ramnit | 1215b3ff9a131f20d61a10153d89a86b98935ded2f0a32efdc948dc6b530fc98

General

Target

1215b3ff9a131f20d61a10153d89a86b98935ded2f0a32efdc948dc6b530fc98.dll
Size

298KB
MD5

c290492d7a50c57952e53fb9933bd979
SHA1

6d1cd31beedd962f966b4fbbbd8f595d1cf91aef
SHA256

1215b3ff9a131f20d61a10153d89a86b98935ded2f0a32efdc948dc6b530fc98
SHA512

6c640bae331a3e6f4b4b87bc9ad89974b830967a4567d24bf90663fab6abc4e48d6bb04c307adf8d8a25938de44702bd81137a18f3929b6a94986783c879f6ca
SSDEEP

6144:WxGMku94XCzTurXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01b:WxGCOXzURlbDC9K69u2m+SqOWcsQQKiD

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

1348 rundll32mgr.exe

pid	process
1348	rundll32mgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1348-60-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1348-61-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1348-63-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1348-66-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1348-67-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1348-68-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1392 rundll32.exe
1392 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

872 1392 WerFault.exe rundll32.exe

pid	process
1392	rundll32.exe
1392	rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
872	1392	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48920381-6F57-11ED-8B07-42F1C931D1AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376430607"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32mgr.exe

pid process

1348 rundll32mgr.exe
1348 rundll32mgr.exe
1348 rundll32mgr.exe
1348 rundll32mgr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 1348 rundll32mgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

668 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

668 iexplore.exe
668 iexplore.exe
1028 IEXPLORE.EXE
1028 IEXPLORE.EXE
1028 IEXPLORE.EXE
1028 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

rundll32mgr.exe

pid process

1348 rundll32mgr.exe

pid	process
1348	rundll32mgr.exe
1348	rundll32mgr.exe
1348	rundll32mgr.exe
1348	rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	1348	rundll32mgr.exe

pid	process
668	iexplore.exe

pid	process
668	iexplore.exe
668	iexplore.exe
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE

pid	process
1348	rundll32mgr.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeiexplore.exe

description	pid	process	target process
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1392	624	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1348	1392	rundll32.exe	rundll32mgr.exe
PID 1392 wrote to memory of 1348	1392	rundll32.exe	rundll32mgr.exe
PID 1392 wrote to memory of 1348	1392	rundll32.exe	rundll32mgr.exe
PID 1392 wrote to memory of 1348	1392	rundll32.exe	rundll32mgr.exe
PID 1392 wrote to memory of 872	1392	rundll32.exe	WerFault.exe
PID 1392 wrote to memory of 872	1392	rundll32.exe	WerFault.exe
PID 1392 wrote to memory of 872	1392	rundll32.exe	WerFault.exe
PID 1392 wrote to memory of 872	1392	rundll32.exe	WerFault.exe
PID 1348 wrote to memory of 668	1348	rundll32mgr.exe	iexplore.exe
PID 1348 wrote to memory of 668	1348	rundll32mgr.exe	iexplore.exe
PID 1348 wrote to memory of 668	1348	rundll32mgr.exe	iexplore.exe
PID 1348 wrote to memory of 668	1348	rundll32mgr.exe	iexplore.exe
PID 668 wrote to memory of 1028	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1028	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1028	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1028	668	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1215b3ff9a131f20d61a10153d89a86b98935ded2f0a32efdc948dc6b530fc98.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1215b3ff9a131f20d61a10153d89a86b98935ded2f0a32efdc948dc6b530fc98.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 232
3⤵
- Program crash
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\556NVQHB.txt
Filesize
601B

MD5
e4478e7ca9b5485e0fa020ad4d686500

SHA1
94e480f877326774decec5a084dfafa4b70d5d7e

SHA256
3a4fe30114edbb7982800e68c91ef73aff306f82d1706545be15bd07d80c3678

SHA512
b53e73dbd165195f2f5ecf54186bfae6d4a3119e5dc6b4319e461cef48407f93c6b62103d26ff44c02005a4873fd26cfac7b6546d6b490b79d1bb984ac0c1e20

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
85KB

MD5
b4e5d5a3e41418d74e32471ee3200155

SHA1
fb0f3af51e7d079c58ea4774096e659b7b188b9c

SHA256
084d25d03f99b468eb590ae972af19944625512cdbddc03fd999685b1fdb959d

SHA512
b773b2da0c695bc592b3870ddb4d3d0c42c00aaae73dd4a668819fcd8968d87394bc4e6e4b4bb990f3303539a310722beb9fcf7e86d08019ea4c63c9c4d22165

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
85KB

MD5
b4e5d5a3e41418d74e32471ee3200155

SHA1
fb0f3af51e7d079c58ea4774096e659b7b188b9c

SHA256
084d25d03f99b468eb590ae972af19944625512cdbddc03fd999685b1fdb959d

SHA512
b773b2da0c695bc592b3870ddb4d3d0c42c00aaae73dd4a668819fcd8968d87394bc4e6e4b4bb990f3303539a310722beb9fcf7e86d08019ea4c63c9c4d22165

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
85KB

MD5
b4e5d5a3e41418d74e32471ee3200155

SHA1
fb0f3af51e7d079c58ea4774096e659b7b188b9c

SHA256
084d25d03f99b468eb590ae972af19944625512cdbddc03fd999685b1fdb959d

SHA512
b773b2da0c695bc592b3870ddb4d3d0c42c00aaae73dd4a668819fcd8968d87394bc4e6e4b4bb990f3303539a310722beb9fcf7e86d08019ea4c63c9c4d22165

Download Submit
memory/872-64-0x0000000000000000-mapping.dmp

Download
memory/1348-58-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1348-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1348-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1348-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1348-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1348-68-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1392-54-0x0000000000000000-mapping.dmp

Download
memory/1392-65-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/1392-62-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1392-55-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1392-70-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads