ramnit | c57b539ff288d6f5b11e8b745f150852afe6334b3a8157175499f5c7949245c0

Analysis

max time kernel
0s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9fe324f3158330f3665189d7ea94f6.html
Size

121KB
MD5

1e9fe324f3158330f3665189d7ea94f6
SHA1

7e5309bdce7742aecea2d7f922535a6d3d033fda
SHA256

c57b539ff288d6f5b11e8b745f150852afe6334b3a8157175499f5c7949245c0
SHA512

7234328cb0999bb5fcd1335ea32309cfd2f17d08e06ac7e0f6668288ad47384c397452612ce44551a9b0d510ac0b62920f973ed1442c6c14feb09f4516b9c8e5
SSDEEP

1536:SyEfuyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGL:SlfuyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014825-16.dat	upx
behavioral1/files/0x0008000000014825-15.dat	upx
behavioral1/memory/2664-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2552-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2552-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x00080000000146c0-2.dat	upx

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{544EF281-A3DD-11EE-BEA9-FE29290FA5F9} = "0"	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
888	iexplore.exe
888	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2176	888	iexplore.exe	16
PID 888 wrote to memory of 2176	888	iexplore.exe	16
PID 888 wrote to memory of 2176	888	iexplore.exe	16
PID 888 wrote to memory of 2176	888	iexplore.exe	16

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1e9fe324f3158330f3665189d7ea94f6.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:2552
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:537608 /prefetch:2
  2⤵
  PID:2828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2576

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
2KB

MD5
05d8a68aa18bce51619a0b877201173c

SHA1
ae35646cba8e690b618534c303d3d321de4035be

SHA256
ff23eea20a1a4e081867b403deaab73ccab6fbcde536a8c8efbe1f0e5dcfbe4a

SHA512
ad7cc577c155930d22fe8dad35cfb2cd83b33b63326f8d53fb0df8f666a6ff6b21b7e59a3e197e0a513643517b4d254f23a7d3734ea62444276e707644a73c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
33KB

MD5
aa6bab2714c48d9b81658b1f3901e0a8

SHA1
58dc5a3ff0a9dd04ecbb5981150f4b6a8e9b36c6

SHA256
03660d5264122bc7fd3491879a3ee379237fc424c0e26a5f6681bb22a5de7143

SHA512
ae887139118b5b104ed7426081650f12b102f46a27adc9734d4ef63efc9d54b7c5738223dd5869c54e828cba01f370b8014c114f71a7a66b18bd9a862d3ba6c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a38d177e46ca68353eb98c7aa66ba0f8

SHA1
db3f3af939a53c8ae03dba6db07d94dd28f5c4fd

SHA256
fd82dae0cdf85de9ae9c3ace926378cf9a4a02989b29deb634bb5569c58275ad

SHA512
0593784dc0585bacfcc6341bd904a184b05363966c2cacc756d96968594db9caef030a3cda91c012459bd711698a978d7ad24bab62c144be0c9449436934fee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92276479178e4dbd4c75782237850f46

SHA1
f291571b1b0a1f589d3089fa37c37f08b82ae1be

SHA256
01b6ebe331f8db9806f3c156dbecc398700cf8c5d75c75a42fe31c363e80c00e

SHA512
59fa0d2c67e7971b10e6d50a9a190f5ee9479f00ddda55780646283a12c3a65bdccd56a3d72da2f64eff3334c382d34331cecbed791cdcacb5e0966c2ddf8162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
246274d3da81cb36986daa9c86a238ae

SHA1
7fb8300b484d235199aa49c11d4114ea172fc840

SHA256
049366f090958098130f69c4ea55bd84431ba1958fa1fd118ea88e3e5c2489d6

SHA512
807c7f2beb923539836ac42b2e36f8f9e4e078593611a5b5e6765a9bcb5aa85c84b1dc4cd590a8c6be9e710b127242a5c2ce67265aa47fa917c899dc5ecaee15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c14f813d27a5d86a717bcf0ed9f8b0ac

SHA1
619d58be5931bd25e214174015e5ee4edacb2847

SHA256
c522a8445c2efcf234333591727ea07fb9bb763d654597a7d1fcdf1362bcd7f7

SHA512
5be35d8de53c2f7184275f3a079445702b014090b370ad9f6c09b73f97e74a3640f1484c1d98cc5694d8fa08f374f07793523105cca8eac951ebc7f0212134dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84df5e70da0498c6fab10cdb34887eab

SHA1
4fc661052641292e9219e1f2b9eadb14d921cffd

SHA256
e66453afa51f27dc4ef01dac16f8957deb0b6a7ff04bf730f15a36c4b356e562

SHA512
6bb3ac400893ca21c13ee3d20ac4da64cf05dcd02201d3b934fb4018d92565dca820b34fb2f5ab6a6662fad42436825394e5e983a86ae72d30c07caff9e737aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e394855b2bb2833a652dc61e9567c166

SHA1
5df09b32a849572ee128b93726a30108a9e86035

SHA256
2f83ab2affee67e1d101fa903a1a2d1d4a2f4b95f66daaecfdf21a729942921b

SHA512
44a845375b64ea2e87e704d692f17ea561cd2a6deb680c16c5a4f772cd986aa7a2f74b8ab6e06e59c6f9a25dc79c8d633585bd914b0becea290473b506a14785

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14c6af820f7301acb7e7ed4df6b852cc

SHA1
f99ac95bc54902f2f5ea0c5c666b10b87db89c79

SHA256
0b52b95ec257be0f043894689efb27f837ede207bd94802372a8f03eaa5a74b9

SHA512
1cc1f4edecd6d3a6187d57da6ae3053a0cdcfae1f54444928ec1f3c5ba2b80263c4703ae027b61ac7041f6bb6e2fa0fcdadb4386cd38a4bdba3f7ec0a682355b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
423a4d28ed87e74fdef576e64cd6fdcc

SHA1
5fde582aabdc538f86b03c9c5052cf95bbb62eb8

SHA256
595156e70e441b56d5101602de4bcc246f8a7e22d657a0439443b0dfea13f8a9

SHA512
eb3e4ce819c23aa28ef2574beaf225e7fcc479106f61ede1420bc418657e9ead02063b7f03d64e38fc9ed781b6649611094aa6629bc7ac126b4c361bf7a3b83e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0025acdd160e78088665d008ea0c0f37

SHA1
4f9ed81fa40d49ca56f5a3ed69b0ac41a732cf08

SHA256
a95dfc16408e92f253fdfd6d15821c46b68224854a3067b1489a07a403de59dc

SHA512
2f3d4da99d6868dc66f03b55347174cd13b4ea5621b338ffc57c013ab9190e4b379de692c07dc34d1cda11e79072240ecf2474ac4c4a8b819ad616eeb9e14f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YOZQQW0U\favicon[2].ico

Filesize
1KB

MD5
7125f45e2b64561340f80f2df51ebda9

SHA1
82f3193a53474a5d83b4ba627d61ec0197cfccfa

SHA256
31054f95f3353639a6564567278cb431718fbe3c9bbf1df6a015ce5b0626c31b

SHA512
becfa9c67a6b9dee5f30aaf8b4a8699b2ff4af652e86fa80e55136f7844863bcde12249f8531ac8aca085538d568ee96d15223c8d332ad2edd9dc8902c1a6a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22D2.tmp

Filesize
17KB

MD5
dabe19e9b715e1b55216cc054247f29f

SHA1
e85dd50cec4a8b6b5a26b278634bc4d2771c5f08

SHA256
b59681c25bdd31af7b8a364ded7d83b94d1ce2ca0c625a09f72f1c2115c8a471

SHA512
4d455932cde659568b1f0c5530ae51f4c956acfdba7ee502f45e3764ad36925b451a83b16defaf1b7e503c431d070fb21eacd747553504ed24c3eb8d0299b6aa

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
54KB

MD5
2e5c0c31c29ecc86b5ba0615b7b16c3b

SHA1
696e259409965a72a8dd53eac7e0e857b65b1d3c

SHA256
75a9e50cd70c3277f511e9068b0ab30e7f7bd8377fc2386e9c3afaeb47ea74f6

SHA512
05709e5a4da1573f878d70c1d639de68040569dcc7b27cb93426e3929138649ee97d6214586c585c531a0ffb4227c4a689cb0706148a3e9deabdf549a73224c2

Download Submit
memory/2552-10-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2552-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2552-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2552-18-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2664-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2664-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download