ramnit | b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f

General

Target

b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe
Size

7.7MB
MD5

58a1c4a869e803d4092b6293e1c8718d
SHA1

f4b9a3f1b009b0eeea40955707a85eeaae20b2c3
SHA256

b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f
SHA512

bd4010fd6171874065e0332e2d389b4133b49e316c91c67be4e72c9295f3518c027efedc7fbbbb2b3ba81123d03ac8f7a78815e830141aaa3683dd00804d9069
SSDEEP

196608:+QFNk63SELzcfabKmXniJ5jzRdP8V+vR0DMvsKE7:+QzlXfKvmXniJN23DwVE7

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
1572	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001230d-56.dat	upx
behavioral1/files/0x000900000001230d-58.dat	upx
behavioral1/files/0x000900000001230d-61.dat	upx
behavioral1/files/0x0009000000012319-62.dat	upx
behavioral1/memory/560-65-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0009000000012319-64.dat	upx
behavioral1/memory/1572-69-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe
1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe
1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe
560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9DD6.tmp	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 560	1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe	27
PID 1172 wrote to memory of 560	1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe	27
PID 1172 wrote to memory of 560	1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe	27
PID 1172 wrote to memory of 560	1172	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe	27
PID 560 wrote to memory of 1572	560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe	28
PID 560 wrote to memory of 1572	560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe	28
PID 560 wrote to memory of 1572	560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe	28
PID 560 wrote to memory of 1572	560	b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe	28

C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe
"C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
  C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\b83780c64e418156e994d4a442aa052a233333169d310735ed564c551e2d077fSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\nso9D89.tmp\ButtonLinker.dll

Filesize
7KB

MD5
dd85ac7d85c92dd0e3cc17dfd4890f54

SHA1
a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa

SHA256
27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504

SHA512
e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Download Submit
\Users\Admin\AppData\Local\Temp\nso9D89.tmp\System.dll

Filesize
67KB

MD5
8fef2ddc02a88527acf5f875aa79590a

SHA1
b3ebe53a0037789c155992eee0547de1a76712b9

SHA256
5b06944f0b948937d87a68d0d584f8de8f169298f5db95336f55696079e88d50

SHA512
7f231356313b7aa4882bfd205529d65022397c91a5aab3658d655524aa3bfe855432ac35cd455f8750530e1b9582e71c710abb94d610ff1ec3e13d5a193d19de

Download Submit
\Users\Admin\AppData\Local\Temp\nso9D89.tmp\System.dll

Filesize
67KB

MD5
8fef2ddc02a88527acf5f875aa79590a

SHA1
b3ebe53a0037789c155992eee0547de1a76712b9

SHA256
5b06944f0b948937d87a68d0d584f8de8f169298f5db95336f55696079e88d50

SHA512
7f231356313b7aa4882bfd205529d65022397c91a5aab3658d655524aa3bfe855432ac35cd455f8750530e1b9582e71c710abb94d610ff1ec3e13d5a193d19de

Download Submit
memory/560-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1172-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1172-68-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1172-70-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/1572-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing