ramnit | 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d

General

Target

602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
Size

593KB
MD5

6ade6fd07766bfcee12779da5731f0f9
SHA1

2fbbfcaec9d68129bac35ea6c4638497e1a4aa54
SHA256

602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d
SHA512

b55f8ed44befa1d337839b8ed4cd7ea82d57269873eed3d80bd3c96deaf87b5fe5d71e1c34e81b46e36a631e2b452aaced827c9f24bb002cec3228126a202a10

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

rundll32Srv.exeDesktopLayer.exe

pid process

4000 rundll32Srv.exe
700 DesktopLayer.exe

pid	process
4000	rundll32Srv.exe
700	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/4000-123-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6E4.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

868 1428 WerFault.exe rundll32.exe

pid	pid_target	process	target process
868	1428	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327238372"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327238315"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5140896-B56C-11EB-B2DB-DAB543A68B6E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327238484"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

rundll32.exeDesktopLayer.exeWerFault.exe

pid	process
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
700	DesktopLayer.exe
700	DesktopLayer.exe
700	DesktopLayer.exe
700	DesktopLayer.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
700	DesktopLayer.exe
700	DesktopLayer.exe
1428	rundll32.exe
1428	rundll32.exe
700	DesktopLayer.exe
700	DesktopLayer.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 868 WerFault.exe
Token: SeBackupPrivilege 868 WerFault.exe
Token: SeDebugPrivilege 868 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

776 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

776 iexplore.exe
776 iexplore.exe
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	868	WerFault.exe
Token: SeBackupPrivilege	868	WerFault.exe
Token: SeDebugPrivilege	868	WerFault.exe

pid	process
776	iexplore.exe

pid	process
776	iexplore.exe
776	iexplore.exe
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 708 wrote to memory of 1428	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 1428	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 1428	708	rundll32.exe	rundll32.exe
PID 1428 wrote to memory of 4000	1428	rundll32.exe	rundll32Srv.exe
PID 1428 wrote to memory of 4000	1428	rundll32.exe	rundll32Srv.exe
PID 1428 wrote to memory of 4000	1428	rundll32.exe	rundll32Srv.exe
PID 4000 wrote to memory of 700	4000	rundll32Srv.exe	DesktopLayer.exe
PID 4000 wrote to memory of 700	4000	rundll32Srv.exe	DesktopLayer.exe
PID 4000 wrote to memory of 700	4000	rundll32Srv.exe	DesktopLayer.exe
PID 700 wrote to memory of 776	700	DesktopLayer.exe	iexplore.exe
PID 700 wrote to memory of 776	700	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 584	776	iexplore.exe	IEXPLORE.EXE
PID 776 wrote to memory of 584	776	iexplore.exe	IEXPLORE.EXE
PID 776 wrote to memory of 584	776	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:776 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 680
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
418f4d192a75ef7f17c747644068ed55

SHA1
9ca9147e3854ad7eefff4a0262babbe31ab6d172

SHA256
9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186

SHA512
23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2

Download Submit
memory/584-129-0x0000000000000000-mapping.dmp

Download
memory/700-118-0x0000000000000000-mapping.dmp

Download
memory/700-121-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/776-126-0x0000000000000000-mapping.dmp

Download
memory/776-127-0x00007FFFABC30000-0x00007FFFABC9B000-memory.dmp

Filesize
428KB

Download
memory/1428-114-0x0000000000000000-mapping.dmp

Download
memory/1428-128-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4000-115-0x0000000000000000-mapping.dmp

Download
memory/4000-122-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/4000-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads