ramnit | 9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 10:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll
Size

1.3MB
MD5

1ebcc343bd2d2e1f47ac0fed7ec850b5
SHA1

9cd66157339ee7e267df2c6de9a37905b0bf22b5
SHA256

9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26
SHA512

04946480d63ddb58dc866860b98565702bf829c13e9acf8b0e69c724cf6198f7f5e3f07e66977416d3a5e401e989b6d4cce234a5a3ecf81e14c19c2c2d079471
SSDEEP

12288:jSfXvPnSkeJr2F21G0ukd/W8YmU/fI60KbKIkWTVurjUc0u99ARk1FM83pm0OyPW:uPvP8T2onlOYHc4v2ayVpSC

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2036	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001331d-56.dat	upx
behavioral1/files/0x000a00000001331d-57.dat	upx
behavioral1/files/0x000a00000001331d-59.dat	upx
behavioral1/memory/2036-63-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1060	rundll32.exe
1060	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	1060	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF295B31-6990-11ED-BB11-F263091D6DCE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375795655"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF27AD81-6990-11ED-BB11-F263091D6DCE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
744	iexplore.exe
780	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
780	iexplore.exe
744	iexplore.exe
780	iexplore.exe
744	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 940 wrote to memory of 1060	940	rundll32.exe	28
PID 1060 wrote to memory of 2036	1060	rundll32.exe	29
PID 1060 wrote to memory of 2036	1060	rundll32.exe	29
PID 1060 wrote to memory of 2036	1060	rundll32.exe	29
PID 1060 wrote to memory of 2036	1060	rundll32.exe	29
PID 1060 wrote to memory of 2004	1060	rundll32.exe	30
PID 1060 wrote to memory of 2004	1060	rundll32.exe	30
PID 1060 wrote to memory of 2004	1060	rundll32.exe	30
PID 1060 wrote to memory of 2004	1060	rundll32.exe	30
PID 2036 wrote to memory of 780	2036	rundll32mgr.exe	31
PID 2036 wrote to memory of 780	2036	rundll32mgr.exe	31
PID 2036 wrote to memory of 780	2036	rundll32mgr.exe	31
PID 2036 wrote to memory of 780	2036	rundll32mgr.exe	31
PID 2036 wrote to memory of 744	2036	rundll32mgr.exe	32
PID 2036 wrote to memory of 744	2036	rundll32mgr.exe	32
PID 2036 wrote to memory of 744	2036	rundll32mgr.exe	32
PID 2036 wrote to memory of 744	2036	rundll32mgr.exe	32
PID 744 wrote to memory of 1820	744	iexplore.exe	34
PID 744 wrote to memory of 1820	744	iexplore.exe	34
PID 744 wrote to memory of 1820	744	iexplore.exe	34
PID 744 wrote to memory of 1820	744	iexplore.exe	34
PID 780 wrote to memory of 1920	780	iexplore.exe	35
PID 780 wrote to memory of 1920	780	iexplore.exe	35
PID 780 wrote to memory of 1920	780	iexplore.exe	35
PID 780 wrote to memory of 1920	780	iexplore.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 232
    3⤵
    - Program crash
    PID:2004

Network

DNS

api.bing.com

iexplore.exe

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

afd.e-0001.e-dc-msedge.net

afd.e-0001.e-dc-msedge.net

IN CNAME

e-0001.fbs1-e-msedge.net

e-0001.fbs1-e-msedge.net

IN A

13.107.46.80

204.79.197.200:443

ieonline.microsoft.com

iexplore.exe

152 B
3
204.79.197.200:443

ieonline.microsoft.com

iexplore.exe

152 B
3

8.8.8.8:53

api.bing.com

dns

iexplore.exe

58 B
192 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.46.80

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF27AD81-6990-11ED-BB11-F263091D6DCE}.dat

Filesize
3KB

MD5
b32fb656422ed9b176092e2087ad6344

SHA1
5304e2e6535f8688e4890de0fb1733791d535af5

SHA256
e6ae5bced3cfafa833d4af85ba9a5eff52bba3ec9042d790935ea680c30e00ef

SHA512
b4ccbd1bc9251bef9f99a70cf4d1987916b3833638d0af9c2cde7d906cfbd56c3c59923ce460834eb298205eb9a4f5a04bab7e5ee3e0f67c0b28ee7c0ef9f7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF295B31-6990-11ED-BB11-F263091D6DCE}.dat

Filesize
5KB

MD5
6e160d701fc2e49641fc5f8a19411893

SHA1
4ddf309f38e4ced23c27bb2a31a0a67fcef77e3c

SHA256
d74a62fdb194e6660b9321a1f68a29e25efcb2147aae5fe8bb363b600456dcfd

SHA512
95633433e87080b88bf0b9cff9f02e90e5a67e86f4b60b85b6801b1ebe7c5da9a5e4ce8a69861f6040c67b992ae4d490f4c077ab16c80b0d6060de0707484de3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAJ6UQ9Z.txt

Filesize
601B

MD5
a49e7d4ee647a5b1f88806b24256e1b6

SHA1
439abe73ddb1c6c3659f2cdb69b298b1b90b4b43

SHA256
d8387bc3e92b3c600c3331872d73762da29d1036259d89676ecf66d792a7f002

SHA512
c9612d178f43caa2dacb3b65e198c831466c6b1a090ef037af2cf9cd4ab205396d72092a495147b5915933943eba1d2edad51b9ec149a7d1fa192fddd924fdef

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
memory/1060-55-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1060-61-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download
memory/1060-62-0x00000000006A0000-0x0000000000703000-memory.dmp

Filesize
396KB

Download
memory/2036-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2036-66-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download