ramnit | 174d303881482e038c04f95484d15088eb4160cf5bd3f21aba0c12c9b50a3637

General

Target

174d303881482e038c04f95484d15088eb4160cf5bd3f21aba0c12c9b50a3637.dll
Size

634KB
MD5

54c458c60d0d147b01354bbd497bdf90
SHA1

3cb11814ce54e4d63a7edd018e8d8da43103c224
SHA256

174d303881482e038c04f95484d15088eb4160cf5bd3f21aba0c12c9b50a3637
SHA512

3598a962a7ad35014e5d495327f25301facf1df3033dab9aa007c752125ae55626fea8de496285e1ee8a9b41fa0b23b727cfd483f94bddb81a03b175fc4553a0
SSDEEP

6144:Y0pzrbBgbYYiu6mlQaMgovZuI57y3pkAEHe9drzZe/gVQmOu8pUk+mUHtQ2mUfzi:Y0dBErvg5vapzrlUgCPpUk+urEzdjwN/

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

1496 regsvr32mgr.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32mgr.exe

pid process

1484 regsvr32.exe
1484 regsvr32.exe
1496 regsvr32mgr.exe
1496 regsvr32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

936 1496 WerFault.exe regsvr32mgr.exe

pid	process
1496	regsvr32mgr.exe

pid	process
1484	regsvr32.exe
1484	regsvr32.exe
1496	regsvr32mgr.exe
1496	regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

pid	pid_target	process	target process
936	1496	WerFault.exe	regsvr32mgr.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DA6ABC4-BDCD-4317-B650-262075B93A9C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F6CB6A20-CC18-4424-AE57-6F2AA3DC2059}\ = "IEnvelopedData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB166CF6-2AE6-44DA-BD96-0C1635D183FE}\ = "IUtilities"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Signer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41DD35A8-9FF9-45A6-9A7C-F65B2F085D1F}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22A85CE1-F011-4231-B9E4-7E7A0438F71B}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E61E52-0E57-4456-A2F2-517492BCBF8F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB769053-6D38-49D4-86EF-5FA85ED3AF27}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA55E8FC-8E27-451B-AEA8-1470D80FAD42}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72BF9ADA-6817-4C31-B43E-25F7C7B091F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DA6ABC4-BDCD-4317-B650-262075B93A9C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED4E4ED4-FDD8-476E-AED9-5239E7948257}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBAB033B-CDD0-4C5E-81AB-AEA575CD1338}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA55E8FC-8E27-451B-AEA8-1470D80FAD42}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA55E8FC-8E27-451B-AEA8-1470D80FAD42}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A0780F8-9E6B-4BB0-BF54-87CD9627A8B4}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8973710C-8411-4951-9E65-D45FD524FFDF}\ = "IPolicyInformation"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E298C47-ABA6-459E-851B-993D6C626EAD}\ = "IBasicConstraints"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3604C9DD-A22E-4A15-A469-8181C0C113DE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8973710C-8411-4951-9E65-D45FD524FFDF}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC7A72A7-C83A-4049-85F4-4292DE9DBFD3}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51017B88-1913-49AD-82BE-6BB7C417DCF2}\ = "ISigner"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F6CB6A20-CC18-4424-AE57-6F2AA3DC2059}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72BF9ADA-6817-4C31-B43E-25F7C7B091F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24104F5-46D0-4C0F-926D-665565908E91}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47C87CEC-8C4B-4E3C-8D22-34280274EFD1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A0780F8-9E6B-4BB0-BF54-87CD9627A8B4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7EA907-5810-4FCA-B817-CD0BBA8496FC}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.ExtendedProperty	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.ExtendedProperty\CLSID\ = "{9E7EA907-5810-4FCA-B817-CD0BBA8496FC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7EA907-5810-4FCA-B817-CD0BBA8496FC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47C87CEC-8C4B-4E3C-8D22-34280274EFD1}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BBA0B86-766C-4755-A443-243FF2BD8D29}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F7F23E8-06F4-42E8-B965-5CBD044BF27F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Settings	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3A12E08-EDE9-4160-8B51-334D982A9AD0}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.OID\CurVer\ = "CAPICOM.OID.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Utilities\CurVer\ = "CAPICOM.Utilities.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24104F5-46D0-4C0F-926D-665565908E91}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3D460F2-E7F3-4AF3-8EC6-8EB68C61C567}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Store\CLSID\ = "{78E61E52-0E57-4456-A2F2-517492BCBF8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.SignedCode.1\ = "SignedCode Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41DD35A8-9FF9-45A6-9A7C-F65B2F085D1F}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E61E52-0E57-4456-A2F2-517492BCBF8F}\ProgID\ = "CAPICOM.Store.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{659DEDC3-6C85-42DB-8527-EFCB21742862}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84FBCB95-5600-404C-9187-AC25B4CD6E94}\ = "ISignedCode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.PrivateKey\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.SignedData\ = "SignedData Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.OID.1\CLSID\ = "{7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD26B198-EE42-4725-9B23-AFA912434229}\2.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E298C47-ABA6-459E-851B-993D6C626EAD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB769053-6D38-49D4-86EF-5FA85ED3AF27}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA55E8FC-8E27-451B-AEA8-1470D80FAD42}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE2C051D-33A1-4157-86B4-9280E29782F2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Signer\CLSID\ = "{60A9863A-11FD-4080-850E-A8E184FC3A3C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3604C9DD-A22E-4A15-A469-8181C0C113DE}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7EA907-5810-4FCA-B817-CD0BBA8496FC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CAPICOM.Utilities.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{976B7E6D-1002-4051-BFD4-824A74BD74E2}\ = "IEKU"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B57C04B-1786-4B30-A7B6-36235CD58A14}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA65D842-2110-4073-AEE3-D0AA5F56C421}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E38FD381-6404-4041-B5E9-B2739258941F}\TypeLib\ = "{BD26B198-EE42-4725-9B23-AFA912434229}"	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1876 wrote to memory of 1484	1876	regsvr32.exe	regsvr32.exe
PID 1484 wrote to memory of 1496	1484	regsvr32.exe	regsvr32mgr.exe
PID 1484 wrote to memory of 1496	1484	regsvr32.exe	regsvr32mgr.exe
PID 1484 wrote to memory of 1496	1484	regsvr32.exe	regsvr32mgr.exe
PID 1484 wrote to memory of 1496	1484	regsvr32.exe	regsvr32mgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\174d303881482e038c04f95484d15088eb4160cf5bd3f21aba0c12c9b50a3637.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\174d303881482e038c04f95484d15088eb4160cf5bd3f21aba0c12c9b50a3637.dll
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 164
4⤵
- Program crash
PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
175KB

MD5
7f077af519dccbe9d89ae8c5e02e8a20

SHA1
bcee09a12ffb2c1f29f47d99755b1068121250e3

SHA256
9abd3761ca59a14e479dd7cc16acae67dcc81b145f5400785d9a8d11c5182fa0

SHA512
61a5f453bf27372e7984c564c1f7e9b43e60e2246a615a2c7bcc4e46120fe94bdcd6965cb3c8c2510cc8da4a8d0afa46d038be000fdad6568669f5bb623b1e0d

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
175KB

MD5
7f077af519dccbe9d89ae8c5e02e8a20

SHA1
bcee09a12ffb2c1f29f47d99755b1068121250e3

SHA256
9abd3761ca59a14e479dd7cc16acae67dcc81b145f5400785d9a8d11c5182fa0

SHA512
61a5f453bf27372e7984c564c1f7e9b43e60e2246a615a2c7bcc4e46120fe94bdcd6965cb3c8c2510cc8da4a8d0afa46d038be000fdad6568669f5bb623b1e0d

Download Submit
\Users\Admin\AppData\Local\Temp\~TM9703.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM9733.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
175KB

MD5
7f077af519dccbe9d89ae8c5e02e8a20

SHA1
bcee09a12ffb2c1f29f47d99755b1068121250e3

SHA256
9abd3761ca59a14e479dd7cc16acae67dcc81b145f5400785d9a8d11c5182fa0

SHA512
61a5f453bf27372e7984c564c1f7e9b43e60e2246a615a2c7bcc4e46120fe94bdcd6965cb3c8c2510cc8da4a8d0afa46d038be000fdad6568669f5bb623b1e0d

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
175KB

MD5
7f077af519dccbe9d89ae8c5e02e8a20

SHA1
bcee09a12ffb2c1f29f47d99755b1068121250e3

SHA256
9abd3761ca59a14e479dd7cc16acae67dcc81b145f5400785d9a8d11c5182fa0

SHA512
61a5f453bf27372e7984c564c1f7e9b43e60e2246a615a2c7bcc4e46120fe94bdcd6965cb3c8c2510cc8da4a8d0afa46d038be000fdad6568669f5bb623b1e0d

Download Submit
memory/1484-57-0x0000000000970000-0x0000000000A13000-memory.dmp

Filesize
652KB

Download
memory/1484-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1484-55-0x0000000000000000-mapping.dmp

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1496-66-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1496-67-0x00000000772A0000-0x0000000077420000-memory.dmp

Filesize
1.5MB

Download
memory/1876-54-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads