Malware Analysis Report

2025-08-10 23:56

Sample ID 240313-215mnabf8v
Target c711a7b74c62cbdcd059ec9421ecdc3e
SHA256 27ea524cc2f12cc4b9e70878667bcb8901e7d1548d0b1341b36b7722c056213b
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27ea524cc2f12cc4b9e70878667bcb8901e7d1548d0b1341b36b7722c056213b

Threat Level: Known bad

The file c711a7b74c62cbdcd059ec9421ecdc3e was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 23:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 23:03

Reported

2024-03-13 23:06

Platform

win7-20240221-en

Max time kernel

120s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px50EE.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8F56C41-E18D-11EE-8AD9-56D57A935C49} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416532910" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1772 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1772 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1772 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1772 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2484 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2484 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2484 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2484 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2544 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1772-1-0x0000000010000000-0x0000000010018000-memory.dmp

\Windows\SysWOW64\rundll32Srv.exe

MD5 17efb7e40d4cadaf3a4369435a8772ec
SHA1 eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
SHA256 f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
SHA512 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

memory/1772-3-0x0000000000190000-0x00000000001A3000-memory.dmp

memory/2484-14-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2484-12-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1772-10-0x0000000000190000-0x00000000001A3000-memory.dmp

memory/2484-15-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2544-27-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2544-28-0x000000007705F000-0x0000000077060000-memory.dmp

memory/2544-29-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6BC1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar6D1F.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b078fbfaa4423089b8e48001cd41b449
SHA1 7238ee01ab2377e8e79263c2864fe2301d823d15
SHA256 c173b559323eeacb152eff82a2806f70408478e9e61907d7b5fcab4d7bd17ac0
SHA512 a58cda33c78595ab850a4335423e6a7becc25e6be486a2847614c9b032b489b7a101ecb0b7c5da56dd4059940c721363c29150e6b43deb67ef3f94bf7fdd2e29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2ade7cdcb69aafada988322b1da6674
SHA1 81e1311624711edafd5f08573fd00b66557c35a0
SHA256 eeb906e45300960887f9e84364b91752530887be1b3763c90041c802a97b1546
SHA512 8afe365e02b47aff387918e43c97e5efffcaf7b147ed700b2d4c87a266ee56b23bbf498e2904bacbbf87630724eafc83e44d72c2236113a12cbc7dc1131f4409

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ea77a4320a15ebd0eb2bcb86b166a2c
SHA1 d13effbb7abf651d318f219ce673d75de1aee4a2
SHA256 d4c1ec658779ade99a1ed121596d39b58428e9a2cee0b797d4bef649513c08ec
SHA512 a5cd00dcaa81d1a986f968f6e8318fef04554cc9e9304674e01a1ccb9beec2ba60b8291d9bbef05ef253f6dbf7dd8df44e9a8cfbdb6fbce0dd413d1127b354f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 337aa3b4f8eeefa43c13db0d3d92345e
SHA1 4415c687bf0a59f48f0b9e9ba2f052e4393649a5
SHA256 2eaab6936b830c3c4d37dee472e305233947521dd7f4e0f0e57279d097ffb48b
SHA512 3d7bb7459627853c12baab515617c4f4912a74a1fb6af87495e010b802338fa882c5c4679424525c252648e5fc4232b6d5f3ae15867601ca38820565cf5f07a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62979155aa01bd9f83295158f6277e26
SHA1 26209d6d672c5224e33d31f705e7308c6c2d6421
SHA256 19eb3fb2eb256aaba82ac51f9d65c7fff47dd0bce110e0b6b51c5bb51f1a6832
SHA512 78834ba30d37420b16ea9adb2435f2c412b3569085c23d6cb686722a37112fc8412b748c1a15ef641277078ad2ec5b9e5e99286306af6762557248a29fd79b5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fa85f2f19d6bbf09370fc1e02628aa0
SHA1 153e63545338d029b4fb253c8d4dc8fc88680e38
SHA256 a6734e0f16905fcd72db8d96b30efe29b5a17094735e9144e98f10137010358b
SHA512 820e370eb2791e9b54b636f9f8489a22ab8e3cfece4d9f3cab0fb8e4ebd6d275122efb2a31ed84f4988704e621ee01f7b2221f3935cbca4460c69be9e957440a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76685556e605a181998bbbfbab9174d4
SHA1 43a407a348dad38bd3c0afc0b4db11e9a041caaa
SHA256 37091cc2b1ad0260d7b5540b4d8cf935f91dc63226e832adaaa0e0ce0fb60af8
SHA512 32b9af9b9dce76f4f6f91f6da694102cc7359248e3efe3b9196f860755df2873f1345655050d8d5c1ff1aba2d245addb5e4ca2738e597b0e2765da6caa11fb1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d03165201c5f9168194c772e8eaafd5
SHA1 784b7f784305e9e91ff4e2a02375d3c49c9cca93
SHA256 c613679f5827c7d4d0713dce25c08c5abe36f52115429c1b6e84f13b073f409e
SHA512 c25554db4b70448db1a98b0f9b54f394083d71ede9135d60ce3e69a53726da5c48ee86685b2793a412318bf3f6a0d1c006f704197e00d9277d6f535e46e531f1

memory/1772-473-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1772-505-0x0000000000190000-0x00000000001A3000-memory.dmp

memory/1772-506-0x0000000000190000-0x0000000000192000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d2d55506653dc34d74171fba0bdc330
SHA1 f5a319f4864fef9614ca8df3305c537761527fd4
SHA256 a8ca520e5a5505a7ee490cdc565eebc919c43cff2b0d0f1672edccb1f912e5e6
SHA512 5c8d4fab4b19ab0e3654aeebfa6f3597f32a162c11459b5fc37c173bc68b766c70723b147c724dd06736f49308c1fb8e384ead31b25107a4e04f941b9ba7853c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4858b0ccc928ae0502e90ca04761acc
SHA1 7980e59ed79d8c6905921d24a182c2d97eeb7520
SHA256 c77dadb379fd8c53c4f0ecc420fbda8ae24e144fd907393d7256574d4e16fd92
SHA512 fc78d0feeeb0856a1289e9329ff5c610b21b754ec797e6f93b5ba41074e3f6b5680aa24205714272fb966e9b7beb5e3d717f22d0cb4e3e7726e4d3446b2b5061

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57b9580b5eb6df201c65e49feb02d6f1
SHA1 973fdd5b0661a73525538da318d2fa12b1ecf024
SHA256 1d7fbebd60272019c110c8bc114cb3b67f566f63b7d19254f83d505870945311
SHA512 ab6aef16bdfea5649e2a90c289bd5e01e5ec4fa99e60c5586f15d58b3b954d6510193917e6fecfe073741bcad14e7ae784f262088b2649eff7b34b927cb6519e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4997f25027384527a24c880c6009067
SHA1 24bd550c6b4f6e9689928eab277a6af980dabaa7
SHA256 4ac048658be69d3d0a21d67108168cf512b26a62d91bf221ae159cde36bd961e
SHA512 ea3c0a56e7285e45147a01a5743ac81f02c77d575b22811bfea8424e90246a362d7351df070f7ec0ef041ca04d0f0510bcaad5a28be90b57c7c17272a76f58d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb561401f5411d83f5be7f688ed4f06b
SHA1 19e2dd17483e5e2ab51b4b922ea1d46d8f884e62
SHA256 b5dc57d023887950b8fafeac9978b62ee3be3f5fa9fe8a3b5abe69e27b496b90
SHA512 22baf1bb9f05e23b99c104e1dac8d4d227b10ec116524f0966dcebb36c70e9a2fe361b5a1b0f7f3450b050161ba1f9ae2caa9924a4c8ec71558a4d797fc462cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ff03c6b10d97265f39627b53c532ecf
SHA1 42f30a0df83d0f786905b5faa399501627f38678
SHA256 0c4bfbe68590a84c13190130af51c2553cd37437226a366ecd7a49addc15e057
SHA512 c40ace7ef832dcbc6e63b6133530da43929a0da34b2b23dbd6a7d9401f5b321926b4d4edfb6294b26cd21877195c198898d709d4d947524b7aa7d9ce7f02cb89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9591d4e3ddaf848fe8af4118ea6a4e3b
SHA1 ce67e87d0d504097c851719eae832d13e59dbb60
SHA256 e1973dd304d75e424ce393be5fbb78a482cd1d64473c044d71f64964cf8e74fa
SHA512 d32292df786776c176bbfe359a6d07997044e408399fd78838bf72985ef9c35531d1d07bc2a8f2b008e477427381a5ee0f2f66a3b547c6b164a93e0e101a5a9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3295c14f638d4f522e7c8d6501a06155
SHA1 f6e0fa037096343cb36e8c9b6bfddfa21a7a710b
SHA256 09426974aa100b48cb7f2d0306009b799ec5411688c689de996c1dedd3036d62
SHA512 4f54387c2c6e27bbda0b72f9be7cd5646fd0256fa28e0938d5f55d341f56733eb0ccfc1d8bb9319c0d1f9df7bff3e72f89525dc51542d3d1a333bb8025b506e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a469ee1c10bea36df5d786a102430fc
SHA1 d2df1330fe553e9c9b4ea9b5e5d3e0ec7d657273
SHA256 fd2a71f5452ce0fc8a1cbb65a6c3f12b75432bb0d9c144b789c0ca6bb79253b5
SHA512 21c1dc95d0a63cda303822d94665fd79bc135dffb453541ebd7aefee44bc6445b52972b55429d5fc2b037c88c543cc524c7c00b2330672a57de710b30dfdf17c

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 23:03

Reported

2024-03-13 23:06

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px34FA.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094170" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417136010" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3427283627" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3423534160" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094170" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3423534160" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094170" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F7AA33E5-E18D-11EE-9216-E63A1A6527EC} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 3244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3244 wrote to memory of 4692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3244 wrote to memory of 4692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3244 wrote to memory of 4692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 4692 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4692 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4692 wrote to memory of 1764 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1764 wrote to memory of 4568 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1764 wrote to memory of 4568 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4568 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4568 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4568 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4568 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.31.169.57:443 tcp
US 8.8.8.8:53 udp
GB 96.17.179.55:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.55:80 tcp
US 8.8.8.8:53 udp
GB 104.91.71.134:80 tcp
GB 104.91.71.134:80 tcp
GB 104.91.71.134:80 tcp
GB 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
PL 93.184.221.240:80 tcp
GB 88.221.135.90:80 tcp
GB 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
GB 96.16.110.114:80 tcp

Files

memory/3244-1-0x0000000010000000-0x0000000010018000-memory.dmp

memory/4692-5-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 17efb7e40d4cadaf3a4369435a8772ec
SHA1 eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
SHA256 f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
SHA512 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

memory/4692-6-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4692-7-0x0000000000460000-0x0000000000462000-memory.dmp

memory/4692-10-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1764-15-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

memory/1764-16-0x00000000779D2000-0x00000000779D3000-memory.dmp

memory/1764-17-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1764-19-0x00000000779D2000-0x00000000779D3000-memory.dmp

memory/3244-20-0x0000000010000000-0x0000000010018000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee