ramnit | 3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961

Analysis

max time kernel
129s
max time network
176s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll
Size

252KB
MD5

af6a70fb5d24feb8c64b057af6ea7330
SHA1

2883fc3538bf3444b2e80892f92b2957e193b49b
SHA256

3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961
SHA512

d2835590b9e5d7d0ba7c9b3a0de988631e6213222973b7da594c6ec9cfe27f8c7cb1f3d3e99006688122ce635873d3152f71c71b1ca0a6b0531114750239b941
SSDEEP

3072:+2UxPvVKNiNz1a2JRC+Tq/Kbo/ykbE+tsxGWpsdYSyaYQrVSyW8/AaTCtaXHpXp:lGvQ4Nx9RHTVbedbEknSh0xn/AaTWaXH

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
964	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012302-56.dat	upx
behavioral1/files/0x000b000000012302-57.dat	upx
behavioral1/files/0x000b000000012302-59.dat	upx
behavioral1/memory/964-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/964-63-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1736	rundll32.exe
1736	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88D01F11-7630-11ED-A70D-7AAB9C3024C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377183625"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88D04621-7630-11ED-A70D-7AAB9C3024C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe
964	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1184	iexplore.exe
692	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1184	iexplore.exe
1184	iexplore.exe
692	iexplore.exe
692	iexplore.exe
748	IEXPLORE.EXE
488	IEXPLORE.EXE
748	IEXPLORE.EXE
488	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1632 wrote to memory of 1736	1632	rundll32.exe	28
PID 1736 wrote to memory of 964	1736	rundll32.exe	29
PID 1736 wrote to memory of 964	1736	rundll32.exe	29
PID 1736 wrote to memory of 964	1736	rundll32.exe	29
PID 1736 wrote to memory of 964	1736	rundll32.exe	29
PID 964 wrote to memory of 1184	964	rundll32mgr.exe	30
PID 964 wrote to memory of 1184	964	rundll32mgr.exe	30
PID 964 wrote to memory of 1184	964	rundll32mgr.exe	30
PID 964 wrote to memory of 1184	964	rundll32mgr.exe	30
PID 964 wrote to memory of 692	964	rundll32mgr.exe	31
PID 964 wrote to memory of 692	964	rundll32mgr.exe	31
PID 964 wrote to memory of 692	964	rundll32mgr.exe	31
PID 964 wrote to memory of 692	964	rundll32mgr.exe	31
PID 692 wrote to memory of 488	692	iexplore.exe	34
PID 692 wrote to memory of 488	692	iexplore.exe	34
PID 692 wrote to memory of 488	692	iexplore.exe	34
PID 692 wrote to memory of 488	692	iexplore.exe	34
PID 1184 wrote to memory of 748	1184	iexplore.exe	33
PID 1184 wrote to memory of 748	1184	iexplore.exe	33
PID 1184 wrote to memory of 748	1184	iexplore.exe	33
PID 1184 wrote to memory of 748	1184	iexplore.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c126c4594bbdda9f2b0f3b0d8bac09b09b2ec298830229dac8f6509e6cb5961.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88D01F11-7630-11ED-A70D-7AAB9C3024C2}.dat

Filesize
3KB

MD5
986ca3fc8b5459ce9d3b101a22604ea2

SHA1
b52c26e847ec5e3bc9544ccf5851cee179ebc24a

SHA256
763092ed2d883a10f8813fe56b38402e723a2a4c2c562ef626c41b688082f2c5

SHA512
c344b2a5d0c1a066f38ddbc76bf402d9ba838aa983b48c0879d957386f47ea928ad49e3e3d9d4bb5da57b169be9bca785d15cae562145aecabe2cc14d132803a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{88D04621-7630-11ED-A70D-7AAB9C3024C2}.dat

Filesize
5KB

MD5
db853aeb0eebe86faaedd83ab1a25863

SHA1
3560a62477ee41dad8af89eaad59daafb4f5596e

SHA256
825772d2d1f09f24d043cd7b2402ac78d64a43e7007aba7306763178e4de0182

SHA512
693e92034d95b5be8c6bab90c1ad196788db3d7c47ce1a273cb793d70032287d6dac7e09a4238ee17b6148f3fe729f56535639a7ffe900176e1d019718ad0c54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Q2OCO31.txt

Filesize
608B

MD5
e3ddadfd1a1db02a845a46b601409df5

SHA1
e91c62467b10764ce05d0a650aadb66674d46315

SHA256
9fa066c5c9f1a2c78aaecf9ecc5b72c6afcefb11779512dcdab0107cb9c6f96c

SHA512
ac77e397038a0c1a6c957428e3e239712bf014946d379b37400a418883776087764eeb6a4b5264c9fe94aa6f5680311476820799e4cc0ad9073fa7130c02eddb

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
153KB

MD5
6c6400ba9cf5a1d34fbbb3e2fe57ce3f

SHA1
a6f8636c626b47354407aae3ec592ba8a6ad57ef

SHA256
c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

SHA512
9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

Download Submit
memory/964-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/964-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1736-55-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download