ramnit | 3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55

Analysis

max time kernel
141s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
Size

122KB
MD5

017e4216b890b648f4984a7819c518b9
SHA1

a0a31c124db239299f37ff7a8f4e968ceaa874c2
SHA256

3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55
SHA512

63fa4183f194ec49df3918f70f2aa861e42f92696613caddcdf46cb6a13612ef5a245448828363e535ee73287e3f15cad3e8cf7d5eac7600ff613df5b9531a09
SSDEEP

1536:+OC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9TfBo:+wV4OgSzBmh04eZFkz3Rr0gwGj9Tf8Hj

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1312-56-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1312-57-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AA309C1-769C-11ED-9F20-E233F62F3A57} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AA1F851-769C-11ED-9F20-E233F62F3A57} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377229904"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1480	iexplore.exe
856	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
856	iexplore.exe
856	iexplore.exe
1480	iexplore.exe
1480	iexplore.exe
584	IEXPLORE.EXE
584	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1480	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	28
PID 1312 wrote to memory of 1480	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	28
PID 1312 wrote to memory of 1480	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	28
PID 1312 wrote to memory of 1480	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	28
PID 1312 wrote to memory of 856	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	29
PID 1312 wrote to memory of 856	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	29
PID 1312 wrote to memory of 856	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	29
PID 1312 wrote to memory of 856	1312	3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe	29
PID 856 wrote to memory of 1468	856	iexplore.exe	31
PID 856 wrote to memory of 1468	856	iexplore.exe	31
PID 856 wrote to memory of 1468	856	iexplore.exe	31
PID 856 wrote to memory of 1468	856	iexplore.exe	31
PID 1480 wrote to memory of 584	1480	iexplore.exe	32
PID 1480 wrote to memory of 584	1480	iexplore.exe	32
PID 1480 wrote to memory of 584	1480	iexplore.exe	32
PID 1480 wrote to memory of 584	1480	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe
"C:\Users\Admin\AppData\Local\Temp\3a66175e7c5fcdbfe784be92f96fbca16063f1c53c70df5bfa2e3165393fdf55.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:584
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40e440ff40deaa7b93b34f61a5d40ff3

SHA1
ad693e499c1bfa946586da8ee6bac9337d636651

SHA256
f61acac654c6cbc5291e88fa42b9ea603519df3fbbdc95e682c794fbc01a7907

SHA512
828fe585c769ee828660a182840500c45a3aaf2873c7a3f66657a98297627fa162af9acc00cd947380ef9b910bb3afab76e77584d241f192829bc6a3a6eea2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AA1F851-769C-11ED-9F20-E233F62F3A57}.dat

Filesize
4KB

MD5
44aa11b5d1513d4fac3db7e6a2075e63

SHA1
9585cb4fc88ad00ba22b7de8f5a0cfe8773d8c1d

SHA256
09044273a017256210e17b5c94ad4805cc1ec943e5541aa6fb5f458767c4e92a

SHA512
7ec1c08ea828ffdc61f233a887ea410534c2c7ad762ec3c15e92eba16e6c780a777d44258e50f5cb3e1a673f699e6f8224ed5060f0abe155b1777ec9ab263d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AA309C1-769C-11ED-9F20-E233F62F3A57}.dat

Filesize
5KB

MD5
42eb6c6c739ed874b5f33e3a71b6f6fa

SHA1
ce681abd65797caf5ccb1197fd22d892260025d5

SHA256
5ca7cb55dd876e26d81e37eca76d7281b6aa77ba722a3e5e40627059da64dab3

SHA512
d467f03f03728fb6c980a7ff7eb89a5ba4780e7d0c4941d0581dcaeb37f370a730ab5cad2c4ca104e22759a8ea30b8530d94e867f79069281b41faa612c75812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S7YIYVBW.txt

Filesize
601B

MD5
13c1ff04287f3a51304898a036cef55e

SHA1
5c5b364eca4accd7437bf6b3410d06a1a79df1dd

SHA256
9e78ddebef3b510c873b744ef71b6f9f05390ec5fb8e9ececba9537be6b39f43

SHA512
22fa7ba31671005b5c786449822ea5f72688170e467b447fa403d0b34006077f7cdd0446320b95608b5e9a3e58ebdeab9571a4d30accc8ac786729b5d59154b1

Download Submit
memory/1312-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1312-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download