ramnit | 64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d

General

Target

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe
Size

465KB
MD5

5e70d1a7802b5063eed5d6fed1989fac
SHA1

8bde6039ba52a525ed908f36b19ee14bcf81e642
SHA256

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d
SHA512

fb495fc449946cf979cb04e9fab726bd7cf98f857c9c09faadd66944bf031f465983b7e163b7203aae0d06ab3eac980c1124aea44d0ab1ff7ee4df2e17122175

Score

10^/10

ramnit banker collection spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exeDesktopLayer.exe

pid process

1764 64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
1656 DesktopLayer.exe

pid	process
1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
1656	DesktopLayer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1764-62-0x0000000000400000-0x0000000000442000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1656-65-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

pid	process
1096	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe
1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe

Drops file in Program Files directory 3 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px16AC.tmp	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{539D7AA1-A02E-11EC-B89F-C2DA94358FB2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353653114"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

1656 DesktopLayer.exe
1656 DesktopLayer.exe
1656 DesktopLayer.exe
1656 DesktopLayer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

468 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

468 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

468 iexplore.exe
468 iexplore.exe
1056 IEXPLORE.EXE
1056 IEXPLORE.EXE
1056 IEXPLORE.EXE
1056 IEXPLORE.EXE

pid	process
1656	DesktopLayer.exe
1656	DesktopLayer.exe
1656	DesktopLayer.exe
1656	DesktopLayer.exe

pid	process
468	iexplore.exe

pid	process
468	iexplore.exe

pid	process
468	iexplore.exe
468	iexplore.exe
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1096 wrote to memory of 1764	1096	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 1096 wrote to memory of 1764	1096	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 1096 wrote to memory of 1764	1096	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 1096 wrote to memory of 1764	1096	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 1764 wrote to memory of 1656	1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 1764 wrote to memory of 1656	1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 1764 wrote to memory of 1656	1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 1764 wrote to memory of 1656	1764	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 1656 wrote to memory of 468	1656	DesktopLayer.exe	iexplore.exe
PID 1656 wrote to memory of 468	1656	DesktopLayer.exe	iexplore.exe
PID 1656 wrote to memory of 468	1656	DesktopLayer.exe	iexplore.exe
PID 1656 wrote to memory of 468	1656	DesktopLayer.exe	iexplore.exe
PID 468 wrote to memory of 1056	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 1056	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 1056	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 1056	468	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe
"C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IJ8RUC9H.txt
MD5
abcbf6ccbcd4a7db71c11bd660291dd5

SHA1
9929c6c4a6e55358ee2a12d0ca59bb4c4f521ef6

SHA256
3dac0bf27ce11b10907a5a8204568b84ecefa1828d541d070ca9d5d941923e8b

SHA512
d27fc8adfa4cb81b05d174496f367550c487488671dd415575dda3f01390400af406de5721199b4d8afa8afea922a9f2d5c2ea04f4db2ffbbe6031bfabab455a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
memory/1096-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1656-64-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1656-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-66-0x0000000077CE0000-0x0000000077E60000-memory.dmp

Filesize
1.5MB

Download
memory/1764-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads