ramnit | 5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 20:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe
Size

88KB
MD5

419c0ddf617416ca9c3988fb24429880
SHA1

3be5001244fb683a7223eb0fb9b746a43e221bae
SHA256

5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24
SHA512

837925060852a21d1fd3a2a525bd2accbb981124f97dc728ec7be1fde3210bf76155fc6e3589f985403dce982d56baab787f2577575cbc1d7e6a4b40cbf0e87c
SSDEEP

1536:gJjkBBW8uspOTjYIZ53IE2CchsSNGuk/QhKKIRaTLaShZV36:glkBBxuoOTjYIEEisSiAKrAvhX

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
976	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe
2200	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022dd6-133.dat	upx
behavioral2/files/0x0003000000022dd6-134.dat	upx
behavioral2/files/0x0004000000022de7-136.dat	upx
behavioral2/files/0x0004000000022de7-138.dat	upx
behavioral2/memory/976-137-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2200-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBB36.tmp	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "475409936"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987930"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371505983"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987930"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "486973332"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "475409936"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47D0052B-428D-11ED-A0EE-DE60447A8195} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987930"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe
2200	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3932	iexplore.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1660	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3932	iexplore.exe
3932	iexplore.exe
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 976	1660	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe	83
PID 1660 wrote to memory of 976	1660	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe	83
PID 1660 wrote to memory of 976	1660	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe	83
PID 976 wrote to memory of 2200	976	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe	84
PID 976 wrote to memory of 2200	976	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe	84
PID 976 wrote to memory of 2200	976	5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe	84
PID 2200 wrote to memory of 3932	2200	DesktopLayer.exe	85
PID 2200 wrote to memory of 3932	2200	DesktopLayer.exe	85
PID 3932 wrote to memory of 4676	3932	iexplore.exe	86
PID 3932 wrote to memory of 4676	3932	iexplore.exe	86
PID 3932 wrote to memory of 4676	3932	iexplore.exe	86

C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe
"C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe
  C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fd70739fca5345a28f924f9102ae10ee

SHA1
6ce3f92183544f3bf52cb76364591589cb940a19

SHA256
f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7

SHA512
a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
5b7c786778becd0e23bf87bed3e64c37

SHA1
a2f23ab6d2eac1e4835f21957c6363b4324a02b2

SHA256
b16e5328e7840fbbfa9d320a80e8bc493ca21fefc0a1feb6d169092c7efda508

SHA512
21f0408eae6dc721e526a8066500826d3c30cf377619b9616d0fb3b7e5dede869c8a9e66d834880ca4af5af46e1cf3289642bee13743dfa68428fe2952d8a56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c70008c8e65eeccbcd797732c85c723e9460cdb6b83908cc2c15787f2f1da24Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/976-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1660-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2200-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download