ramnit | a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84

General

Target

a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
Size

109KB
MD5

5136003f12ee4676b47c4c902c495200
SHA1

7f596e40832b6855ec156ae2170529700d8dcdb2
SHA256

a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84
SHA512

6f4f2fd0b4ec5ab927257cdfad1f50d0c5652a229e1a7bf14c11cc49e1025f982324e75003543fd9ce8b27da3da71478ac89ec2a9971e2c5f220442584a45b01
SSDEEP

1536:sLOC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9Tf8:YwV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/784-54-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/784-57-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375997497"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF53CA01-6B66-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF559EC1-6B66-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe

pid	process
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe

description pid process

Token: SeDebugPrivilege 784 a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2028 iexplore.exe
1428 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe

pid	process
2028	iexplore.exe
1428	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1428	iexplore.exe
1428	iexplore.exe
2028	iexplore.exe
2028	iexplore.exe
1980	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 784 wrote to memory of 2028	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 2028	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 2028	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 2028	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 1428	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 1428	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 1428	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 784 wrote to memory of 1428	784	a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe	iexplore.exe
PID 1428 wrote to memory of 1204	1428	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1980	2028	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 1204	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 1204	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 1204	1428	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1980	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1980	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1980	2028	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe
"C:\Users\Admin\AppData\Local\Temp\a0e7a684f59ea105af6052414ce26b37e539eb015197f877e03ca311a2fd9e84.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF53CA01-6B66-11ED-9C90-C6457FCBF3CF}.dat

Filesize
3KB

MD5
875597859dabe6e748a32d133b9238e7

SHA1
9c3a403e9c32ede3640aedc742d4c80ccaf90b0a

SHA256
7da0e639a285ed3f753643413fefc00d06acf24e7927fd9ae58a30fbd1145f9a

SHA512
9bed7dc86186167de8e03421ae661d566f2ecdcbd6d2345e444e90c04a41fb9feb420a75cf2da20c8e4bfc0277d012665bd6bbda73ab466d1442b4d26b77ec69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF559EC1-6B66-11ED-9C90-C6457FCBF3CF}.dat

Filesize
4KB

MD5
97538ab1d2735331d2ed1d44970ff40d

SHA1
26dcda8eba087cda6984f8aab2d29632e8668a9e

SHA256
fd684c7a93356ad553915b138242144f8ff27fa1c2c0759a107f08efabb4fa0c

SHA512
5f8140ca172c969ebea768ffca666b29a37d87d178ca3e30c8b74b25eec5f026c4367c5485025c6c8683cca09e1520b4451679e1e0e07335c642358e8257a30a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\837HIC8K.txt

Filesize
600B

MD5
b68c33a9b2082a191edafb9efa8686de

SHA1
5a9c0a5aed78849476dd3592709894388eb07d27

SHA256
5f3d301c970f849d10ecc406f4a4b85658413e1875bc65f0f5f61b59b069a786

SHA512
edb7f6b4a9229d8fa14a6c43d79edaf591eaef30e7d5e31d8f9038d3f0eba17ed2cdda3f1af711edc63f680d24d6b07a823f34ea97e39119b0a55f60f88169d1

Download Submit
memory/784-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/784-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads