ramnit | 139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab

General

Target

139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll
Size

175KB
MD5

6da623293e4972585d1395adc5dc4b0d
SHA1

de4e53f8bef0577e0d9b074bb85818e98dce4792
SHA256

139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab
SHA512

f984134fe6a4a205d454f529deeefd5c80283cd43c283188660cb115988c41ca62e29b4e9a1be1aee63e80675006c95d78a85a1a727415f56e3979514a8ca7b4

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

rundll32Srv.exeDesktopLayer.exe

pid process

1528 rundll32Srv.exe
1376 DesktopLayer.exe

pid	process
1528	rundll32Srv.exe
1376	DesktopLayer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1376-68-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1528-64-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32Srv.exe

pid process

912 rundll32.exe
1528 rundll32Srv.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe

pid	process
912	rundll32.exe
1528	rundll32Srv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxC8BC.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1308 912 WerFault.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

1376 DesktopLayer.exe
1376 DesktopLayer.exe
1376 DesktopLayer.exe
1376 DesktopLayer.exe

pid	pid_target	process
1308	912	WerFault.exe

pid	process
1376	DesktopLayer.exe
1376	DesktopLayer.exe
1376	DesktopLayer.exe
1376	DesktopLayer.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exe

description	pid	process	target process
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 912	1668	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1528	912	rundll32.exe	rundll32Srv.exe
PID 912 wrote to memory of 1528	912	rundll32.exe	rundll32Srv.exe
PID 912 wrote to memory of 1528	912	rundll32.exe	rundll32Srv.exe
PID 912 wrote to memory of 1528	912	rundll32.exe	rundll32Srv.exe
PID 912 wrote to memory of 1308	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1308	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1308	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1308	912	rundll32.exe	WerFault.exe
PID 1528 wrote to memory of 1376	1528	rundll32Srv.exe	DesktopLayer.exe
PID 1528 wrote to memory of 1376	1528	rundll32Srv.exe	DesktopLayer.exe
PID 1528 wrote to memory of 1376	1528	rundll32Srv.exe	DesktopLayer.exe
PID 1528 wrote to memory of 1376	1528	rundll32Srv.exe	DesktopLayer.exe
PID 1376 wrote to memory of 1112	1376	DesktopLayer.exe	iexplore.exe
PID 1376 wrote to memory of 1112	1376	DesktopLayer.exe	iexplore.exe
PID 1376 wrote to memory of 1112	1376	DesktopLayer.exe	iexplore.exe
PID 1376 wrote to memory of 1112	1376	DesktopLayer.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:1112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 228
1⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1528

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
8KB

MD5
fe2677dd75c9cfa24efed67ffa2d77a1

SHA1
728ccbeecb6e64807d31d9bad152d5f814e50295

SHA256
06355b7d8b37042826bc12d1b0abf2722b9fce19d70920765f2019ffe487d347

SHA512
0b6c4870d3115b5fae2d8ee8a5e1bfb390ad896c5ee74d4fc07a9189582ab8186c6b9950a35622c3de5135048eb3d15fb3f74ca80a787f37bfbe47767de34fdd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
1KB

MD5
3def49b0d3a607cf44bf442d7966131d

SHA1
6951aa21b9b18c45d62d4221a01b1a47b4de2fbb

SHA256
21a5cbb39b634d744a7bb8f8283875f8ce64118d4775c2412ce2d8b3c7fffaf6

SHA512
52535996c8f997ce11e8aa7fa4824ab8488678c97be1285e3e66248bb071a427d1191984aff5ba3a36de6101748a99075fdcc5cb4474afa2920325540dc9dac2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
Filesize
25KB

MD5
06a2a39a8897763483a40dd0f987044d

SHA1
6e6fd5a242796223fcebec0551e30b57813ca7e6

SHA256
935c08891ddd7d9a43b5ba06a9cb73984df5cf8a07165cc8b2855d3350ca30dd

SHA512
a26a2ff2f38db308afd4ad79497f508445cbe6c58555ddf423cddb69b24839e398f445e967903c1f0e7c8fa2d78cb92343092e9bf10092d29c642d9c90966f93

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
Filesize
24KB

MD5
47e8c635c2fae83546163b264eb9c813

SHA1
f2334ddcfc48f5006cf30612be7cb78b7d083f6a

SHA256
78bb6f534b49830e43c347f73c88a6af77e65d801fe64186ada103d06d0bbc00

SHA512
00ee7941959b911b0f626da48a162ac9a3cfc1c78e65f00e4b0fcdf1edcf4891caef5be6f5bc72bce6925c1d6b26058fa772706c0b6e0736ab62e37adf26359e

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
10KB

MD5
4d89720108b173f0075224ed2aa61769

SHA1
d76b45a6c4d1f806f51a7b1e00c2db33126006d9

SHA256
1117682cd5162bf8eade7116f58d6d0a624c5a149bab927f14e60a8c89c95686

SHA512
7465907ad9cc657d220dc71e28e539bf04ab4ef28826d7690a4b1d5d1d97914740faa3869a02c914870b1f226ec562315f626d75da356e8b94de9cbd9907585d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe
Filesize
27KB

MD5
522c49ad1ef9428d011cce88f07ff89a

SHA1
97ad4e1ecec13fb497a955c11be7b6a141768eb5

SHA256
2d48dbcd3daca4b0397ed160b05de1f9cc031722c340d02042d01b9ed297599f

SHA512
15db7a6b63827e1e0b7846b68ac791d96200c95b9640af55202e93c619510476c91ca7d2db9983dfb5df57f6d374c2e599fd337bab2bf4d175b6594690943597

Download Submit
memory/912-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/912-54-0x0000000000000000-mapping.dmp

Download
memory/912-69-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/912-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1308-61-0x0000000000000000-mapping.dmp

Download
memory/1376-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1376-63-0x0000000000000000-mapping.dmp

Download
memory/1528-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1528-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads