ramnit | 1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da

Analysis

max time kernel
119s
max time network
189s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll
Size

712KB
MD5

b0598f603501f4c19c6b5e12bbad0140
SHA1

58abbab28c4290b4acf8c06b211cd0a495a5cad7
SHA256

1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da
SHA512

5ea1551674e23d26899cc2763cf34c071dedc9b804d944b9738c850fa553ea1059fef8432cf3e026c182ea5d0748bf8b0511ec76a3b01fd16362e95cbebf5876
SSDEEP

12288:KehnaNPpSVZmNxRCwnwm3W3OHIIf5Gs/Yklv44iNAzQxBJ:Keh0PpS6NxNnwYeOHXwKYwtiN3l

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
940	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/940-60-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/940-63-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1732	rundll32.exe
1732	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C47B491-7806-11ED-9551-6E705F4A26E5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377385387"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C465501-7806-11ED-9551-6E705F4A26E5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe
940	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1728	iexplore.exe
1340	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1340	iexplore.exe
1340	iexplore.exe
1728	iexplore.exe
1728	iexplore.exe
384	IEXPLORE.EXE
1540	IEXPLORE.EXE
384	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 240 wrote to memory of 1732	240	rundll32.exe	28
PID 1732 wrote to memory of 940	1732	rundll32.exe	29
PID 1732 wrote to memory of 940	1732	rundll32.exe	29
PID 1732 wrote to memory of 940	1732	rundll32.exe	29
PID 1732 wrote to memory of 940	1732	rundll32.exe	29
PID 940 wrote to memory of 1340	940	rundll32mgr.exe	30
PID 940 wrote to memory of 1340	940	rundll32mgr.exe	30
PID 940 wrote to memory of 1340	940	rundll32mgr.exe	30
PID 940 wrote to memory of 1340	940	rundll32mgr.exe	30
PID 940 wrote to memory of 1728	940	rundll32mgr.exe	31
PID 940 wrote to memory of 1728	940	rundll32mgr.exe	31
PID 940 wrote to memory of 1728	940	rundll32mgr.exe	31
PID 940 wrote to memory of 1728	940	rundll32mgr.exe	31
PID 1340 wrote to memory of 384	1340	iexplore.exe	34
PID 1728 wrote to memory of 1540	1728	iexplore.exe	33
PID 1728 wrote to memory of 1540	1728	iexplore.exe	33
PID 1728 wrote to memory of 1540	1728	iexplore.exe	33
PID 1728 wrote to memory of 1540	1728	iexplore.exe	33
PID 1340 wrote to memory of 384	1340	iexplore.exe	34
PID 1340 wrote to memory of 384	1340	iexplore.exe	34
PID 1340 wrote to memory of 384	1340	iexplore.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e061d17ed2f09115446a86883259be650c0dc6f11e6db3631882194760e94da.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4C465501-7806-11ED-9551-6E705F4A26E5}.dat

Filesize
5KB

MD5
ac305da3697933e990a6bca20f65b158

SHA1
4d0cf53e5bf994b6606c9ef9354d586ccb33a137

SHA256
3ada8e69735b5206fd4edafc13fc99b7d8051a2616c431d34c33cdd35c2e612a

SHA512
ee17c1c304027096087f70ffbfbb22db413d3cfca473e4ef2ce47b384386188e30cd1521ab57d8083b8740396b0ade25fc3863871103d5aad76bf7a8d4194095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4C47B491-7806-11ED-9551-6E705F4A26E5}.dat

Filesize
3KB

MD5
1023dee2ed8d382c0a5f5fe3542b8443

SHA1
131716d9283dad2f8e3f642f1674e98cfde1ed07

SHA256
c600708c2f3adbe338a81db032f985ebec4511d37f0a1c52fb41239928307757

SHA512
e9a9642ff3b3bb83993c7da13fc36f14c38940b2c47f2eedc137eda532c799cf182797a4cc7a39c10ce6e655489b01f693973e42ea24ae29cb2bc6b1a1cc1d08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YZHLRVXM.txt

Filesize
608B

MD5
d879d3687ccf5a1819f7dfbed732fd28

SHA1
6607a2e755ff7759f7512fa1e894e0aea068bd60

SHA256
15b9283915c69b568be4f0bd189e5ce6277b3cf962621b3d75cc3d76e04a82c8

SHA512
e0ac26cb6d526a6551eedef2ee5ba19e2e54a271c74922b0cabff566eda2d487d2e02fd93b8ae2ff71670d596d0bb731240e2334757af6350dc3d1f8222611f8

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
329KB

MD5
b9fafc0d8b37b03f15cb13306f83876c

SHA1
9ff757465fd46ef2d9d56c5e57a202f57cd06217

SHA256
b3016e8e6380563a2359bb84dc97cb81cc4638d9a52b48d49e576a8d777f65d1

SHA512
68a99095a0d24278cfa2f5700c16ee3459813cd31d10f5d8d38cac2c4dedfcdb3b05eb197b061f473965f000d869420fe279c6096a695414fec7de5c40a346eb

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
329KB

MD5
b9fafc0d8b37b03f15cb13306f83876c

SHA1
9ff757465fd46ef2d9d56c5e57a202f57cd06217

SHA256
b3016e8e6380563a2359bb84dc97cb81cc4638d9a52b48d49e576a8d777f65d1

SHA512
68a99095a0d24278cfa2f5700c16ee3459813cd31d10f5d8d38cac2c4dedfcdb3b05eb197b061f473965f000d869420fe279c6096a695414fec7de5c40a346eb

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
329KB

MD5
b9fafc0d8b37b03f15cb13306f83876c

SHA1
9ff757465fd46ef2d9d56c5e57a202f57cd06217

SHA256
b3016e8e6380563a2359bb84dc97cb81cc4638d9a52b48d49e576a8d777f65d1

SHA512
68a99095a0d24278cfa2f5700c16ee3459813cd31d10f5d8d38cac2c4dedfcdb3b05eb197b061f473965f000d869420fe279c6096a695414fec7de5c40a346eb

Download Submit
memory/940-60-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/940-63-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download