ramnit | 1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee

Analysis

max time kernel
10s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 09:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02db6c6dd0119ae4dd092c95269ef0fa.exe
Size

104KB
MD5

02db6c6dd0119ae4dd092c95269ef0fa
SHA1

0c847bd4af6ef9eb9da384374fb70117be59150d
SHA256

1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee
SHA512

b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b
SSDEEP

3072:lQ5faGko6CFrbJKARb0WQ9FSE1Fk8jwaaHw7Koj4rgdy:61afCF3IO0WmFR

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Program crash 2 IoCs

pid	pid_target	Process
3276	4876	WerFault.exe
4428	3156	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe
Token: SeDebugPrivilege	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4496	IEXPLORE.EXE
4496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 4876	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	21
PID 1952 wrote to memory of 3576	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	101
PID 1952 wrote to memory of 3576	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	101
PID 1952 wrote to memory of 3576	1952	02db6c6dd0119ae4dd092c95269ef0fa.exe	101
PID 3576 wrote to memory of 4496	3576	iexplore.exe	100
PID 3576 wrote to memory of 4496	3576	iexplore.exe	100
PID 4496 wrote to memory of 668	4496	IEXPLORE.EXE	102
PID 4496 wrote to memory of 668	4496	IEXPLORE.EXE	102
PID 4496 wrote to memory of 668	4496	IEXPLORE.EXE	102

C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe
"C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4876
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3156
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe
  "C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe"
  2⤵
  PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 208
1⤵
- Program crash
PID:3276

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
  2⤵
  PID:668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17416 /prefetch:2
  2⤵
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 204
1⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3156 -ip 3156
1⤵
PID:1512

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:4948

Network

DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F253C96DE41A4B22A77128C3C35B1FD7 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6CB4078784154FBA993797BACE30FD43 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2F2EC2FA65594F23ACD28AB3315E5FBD Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
date: Thu, 11 Jan 2024 01:59:14 GMT
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

api.bing.com

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

tls, http2

2.5kB
9.4kB
24
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=

HTTP Response

204
88.221.135.217:80

8.1kB
219.5kB
129
161
20.103.156.88:443

tls

501 B
318 B
5
4
20.103.156.88:443

tls, https

165 B
1
88.221.135.217:80

52 B
52 B
1
1
20.103.156.88:443

tls, https

888 B
1
88.221.135.217:80

52 B
1.3kB
1
2
204.79.197.200:443

g.bing.com

576 B
16.8kB
12
12
88.221.135.217:80

952 B
17.7kB
15
14

8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

api.bing.com

dns

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-2-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/1952-17-0x0000000077092000-0x0000000077093000-memory.dmp

Filesize
4KB

Download
memory/1952-16-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/1952-7-0x0000000077092000-0x0000000077093000-memory.dmp

Filesize
4KB

Download
memory/1952-5-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1952-4-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1952-0-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/1952-10-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/1952-1-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/1952-14-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2916-34-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2916-32-0x0000000002060000-0x0000000002062000-memory.dmp

Filesize
8KB

Download
memory/2916-30-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/4876-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4876-8-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.