ramnit | 3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe
Size

296KB
MD5

07b3ca069b15aa568d4b9f2e5a7321c0
SHA1

cf15da437426e3ca1d33aab0d40e6d8cc37e95da
SHA256

3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270
SHA512

4ed2575879f8a5155fc4195abbeabfefd9492fc6c655143e065e7852188a1c0ac73eccac8f364931dfa38fca705a8b123505423f83fdc58605a77342f2b3fa93
SSDEEP

6144:h3Khq6OGHo5rdx0P4FcZZ+hSamXrODW8+:h3KhqEHo5rdyPyY+hSgW

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
3592	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe
1408	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000022e05-133.dat	upx
behavioral2/files/0x000b000000022e05-134.dat	upx
behavioral2/files/0x000c000000022e06-136.dat	upx
behavioral2/files/0x000c000000022e06-137.dat	upx
behavioral2/memory/3592-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1408-141-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9F71.tmp	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "568684163"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988158"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3D914F03-4371-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988158"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371603906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "376027353"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "376027353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988158"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe
1408	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
8	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe
684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe
684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe
8	iexplore.exe
8	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3592	684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe	82
PID 684 wrote to memory of 3592	684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe	82
PID 684 wrote to memory of 3592	684	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe	82
PID 3592 wrote to memory of 1408	3592	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe	83
PID 3592 wrote to memory of 1408	3592	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe	83
PID 3592 wrote to memory of 1408	3592	3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe	83
PID 1408 wrote to memory of 8	1408	DesktopLayer.exe	84
PID 1408 wrote to memory of 8	1408	DesktopLayer.exe	84
PID 8 wrote to memory of 2084	8	iexplore.exe	85
PID 8 wrote to memory of 2084	8	iexplore.exe	85
PID 8 wrote to memory of 2084	8	iexplore.exe	85

C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe
"C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe
  C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
046bedf3b97e782edc5343dc24a1c485

SHA1
ebad04906d01fdb00719463e729f201a043433ae

SHA256
4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

SHA512
18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
369ec546afe47739a78229da6ecd34dd

SHA1
d723a4b89be299aac5f5bc9ad61e3b8c45a6092e

SHA256
91c9f9882a6d7f30d839514cc7a286750949fa7062e6bf7605f82af3392f1d33

SHA512
5eb0c69270c439bc90a03db38a4bda670d130336e54f1ae94fc6bf4415bf693707484d90125c5d83e5d1feed60c72f01f573551a40119452b35c8c7ea43fbbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3af616f463d7cf5e1468aa4cee6a348de5cefc9b26de0dde3b5f08e2efb98270Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/684-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/684-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/684-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1408-142-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download
memory/1408-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3592-140-0x0000000000580000-0x000000000058F000-memory.dmp

Filesize
60KB

Download
memory/3592-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download