ramnit | 64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d

General

Target

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe
Size

465KB
MD5

5e70d1a7802b5063eed5d6fed1989fac
SHA1

8bde6039ba52a525ed908f36b19ee14bcf81e642
SHA256

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d
SHA512

fb495fc449946cf979cb04e9fab726bd7cf98f857c9c09faadd66944bf031f465983b7e163b7203aae0d06ab3eac980c1124aea44d0ab1ff7ee4df2e17122175

Score

10^/10

ramnit banker collection spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exeDesktopLayer.exe

pid process

2172 64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
2304 DesktopLayer.exe

pid	process
2172	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
2304	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/2172-133-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/2304-136-0x0000000000400000-0x0000000000442000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe

Drops file in Program Files directory 3 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px3D83.tmp	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30946363"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30946363"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "680536967"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30946363"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "686474426"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353653113"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "680536967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{541D179C-A02E-11EC-B9A4-724718AA7C81} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe
2304	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2684 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2684 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2684 iexplore.exe
2684 iexplore.exe
3840 IEXPLORE.EXE
3840 IEXPLORE.EXE
3840 IEXPLORE.EXE
3840 IEXPLORE.EXE

pid	process
2684	iexplore.exe

pid	process
2684	iexplore.exe

pid	process
2684	iexplore.exe
2684	iexplore.exe
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 2016 wrote to memory of 2172	2016	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 2016 wrote to memory of 2172	2016	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 2016 wrote to memory of 2172	2016	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
PID 2172 wrote to memory of 2304	2172	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 2172 wrote to memory of 2304	2172	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 2172 wrote to memory of 2304	2172	64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe	DesktopLayer.exe
PID 2304 wrote to memory of 2684	2304	DesktopLayer.exe	iexplore.exe
PID 2304 wrote to memory of 2684	2304	DesktopLayer.exe	iexplore.exe
PID 2684 wrote to memory of 3840	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 3840	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 3840	2684	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe
"C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519d.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a6358390c67d49a9d6e454caf41c5905

SHA1
d5cdef9e72d601c9eb67aab7e2e8ec1a90b17d93

SHA256
77f18d3ffdbf0be368777e42b6c206cf84f0f0a4445dfa4308cb798ec1b09281

SHA512
8a5cea19cbb384147be989d30c02ec13793f5c0ab77ede76710a524dd2fc4c9488a0a0979ca16034da846175c71b7019e0f96ca91e2bb6e1c78c19fe2d3cffd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
54ed59238164f1ee9231590e70aba4cb

SHA1
1493509a132963b07e5c9722848f94381aa2abab

SHA256
15c06f74a19f3200e7ee314314c1c593bf892e41cdba68ea090724e20cea8980

SHA512
67c3d7d3099b8c1f4b0df583c2859a5c1f582160ce0385d311cebba0f4ad42d15ba017579351b87117687f335882568610a3c3e2ba4a24c2ec27d9b427fa404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\64e61504a3a8085ef0454000b85af56f5c299a3c1a3fcdb6a57d1dbc5609519dSrv.exe
MD5
5b97603af0fc8f1dd40fc69bd6ca89cf

SHA1
18d63dbde43a5bc700ae55b9a013c596021ccd13

SHA256
33d3f697332b0fc4e09540cb9dc622ac0675fb8b2733554d4c0199307774ab52

SHA512
2064f951456fe29693f2653c88d44c2e6644af1087abc0d0d87ee5b81aae4c68cb7b459672741fe2cf635feda7994695741ca066493d80b90c470289bacd8acd

Download Submit
memory/2172-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-135-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2304-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-137-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads