ramnit | 1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb

Analysis

max time kernel
162s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
Size

135KB
MD5

0f97e3eb5d8f3ff7433ee79f473938b7
SHA1

a092ae9baca1cb1d857f338b6b0bf5d5aede249a
SHA256

1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb
SHA512

aa240e52b849488f1494ea038ad1cd9f7d78c2c5656d2a090ac0547a55da3cab0999be21fa14aab0a661661f91ca6139d830b4fa82e4fbe5948dd6c7877d2bb0
SSDEEP

3072:CWT3yCfxZfucU3s+q8g53z4JZPKL5K0Ub2nl:CWzyWTGN3sI+3zKP8rl

Score

10^/10

ramnit runningrat banker persistence rat spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

RunningRat payload 1 IoCs

resource	yara_rule
behavioral2/memory/4292-132-0x0000000000400000-0x0000000000426000-memory.dmp	family_runningrat

Executes dropped EXE 3 IoCs

pid	Process
3304	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe
640	DesktopLayer.exe
872	SRDSL.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRDSL\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240591468.dll"	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e50-134.dat	upx
behavioral2/memory/3304-135-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0009000000022e50-136.dat	upx
behavioral2/files/0x000d000000022e55-138.dat	upx
behavioral2/memory/3304-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000d000000022e55-140.dat	upx
behavioral2/memory/640-141-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
8	svchost.exe
872	SRDSL.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SRDSL.exe	svchost.exe
File created	C:\Windows\SysWOW64\SRDSL.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px2172.tmp	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "721261361"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "721261361"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{50569CCC-6F11-11ED-BF5F-DE991C57DA8F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999326"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999326"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376400596"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
640	DesktopLayer.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3852	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
3852	iexplore.exe
3852	iexplore.exe
4156	IEXPLORE.EXE
4156	IEXPLORE.EXE
4156	IEXPLORE.EXE
4156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3304	4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe	83
PID 4292 wrote to memory of 3304	4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe	83
PID 4292 wrote to memory of 3304	4292	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe	83
PID 3304 wrote to memory of 640	3304	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe	86
PID 3304 wrote to memory of 640	3304	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe	86
PID 3304 wrote to memory of 640	3304	1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe	86
PID 640 wrote to memory of 3852	640	DesktopLayer.exe	87
PID 640 wrote to memory of 3852	640	DesktopLayer.exe	87
PID 3852 wrote to memory of 4156	3852	iexplore.exe	90
PID 3852 wrote to memory of 4156	3852	iexplore.exe	90
PID 3852 wrote to memory of 4156	3852	iexplore.exe	90
PID 8 wrote to memory of 872	8	svchost.exe	91
PID 8 wrote to memory of 872	8	svchost.exe	91
PID 8 wrote to memory of 872	8	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe
"C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcb.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe
  C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3852 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4156

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SRDSL"
1⤵
PID:2184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SRDSL"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\SysWOW64\SRDSL.exe
  C:\Windows\system32\SRDSL.exe "c:\users\admin\appdata\local\temp\240591468.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b0c7bbbc248e87ced6d7dfcf5c6eccb836cf4231b57a9dee9d32accc7be6fcbSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\240591468.dll

Filesize
29KB

MD5
ec30eae14fe3ba864506899efc95aa7d

SHA1
84320dd2cbd192360df2f85bffe56a188fc3ebce

SHA256
5d0a9330ae79347b083c6fb0521139d6d273bad6fbca6dae5f72983f9102f078

SHA512
b1cabb7c870473bc6a72340c82b2e97e352641c11b9fc58312a64f71b8a75a26ced15f39dc571cc95a92a6d016f82d814741304ee92d94967485d0ff11a63ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\240591468.dll

Filesize
29KB

MD5
ec30eae14fe3ba864506899efc95aa7d

SHA1
84320dd2cbd192360df2f85bffe56a188fc3ebce

SHA256
5d0a9330ae79347b083c6fb0521139d6d273bad6fbca6dae5f72983f9102f078

SHA512
b1cabb7c870473bc6a72340c82b2e97e352641c11b9fc58312a64f71b8a75a26ced15f39dc571cc95a92a6d016f82d814741304ee92d94967485d0ff11a63ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\240591468.dll

Filesize
29KB

MD5
ec30eae14fe3ba864506899efc95aa7d

SHA1
84320dd2cbd192360df2f85bffe56a188fc3ebce

SHA256
5d0a9330ae79347b083c6fb0521139d6d273bad6fbca6dae5f72983f9102f078

SHA512
b1cabb7c870473bc6a72340c82b2e97e352641c11b9fc58312a64f71b8a75a26ced15f39dc571cc95a92a6d016f82d814741304ee92d94967485d0ff11a63ab6

Download Submit
C:\Windows\SysWOW64\SRDSL.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\SRDSL.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\users\admin\appdata\local\temp\240591468.dll

Filesize
29KB

MD5
ec30eae14fe3ba864506899efc95aa7d

SHA1
84320dd2cbd192360df2f85bffe56a188fc3ebce

SHA256
5d0a9330ae79347b083c6fb0521139d6d273bad6fbca6dae5f72983f9102f078

SHA512
b1cabb7c870473bc6a72340c82b2e97e352641c11b9fc58312a64f71b8a75a26ced15f39dc571cc95a92a6d016f82d814741304ee92d94967485d0ff11a63ab6

Download Submit
memory/640-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3304-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3304-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4292-145-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4292-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download