ramnit | 1281f7fffd63f60b1f87c13d81d0af5f8a4133005e9a319a21478f71be9d8b20

Analysis

max time kernel
130s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 17:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1281f7fffd63f60b1f87c13d81d0af5f8a4133005e9a319a21478f71be9d8b20.dll
Size

817KB
MD5

8300cb5608b418931cb8b815761b824f
SHA1

7f9e29a3033bc8482fe50671e143275cf48c7b5a
SHA256

1281f7fffd63f60b1f87c13d81d0af5f8a4133005e9a319a21478f71be9d8b20
SHA512

5b0ab8fd3b73b3086564843d7ec5e55a956a058c8c1df076aba79ec823a8120b8d26f9513cdc3f55122375c40cb85e69ae47e1b55d0a854831512480ac967b41
SSDEEP

24576:mbEPDddPu015nWvNvBrvZtPD8VXMeBAGb:eqDddPV1+5bPb8tMk

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
936	rundll32mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/936-62-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/936-64-0x0000000000400000-0x0000000000496000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1692	rundll32.exe
1692	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373979293"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3977661-590B-11ED-BDAB-FE41811C61F5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
560	iexplore.exe
560	iexplore.exe
560	iexplore.exe
560	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
560	iexplore.exe
560	iexplore.exe
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
560	iexplore.exe
560	iexplore.exe
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
560	iexplore.exe
560	iexplore.exe
560	iexplore.exe
560	iexplore.exe
976	IEXPLORE.EXE
976	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1900 wrote to memory of 1692	1900	rundll32.exe	27
PID 1692 wrote to memory of 936	1692	rundll32.exe	28
PID 1692 wrote to memory of 936	1692	rundll32.exe	28
PID 1692 wrote to memory of 936	1692	rundll32.exe	28
PID 1692 wrote to memory of 936	1692	rundll32.exe	28
PID 936 wrote to memory of 560	936	rundll32mgr.exe	29
PID 936 wrote to memory of 560	936	rundll32mgr.exe	29
PID 936 wrote to memory of 560	936	rundll32mgr.exe	29
PID 936 wrote to memory of 560	936	rundll32mgr.exe	29
PID 560 wrote to memory of 1968	560	iexplore.exe	31
PID 560 wrote to memory of 1968	560	iexplore.exe	31
PID 560 wrote to memory of 1968	560	iexplore.exe	31
PID 560 wrote to memory of 1968	560	iexplore.exe	31
PID 936 wrote to memory of 1080	936	rundll32mgr.exe	32
PID 936 wrote to memory of 1080	936	rundll32mgr.exe	32
PID 936 wrote to memory of 1080	936	rundll32mgr.exe	32
PID 936 wrote to memory of 1080	936	rundll32mgr.exe	32
PID 560 wrote to memory of 1372	560	iexplore.exe	33
PID 560 wrote to memory of 1372	560	iexplore.exe	33
PID 560 wrote to memory of 1372	560	iexplore.exe	33
PID 560 wrote to memory of 1372	560	iexplore.exe	33
PID 936 wrote to memory of 1132	936	rundll32mgr.exe	35
PID 936 wrote to memory of 1132	936	rundll32mgr.exe	35
PID 936 wrote to memory of 1132	936	rundll32mgr.exe	35
PID 936 wrote to memory of 1132	936	rundll32mgr.exe	35
PID 936 wrote to memory of 964	936	rundll32mgr.exe	36
PID 936 wrote to memory of 964	936	rundll32mgr.exe	36
PID 936 wrote to memory of 964	936	rundll32mgr.exe	36
PID 936 wrote to memory of 964	936	rundll32mgr.exe	36
PID 560 wrote to memory of 976	560	iexplore.exe	37
PID 560 wrote to memory of 976	560	iexplore.exe	37
PID 560 wrote to memory of 976	560	iexplore.exe	37
PID 560 wrote to memory of 976	560	iexplore.exe	37
PID 560 wrote to memory of 1020	560	iexplore.exe	38
PID 560 wrote to memory of 1020	560	iexplore.exe	38
PID 560 wrote to memory of 1020	560	iexplore.exe	38
PID 560 wrote to memory of 1020	560	iexplore.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1281f7fffd63f60b1f87c13d81d0af5f8a4133005e9a319a21478f71be9d8b20.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1281f7fffd63f60b1f87c13d81d0af5f8a4133005e9a319a21478f71be9d8b20.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1968
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275470 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1372
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275488 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:976
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:3748875 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1132
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XID1P7AH.txt

Filesize
603B

MD5
5947d7f3528d39338cbe221eb190fe11

SHA1
28402588326db60853af961bc63c6f6c4f9a39dd

SHA256
2559ddb2562701a7e5a4d78aeb919a1ce08815fb633d99c35777fe14673a4f8d

SHA512
1f0e8643ccdb68460245cf57087c4bca5a6e01bc5c1ee784ca394a1b7725ee869fa10666adb473c87993c5801ce10e22d0276e4f42f8ce09bc5121be6da0789b

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
memory/936-61-0x0000000002000000-0x00000000020F0000-memory.dmp

Filesize
960KB

Download
memory/936-62-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/936-64-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1692-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download