ramnit | 93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712

Analysis

max time kernel
104s
max time network
143s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
Size

101KB
MD5

72eeccd6de75f018b53a1be72055c5d0
SHA1

1e64b79fc0432f7953f05c2b600a60287339db5b
SHA256

93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712
SHA512

b854dc9a6e6e98c120ab46bdc56d351b4a06a7bec703006bf7b435e290201f64fe80209d4c79ce170574d4f54828b0c2930517c5b82c9b1671469406f357f54d
SSDEEP

1536:jmI0pGA9QFZOwv61HW1LItmK/+WLPPyKN7MWpqX4a7prh2ZVJUELyoERrKKlr:KIs9QBv2HWBImgyKN/4FAVJlz0rpl

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-56-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1292-57-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9360131-72B0-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376798975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F936C481-72B0-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1080	iexplore.exe
2012	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1080	iexplore.exe
2012	iexplore.exe
1080	iexplore.exe
2012	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2012	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	27
PID 1292 wrote to memory of 2012	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	27
PID 1292 wrote to memory of 2012	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	27
PID 1292 wrote to memory of 2012	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	27
PID 1292 wrote to memory of 1080	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	28
PID 1292 wrote to memory of 1080	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	28
PID 1292 wrote to memory of 1080	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	28
PID 1292 wrote to memory of 1080	1292	93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe	28
PID 1080 wrote to memory of 584	1080	iexplore.exe	31
PID 1080 wrote to memory of 584	1080	iexplore.exe	31
PID 1080 wrote to memory of 584	1080	iexplore.exe	31
PID 1080 wrote to memory of 584	1080	iexplore.exe	31
PID 2012 wrote to memory of 1564	2012	iexplore.exe	30
PID 2012 wrote to memory of 1564	2012	iexplore.exe	30
PID 2012 wrote to memory of 1564	2012	iexplore.exe	30
PID 2012 wrote to memory of 1564	2012	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe
"C:\Users\Admin\AppData\Local\Temp\93b7ae765cc5089b7e807fcd773ce948721096e3e24e86198064157846e3e712.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F9360131-72B0-11ED-9201-42465D836E7B}.dat

Filesize
3KB

MD5
d042329b4ee21144e96359ea1c355adc

SHA1
63c787459a11e782c07a09d8bbfb00818a1c106e

SHA256
a7ece5c0e75aad3fe58925fca04d9543562bb2032cdbb0f059ac6eb42b799743

SHA512
05af68833188876ca64e598e0dcc0692f3ef9f2cbb03cb57e66310eac434a11281589a86457c9f5b2240c6907a5e7712b92223704fb76743e9826d80819d13d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F936C481-72B0-11ED-9201-42465D836E7B}.dat

Filesize
5KB

MD5
a0b7bc6d607a13910d3d5f893a41bd76

SHA1
7950e77e63f415f7fc07496d8e5d3237086ff895

SHA256
d83a256f2c1dbdc9e61cbf0dbf2bc69a9bec9aaf2d83b2e56472d1de18d1f332

SHA512
362373c71f3bb0a8f12bed084b92b61bb3c8649f04a23468f0c2985501b3628b370b3a2df75521b724e3e0237adf5a260bedb86faeb3c8e01a92fedea206f979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WMN1YJMW.txt

Filesize
539B

MD5
1c053d8343707a9eb4903f8caaaf3a29

SHA1
73b43ed458ecb17f9fb86b86358b3732f6fd11d1

SHA256
39d3ddb11b60f6e9424e0023374410f58f42d3f405fdcfa15112208a212778de

SHA512
04ca14bc5157889d4bfc7e0eb3a1169e705bd6e0c1ef8cdb370777497bc88cb5b505450731109fc9ffd8f7bf72fc1d4810fc7255c9d3e1b2f2bdf220c1cb8915

Download Submit
memory/1292-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1292-57-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download