping.dmp

Download
memory/812-125-0x00007FFD68B30000-0x00007FFD68B9B000-memory.dmp

Filesize
428KB

Download
memory/1264-126-0x0000000000000000-mapping.dmp

Download
memory/1948-123-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1948-120-0x0000000000000000-mapping.dmp

Download
memory/3152-116-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads