ramnit | 66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09

General

Target

66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll
Size

156KB
MD5

a7715ab03671b7ad07badcafb52bc5a3
SHA1

4fbf6b905ba591e66782daf1a05e8004f462203b
SHA256

66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09
SHA512

1107fa4382f08bdcaddc392c0dfe38031ce7faedb926843c6e6bfc749ec3ac580ae62eaf9f5ca7934db42d0a8becd04364f74560496426ab5b7d7f1a59fc9494
SSDEEP

3072:4xrFrIhR08c8cNDgvuZrXFmBGVDjIO6o3o5WIf:ErFchR+8cNcvErXF+PNo3yJ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

856 rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/856-138-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/856-139-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/856-140-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 2276 WerFault.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
2352	2276	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375829982"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999401"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3961437748"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3961437748"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05DA723C-6F5D-11ED-919F-D668443210E4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32mgr.exe

pid	process
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe
856	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 856 rundll32mgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4704 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4704 iexplore.exe
4704 iexplore.exe
2572 IEXPLORE.EXE
2572 IEXPLORE.EXE
2572 IEXPLORE.EXE
2572 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

rundll32mgr.exe

pid process

856 rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	856	rundll32mgr.exe

pid	process
4704	iexplore.exe

pid	process
4704	iexplore.exe
4704	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeiexplore.exe

description	pid	process	target process
PID 2688 wrote to memory of 2276	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2276	2688	rundll32.exe	rundll32.exe
PID 2688 wrote to memory of 2276	2688	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 856	2276	rundll32.exe	rundll32mgr.exe
PID 2276 wrote to memory of 856	2276	rundll32.exe	rundll32mgr.exe
PID 2276 wrote to memory of 856	2276	rundll32.exe	rundll32mgr.exe
PID 856 wrote to memory of 4704	856	rundll32mgr.exe	iexplore.exe
PID 856 wrote to memory of 4704	856	rundll32mgr.exe	iexplore.exe
PID 4704 wrote to memory of 2572	4704	iexplore.exe	IEXPLORE.EXE
PID 4704 wrote to memory of 2572	4704	iexplore.exe	IEXPLORE.EXE
PID 4704 wrote to memory of 2572	4704	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 668
3⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2276 -ip 2276
1⤵
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
129KB

MD5
136ec6fc6d20477735fc35c3d9c817d2

SHA1
a29426a337b4be6bb0641463f13a6f2c3102bcf1

SHA256
3ae76ee416ef817656fd489d69649f1bfa5f5f242d3a6caa82f9212f40f76c32

SHA512
431b1bb7cd27daa55fd83167f25cebcf1028b1e1ab8e4537ec237cfb1fb44ebecd3dd2c64e8b5a8822916acf6ff3fd2efd44621d2f50f45db9a448e97e6025bd

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
129KB

MD5
136ec6fc6d20477735fc35c3d9c817d2

SHA1
a29426a337b4be6bb0641463f13a6f2c3102bcf1

SHA256
3ae76ee416ef817656fd489d69649f1bfa5f5f242d3a6caa82f9212f40f76c32

SHA512
431b1bb7cd27daa55fd83167f25cebcf1028b1e1ab8e4537ec237cfb1fb44ebecd3dd2c64e8b5a8822916acf6ff3fd2efd44621d2f50f45db9a448e97e6025bd

Download Submit
memory/856-133-0x0000000000000000-mapping.dmp

Download
memory/856-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/856-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/856-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2276-132-0x0000000000000000-mapping.dmp

Download
memory/2276-141-0x0000000004800000-0x0000000004827000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads