ramnit | dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae

General

Target

dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae.dll
Size

208KB
MD5

441d8a1ea39645f6e91883627a84e3c0
SHA1

a10b024b27f8ab2c1826db8dc2f52c1e3654b040
SHA256

dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae
SHA512

23212ec749f5e5f68399d7846c288ffe23d9fd7d39813edd9db83ec4a5b2e59ef39138588aa56c1de1d6bf9e3c01d3f0e98fd208cb7cae9ed854731be2bd01b8
SSDEEP

3072:uvHDrpT7s0rsQQuYVqsxPj2UhbyQfQ5KoldqHbDTmcLRkA:qHDra0rTQswPjvFDfPoldqHbNB

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

1328 regsvr32mgr.exe

pid	process
1328	regsvr32mgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1328-137-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

regsvr32mgr.exe

pid process

1328 regsvr32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1284 1328 WerFault.exe regsvr32mgr.exe

pid	process
1328	regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

pid	pid_target	process	target process
1284	1328	WerFault.exe	regsvr32mgr.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\ = "ISettings"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ = "IMCCS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ = "IEDID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\ = "IOverlay"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ = "ITVParam"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ = "IDisplayConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\ = "IScheme"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\NumMethods\ = "10"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\ = "IOpenGL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\NumMethods\ = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\NumMethods\ = "11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ = "IRotation"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 208 wrote to memory of 4724	208	regsvr32.exe	regsvr32.exe
PID 208 wrote to memory of 4724	208	regsvr32.exe	regsvr32.exe
PID 208 wrote to memory of 4724	208	regsvr32.exe	regsvr32.exe
PID 4724 wrote to memory of 1328	4724	regsvr32.exe	regsvr32mgr.exe
PID 4724 wrote to memory of 1328	4724	regsvr32.exe	regsvr32mgr.exe
PID 4724 wrote to memory of 1328	4724	regsvr32.exe	regsvr32mgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\dffb3f5725f3cc1322766b53b4fda64c830c7745e395a8b71926f9736fd877ae.dll
2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 468
4⤵
- Program crash
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1328 -ip 1328
1⤵
PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM10C9.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
144KB

MD5
609c9eadac4c1cc48b5f89be6c36e276

SHA1
f047b565fdb73d5b75ffaed7b2faa335e82b3514

SHA256
e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325

SHA512
246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
144KB

MD5
609c9eadac4c1cc48b5f89be6c36e276

SHA1
f047b565fdb73d5b75ffaed7b2faa335e82b3514

SHA256
e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325

SHA512
246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5

Download Submit
memory/1328-133-0x0000000000000000-mapping.dmp

Download
memory/1328-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1328-138-0x00000000021B0000-0x0000000002201000-memory.dmp

Filesize
324KB

Download
memory/1328-140-0x0000000077600000-0x00000000777A3000-memory.dmp

Filesize
1.6MB

Download
memory/4724-132-0x0000000000000000-mapping.dmp

Download
memory/4724-136-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads