ramnit | 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d

General

Target

602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
Size

593KB
MD5

6ade6fd07766bfcee12779da5731f0f9
SHA1

2fbbfcaec9d68129bac35ea6c4638497e1a4aa54
SHA256

602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d
SHA512

b55f8ed44befa1d337839b8ed4cd7ea82d57269873eed3d80bd3c96deaf87b5fe5d71e1c34e81b46e36a631e2b452aaced827c9f24bb002cec3228126a202a10

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

rundll32Srv.exeDesktopLayer.exe

pid process

2020 rundll32Srv.exe
2036 DesktopLayer.exe

pid	process
2020	rundll32Srv.exe
2036	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/2020-76-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32Srv.exe

pid process

1924 rundll32.exe
2020 rundll32Srv.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1D7F.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1988 1924 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1988	1924	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF3636B1-B55B-11EB-AB32-6E76A0352788} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327834207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rundll32.exeDesktopLayer.exeWerFault.exe

pid	process
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
2036	DesktopLayer.exe
2036	DesktopLayer.exe
2036	DesktopLayer.exe
2036	DesktopLayer.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1988 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1988 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1996 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1996 iexplore.exe
1996 iexplore.exe
1552 IEXPLORE.EXE
1552 IEXPLORE.EXE

pid	process
1988	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1988	WerFault.exe

pid	process
1996	iexplore.exe

pid	process
1996	iexplore.exe
1996	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 1924	664	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 2020	1924	rundll32.exe	rundll32Srv.exe
PID 1924 wrote to memory of 2020	1924	rundll32.exe	rundll32Srv.exe
PID 1924 wrote to memory of 2020	1924	rundll32.exe	rundll32Srv.exe
PID 1924 wrote to memory of 2020	1924	rundll32.exe	rundll32Srv.exe
PID 2020 wrote to memory of 2036	2020	rundll32Srv.exe	DesktopLayer.exe
PID 2020 wrote to memory of 2036	2020	rundll32Srv.exe	DesktopLayer.exe
PID 2020 wrote to memory of 2036	2020	rundll32Srv.exe	DesktopLayer.exe
PID 2020 wrote to memory of 2036	2020	rundll32Srv.exe	DesktopLayer.exe
PID 1924 wrote to memory of 1988	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1988	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1988	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1988	1924	rundll32.exe	WerFault.exe
PID 2036 wrote to memory of 1996	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 1996	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 1996	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 1996	2036	DesktopLayer.exe	iexplore.exe
PID 1996 wrote to memory of 1552	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1552	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1552	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1552	1996	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 268
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C8WLG890.txt
MD5
fbeab2b1fa3ffbc16e675ad68e45b512

SHA1
b62e6d96cdb187acccc8054d7be33b868acd6825

SHA256
7f8b70840fb3e3b23941837e7d5f7c4a762f89d6b81a978c84abdcbba503262c

SHA512
4e3d0c1af38d08621c995a98e6570b5c984422006d62094a08a4e63d7a42e56ca37c815e1816634b73e84d2e9b7e9d9781677a4cda169e79ff4d169233be2cc4

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
\Windows\SysWOW64\rundll32Srv.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
memory/1552-80-0x0000000000000000-mapping.dmp

Download
memory/1924-77-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1924-61-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1924-60-0x0000000000000000-mapping.dmp

Download
memory/1988-73-0x0000000000000000-mapping.dmp

Download
memory/1988-82-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1996-81-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1996-74-0x0000000000000000-mapping.dmp

Download
memory/2020-63-0x0000000000000000-mapping.dmp

Download
memory/2020-75-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2020-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2036-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads