ramnit | 433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01

General

Target

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe
Size

656KB
MD5

b155477a13c1106c26ad16839fcaf351
SHA1

97a96e199037e0c6a925697df057fab5b94a8e6f
SHA256

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01
SHA512

0a916db3651b58a9c5c0f5ece38295eecad12007f98ea4132b12facd938b2759ee368448e9b8766b336b6185a308cb9c240ca224605f97e480b596132bb7437c

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exeDesktopLayer.exe

pid process

4804 433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
3200 DesktopLayer.exe

pid	process
4804	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
3200	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe	upx
behavioral2/memory/3200-136-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4804-133-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Drops file in Program Files directory 3 IoCs

Processes:

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px6946.tmp	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1712 3184 WerFault.exe 433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe

pid	pid_target	process	target process
1712	3184	WerFault.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{490CC6A1-9D8A-11EC-B9A4-EA77FA5385F2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "520543532"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30945687"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30945687"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30945687"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "520543532"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "555075954"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353362760"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe
3200	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3980 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3980 iexplore.exe

pid	process
3980	iexplore.exe

pid	process
3980	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exeiexplore.exeIEXPLORE.EXE

pid	process
3184	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe
3980	iexplore.exe
3980	iexplore.exe
4656	IEXPLORE.EXE
4656	IEXPLORE.EXE
4656	IEXPLORE.EXE
4656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 3184 wrote to memory of 4804	3184	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
PID 3184 wrote to memory of 4804	3184	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
PID 3184 wrote to memory of 4804	3184	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
PID 4804 wrote to memory of 3200	4804	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe	DesktopLayer.exe
PID 4804 wrote to memory of 3200	4804	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe	DesktopLayer.exe
PID 4804 wrote to memory of 3200	4804	433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe	DesktopLayer.exe
PID 3200 wrote to memory of 3980	3200	DesktopLayer.exe	iexplore.exe
PID 3200 wrote to memory of 3980	3200	DesktopLayer.exe	iexplore.exe
PID 3980 wrote to memory of 4656	3980	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 4656	3980	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 4656	3980	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe
"C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
  C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3980 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 544
  2⤵
  - Program crash
  PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3184 -ip 3184
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
41d7deabd752bfa4aa82a881fe8c303d

SHA1
907849dddd7dcee67ccf394cc6fef52ab6aa1f55

SHA256
b4f683e97813d33a5fa11c16fed0ae7952d424f7abb42e609f5a09b27998e429

SHA512
85db66c139f801d64a874434d3fd44639239fe8bc31b3ebc57812d942d51dbab414156aacc78c58c8a72c687a996da566cbe26e3b8b361563743948d441a6f6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
b00be85c890a08b039fdb4e1d0f5744d

SHA1
13a7cfe107ca8695485d6fdbcf8ab9b2a716b6aa

SHA256
6477a088e8a8d7821fd1258a1b5993c5f0ec9febdd86381a775f6099b5a3d1c6

SHA512
d1441f1d8e124f8a1969229daf92c35b53badb4024220cb02e54b8ff44d45cf26875251ab6bca14ab1d14af9739242ab94f21e7e59e7623588af6bc8dfe34d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\433f7c13d86115e1437ed42dce4bf44a1d4c6f2edf7b3245fab2b749e78daf01Srv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/3184-138-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3200-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3200-135-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3200-137-0x00000000771D0000-0x0000000077373000-memory.dmp

Filesize
1.6MB

Download
memory/4804-133-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads