ramnit | 4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e

Analysis

max time kernel
130s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll
Size

440KB
MD5

c50fd275bcad485892e77bba221364a0
SHA1

0f8f4f0e65f87e075c4a19ec1bb861b031281655
SHA256

4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e
SHA512

0816a58f9ff4dba5db4170beda99fa8e9eaaeb9b0000fe8f54169c948bccfb5678de9ce0dba8e60013efbbd278b4fb1dc53bbc6f641829330b48de52e3d734b6
SSDEEP

6144:DhwcskkkkknffCp5CrRKlua3Bo3EWSUxiQibG69VillCE:1wqqPo3NSJbG69VICE

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2040	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/memory/2040-64-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2040-65-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1176	rundll32.exe
1176	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377186045"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2181A711-7636-11ED-A6C3-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21850271-7636-11ED-A6C3-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe
2040	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1732	iexplore.exe
1032	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1732	iexplore.exe
1732	iexplore.exe
1032	iexplore.exe
1032	iexplore.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
680	IEXPLORE.EXE
680	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1336 wrote to memory of 1176	1336	rundll32.exe	27
PID 1176 wrote to memory of 2040	1176	rundll32.exe	28
PID 1176 wrote to memory of 2040	1176	rundll32.exe	28
PID 1176 wrote to memory of 2040	1176	rundll32.exe	28
PID 1176 wrote to memory of 2040	1176	rundll32.exe	28
PID 2040 wrote to memory of 1732	2040	rundll32mgr.exe	29
PID 2040 wrote to memory of 1732	2040	rundll32mgr.exe	29
PID 2040 wrote to memory of 1732	2040	rundll32mgr.exe	29
PID 2040 wrote to memory of 1732	2040	rundll32mgr.exe	29
PID 2040 wrote to memory of 1032	2040	rundll32mgr.exe	30
PID 2040 wrote to memory of 1032	2040	rundll32mgr.exe	30
PID 2040 wrote to memory of 1032	2040	rundll32mgr.exe	30
PID 2040 wrote to memory of 1032	2040	rundll32mgr.exe	30
PID 1732 wrote to memory of 680	1732	iexplore.exe	33
PID 1732 wrote to memory of 680	1732	iexplore.exe	33
PID 1732 wrote to memory of 680	1732	iexplore.exe	33
PID 1732 wrote to memory of 680	1732	iexplore.exe	33
PID 1032 wrote to memory of 576	1032	iexplore.exe	32
PID 1032 wrote to memory of 576	1032	iexplore.exe	32
PID 1032 wrote to memory of 576	1032	iexplore.exe	32
PID 1032 wrote to memory of 576	1032	iexplore.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:680
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2181A711-7636-11ED-A6C3-FE72C9E2D9C9}.dat

Filesize
5KB

MD5
cc9db46038673568a28a8e28bdd76eca

SHA1
f316593eb936f24393f860e4ae2abdab107e4f15

SHA256
323dbe95e1b3e2d86d683d7582f468fb6dc1eb2bb661f9fee0ba85777404815f

SHA512
56b6b9146c86c3575289e74bfdd72ff38eb06cc89f0ead5a18c9596688cadc7cda7a4d666c1cd0001c3fe2e4a2e2807b04dc4b08d00c101353cb4329721226d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21850271-7636-11ED-A6C3-FE72C9E2D9C9}.dat

Filesize
3KB

MD5
a52a9ceecc7fd9573d23a0719734f8ae

SHA1
d19902afcdb48a99565a2e35e2042f320f044f59

SHA256
0b2d1e364b09d8717a62098c9753609981e02d782bf5310a3fb904e1cae66125

SHA512
793f5e4deb5e13cc54e617bcc905e2625e7a0f3232d304e6d434ea73355633384d55df9ed53724e5eb5a791d8c92bc3c136fb72d8afcdf42d4862fb3a86a6218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CBKERS4V.txt

Filesize
603B

MD5
8a6d85e7aaa46acbc6c3b0ead112ceb4

SHA1
8c4fbd436ba591dee0bcfea0b441cec391ffbf67

SHA256
7436fe58089c1b855672929de8c733d33281cfbb62478956c26b0497c9c0c518

SHA512
e5363f8d8aa561935363f1da75cf771cac5c07c2276cce21d1f44c305a6b373ac5071873be1490a14dc32bb25ec06e05d24eea360427b00a03e0e4b97754a5d6

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
memory/1176-62-0x0000000010000000-0x000000001006F000-memory.dmp

Filesize
444KB

Download
memory/1176-63-0x00000000002A0000-0x0000000000302000-memory.dmp

Filesize
392KB

Download
memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/2040-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2040-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download