Malware Analysis Report

2025-08-05 19:12

Sample ID: 240330-ask5hach2s
Target: 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit
SHA256: d1ae2bf536d98cd937e819a098bb6eb7ba2af009dd5724563a6c03233e22885e
Tags: ramnit banker spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d1ae2bf536d98cd937e819a098bb6eb7ba2af009dd5724563a6c03233e22885e

Threat Level: Known bad

The file 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-30 00:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-30 00:28
Reported: 2024-03-30 00:31
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"

Signatures

Ramnit

Tags: trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\px4B43.tmp | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417920383" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71829111-EE2C-11EE-ACBC-CAFA5A0A62FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2356 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 2356 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 2356 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 2356 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 2096 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2096 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2096 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2096 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3036 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3036 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3036 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3036 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2356 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2356 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2356 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2356 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 2656 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2624 wrote to memory of 2656 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2624 wrote to memory of 2656 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2624 wrote to memory of 2656 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 188

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2356-0-0x0000000001130000-0x0000000001173000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2096-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2356-5-0x00000000000E0000-0x000000000010E000-memory.dmp

memory/3036-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2096-14-0x00000000003C0000-0x00000000003CF000-memory.dmp

memory/3036-20-0x0000000077C2F000-0x0000000077C30000-memory.dmp

memory/3036-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3036-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2356-16-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab61F1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab62BE.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar62D2.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6833edd309ffb29474acef998fc95064
SHA1 47ec918332e79358758ee179f5a1641d73765b58
SHA256 8db87ecf929e1f590e1d591a89214aa90ef42c1747008f43bfd45f3c9bffa097
SHA512 6744c61e26cc2239d46f538c03a4d01e3a275ede9a7edca657e776560a153757e0c17a3d6af648887ca033bf8026dd88ce5784257ebfbfc2810651bb69818635

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d202b3fcab2271cb345dff2f5da3cadd
SHA1 7239077e87ba4788cefa965286d8d6d316429414
SHA256 c6060ffd7bda3f3757523da0fddf1b5da63c40627e2d170562b27a2b095288f5
SHA512 d1c23eb3534552cde94756e05b11c76e716b59cf2c73cb058979d7207ff20294c504a04a99d9452d2dda0fdc4c9cef7ed234ec48638c7ad1f02453f95b5f560a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 772fc4f32e41f53e064bd3b80a708459
SHA1 b691c4c3b8740480c637af6002353b61cf41d812
SHA256 9895d10097357b50493f865e96468a9a6ef9626ea18d3fb872627042afcb5b31
SHA512 b768ef6da86f7c7ea77c24433f4f59b8a9a7426aef26b131622d63a419d2219facbac4c3c4447080c6c510ba1284fbe20527c02d8dfdeaa7ea56b9aead4be8ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e005ccec425d8b212ba56245548bef51
SHA1 0cfced8c4eadec314ca40dc32bf170092a5a329c
SHA256 011f5bba120b4a8168797a0a3d3a0933f13bf7e7f22fe29736d53f4754e422be
SHA512 1a3bcb24b3f937fefe30b69193b46ccf7086828be53fd0e72b35761823dccc7cdb9cf23f607e5f8c8cb09195a11cd9d0211d93fe5d9d8682a28f7084fe766474

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecd8472c51bd65c1c130f8a388bd0a96
SHA1 77d298c0dedb8db42f1491b2be012402826df208
SHA256 7e1c3a3de82310f4466be7c329c27fe0872035e623ea9848c81b261ce060e5d5
SHA512 9dca140f54cb6a2ff056e60aa7cbf9fc95abf7f56d4b29914c0c52cc3bdee6156cedaebac403b64d7e1d12c839c48c470280476ff71e035437c9ebd0ed7dbc57

memory/2356-496-0x0000000001130000-0x0000000001173000-memory.dmp

memory/2356-497-0x00000000000E0000-0x000000000010E000-memory.dmp

memory/2096-498-0x00000000003C0000-0x00000000003CF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03f8349f0f6ef490a8e82db44d8bd7c7
SHA1 20ed3cce67b193054272e8c535e76b83ae980b9b
SHA256 9ffe0e33fb2cdbc5db5388ae2383cd492d3d772ca36aa46379e874b3d41af315
SHA512 af87c75485f4677a79d2028f432423430203cfd850169e6f1be63ec1afa3095d007fec6153009f4211c75b639469e0b552324a60f1da9b6812bc12f9952bef0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c07cb75d5bfa87dce672a34b625fcc54
SHA1 d91539a4d4470b633c18cbe73e00b84a42914870
SHA256 a66423760279110685c2db7ff57db2f37f855feefa9bc8dec7a478abf75e5179
SHA512 e4a2fbe10abd4723fbbe34c92df5d19ac143d6fadf6559db38cc1e82ccc163e6a92945814a72e131071a2a732335d5fd8fb7e2c9069a4105738dfef940c53614

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73084660c553e96f1ec36068f7dcc5c8
SHA1 2da5be67b51e2c740ec454b1a990b2906f97d454
SHA256 bb904303cbc660c4868889533e110cfa31e6f00d4d8fec5f73e41d5c5c938fa7
SHA512 54c944df134608df83b23dc96fedf932e3032db246b55a9a088c68caa0a73cdedbb976ebc6e97a8045606eb2f35ca748decc756c98308cdf642f41e597fc3729

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d7365b2bcdf41d19c26a0cc524fc101
SHA1 8b530e5b018db3412e6df799cb24d2abbab101d8
SHA256 e8c781106ad797c4de1c7f899f519ff003576dea0434ee30cc90a759e6513074
SHA512 71fa70ef59eaedfd669247645879c48923a43ffe39b907b7a4739d6f316c9f18d8a75f3bb71346998e91e3a8fc3ca1dd4d4dd59df442141a8afb251dbfa03cc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 835939648508a16f9bcdefd61bd1c33e
SHA1 a924f8927025731ab70cb094265a6876da664ce7
SHA256 adbf403f1d60249e84657b15c394a7a1eb0f067cb5d1da8cd73742dc6b9ac39b
SHA512 b80bcb8cdc5b5be6412b5d584c25aee06cb84fdea3de491737e1a85c031b90629fd9a7f6c41c891a6890868ca5dc4c4ec187af173f1862090d6dc97be98be760

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc4b99c5db0be56e15c33e42a1ebedc7
SHA1 cb5f0c082afea55a53d2f802c08bfc163bb2bc3b
SHA256 0dfaa6563b5ee42e45c0c44be6db16d491b5f32f6a5c55f15884be400cd5218a
SHA512 71eca0a6e400716bfc186d92b788e78166e668b16164b6c8304b6032310228473c355895162883fd4499924d1e6b7b21224738017cb347b88c64f537a59e8297

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aacc5a5b28684737d5d1bfbba8d045f2
SHA1 5990e64ca0bb64c3649591afb885bd05d04b564b
SHA256 10f30a08da2cdcc655a1e5baf9f88da4c313e0db6347febb97666ec7aefaa1d6
SHA512 beb42c248a577b80d51520ca899bae0e7fffb5cb8a63bec329f389d5cadde0a44ec7864c09894d850c135fa1164595615b1ef452d6e565a4835cd614de92b1b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc062a7544e0f10581dd8f00ee44696e
SHA1 ebfd945607e5fde042bd62557c38d7891619b1f4
SHA256 f57b35a01cafc42bf3ba96310e6d8a5290cf9b6ad0e23b50be235437158a313b
SHA512 8cbe4cc3deb3526a7aa6563029cc6bca389e41249c439ff8ca6433eff1765d180cf80d3144447c46813ca9a7cac1a0d69fca7745e4c58244d9924c6af8581299

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d17ff2120582ef9b44e55d67227aa20
SHA1 fe0e7a6de37b0b573c9f0597304864d8f94a375a
SHA256 f5b7ff09bbeb9dfd4027d6c60f30d7c3412463eeaa2527b647ae583237d9fdb8
SHA512 cc6712d85caae6ccfea2d9b26926e99c36a0e6558bb6f4c00136bca9baa4f4bd80131ef5d199f4d57a8c9e1e44b7c4799efa7432c412ac7068ca9795451bef7c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-30 00:28
Reported: 2024-03-30 00:31
Platform: win10v2004-20240226-en
Max time kernel: 115s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"

Signatures

Ramnit

Tags: trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\px705D.tmp | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31097401" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1194258671" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097401" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1277539129" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418523498" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1194258671" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{72AD8A3C-EE2C-11EE-9846-628714877227} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097401" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4912 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 4912 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 4912 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe
PID 432 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 432 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 432 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3488 wrote to memory of 3944 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3488 wrote to memory of 3944 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3944 wrote to memory of 212 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3944 wrote to memory of 212 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3944 wrote to memory of 212 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4912 -ip 4912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4372 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/4912-0-0x0000000000D10000-0x0000000000D53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/432-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/432-7-0x0000000000590000-0x000000000059F000-memory.dmp

memory/432-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3488-14-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3488-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3488-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3488-18-0x0000000077202000-0x0000000077203000-memory.dmp

memory/4912-12-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/4912-19-0x0000000000D10000-0x0000000000D53000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 83b49b2e7134c3062b8085920426bfb3
SHA1 b4cf85a34739004f8c250efa1c3b021c19830c85
SHA256 1cd035d5b63a191de0e8853548025d785dcd928e3049dec5642009391f5befcc
SHA512 a7d8db600b83ae679a8b03a677259b5746d883bfd131f09859447c0400835536297b3ed6419a44e961aff996dc5536b55d340399ebacca3be3ba4b8b19781d4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3c2d836f3b970ffd159449e622defacf
SHA1 d9e8ef57535a08a3d7216af00444577b997090f7
SHA256 b79407a74548fd3906d927d6b62916c0e742efe456d9c5555e86d8f4a20af829
SHA512 1613464ee51104679d0c1d6135e40efeca8c5765eda05625dada76d1b7c5b1481113ad9ef998aeab5611a3b8ff55c87fd3ffae74319acab25e468c01057a6fdf

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CCR56MZ5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee