ramnit | a3ae4570ea79edca6be2b632e73f6377d254205fc88dc0d0d0251a13dcfd7749

General

Target

a3ae4570ea79edca6be2b632e73f6377d254205fc88dc0d0d0251a13dcfd7749.dll
Size

142KB
MD5

372a395d15556063fe723a7d25b5d2e8
SHA1

67b55d03ca5f3db23fa6521afdf34a9022c33af1
SHA256

a3ae4570ea79edca6be2b632e73f6377d254205fc88dc0d0d0251a13dcfd7749
SHA512

df89847f4a95857048eaec373a6d632eb472bdc7306467977ac84fc1ee4d17b38dced1bf7e1b34ebdd80f6b7537441f73751f13399f620fc89f7e107a3896a7d
SSDEEP

3072:9cwO/iTOdgWtJwrudmurEaMWgcVQPqJWhMAXNEzpDKQsojV2XI:9DTOdgWtOrudmux2yU/9ExJjgY

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2356-1-0x0000000010000000-0x0000000010026000-memory.dmp	UPX
\Windows\SysWOW64\rundll32mgr.exe	UPX
behavioral1/memory/2356-3-0x00000000001E0000-0x000000000023B000-memory.dmp	UPX
behavioral1/memory/3064-20-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral1/memory/3064-15-0x0000000000400000-0x000000000045B000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

3064 rundll32mgr.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2356 rundll32.exe
2356 rundll32.exe

pid	process
3064	rundll32mgr.exe

pid	process
2356	rundll32.exe
2356	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral1/memory/2356-3-0x00000000001E0000-0x000000000023B000-memory.dmp	upx
behavioral1/memory/3064-20-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3064-15-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422589008"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D965501-18A2-11EF-9D76-F65846C0010F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32mgr.exe

pid process

3064 rundll32mgr.exe
3064 rundll32mgr.exe
3064 rundll32mgr.exe
3064 rundll32mgr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exerundll32mgr.exe

description pid process

Token: SeDebugPrivilege 2356 rundll32.exe
Token: SeDebugPrivilege 3064 rundll32mgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2632 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2632 iexplore.exe
2632 iexplore.exe
2092 IEXPLORE.EXE
2092 IEXPLORE.EXE
2092 IEXPLORE.EXE
2092 IEXPLORE.EXE

pid	process
3064	rundll32mgr.exe
3064	rundll32mgr.exe
3064	rundll32mgr.exe
3064	rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	2356	rundll32.exe
Token: SeDebugPrivilege	3064	rundll32mgr.exe

pid	process
2632	iexplore.exe

pid	process
2632	iexplore.exe
2632	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeiexplore.exe

description	pid	process	target process
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2356	2352	rundll32.exe	rundll32.exe
PID 2356 wrote to memory of 3064	2356	rundll32.exe	rundll32mgr.exe
PID 2356 wrote to memory of 3064	2356	rundll32.exe	rundll32mgr.exe
PID 2356 wrote to memory of 3064	2356	rundll32.exe	rundll32mgr.exe
PID 2356 wrote to memory of 3064	2356	rundll32.exe	rundll32mgr.exe
PID 3064 wrote to memory of 2632	3064	rundll32mgr.exe	iexplore.exe
PID 3064 wrote to memory of 2632	3064	rundll32mgr.exe	iexplore.exe
PID 3064 wrote to memory of 2632	3064	rundll32mgr.exe	iexplore.exe
PID 3064 wrote to memory of 2632	3064	rundll32mgr.exe	iexplore.exe
PID 2632 wrote to memory of 2092	2632	iexplore.exe	IEXPLORE.EXE
PID 2632 wrote to memory of 2092	2632	iexplore.exe	IEXPLORE.EXE
PID 2632 wrote to memory of 2092	2632	iexplore.exe	IEXPLORE.EXE
PID 2632 wrote to memory of 2092	2632	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3ae4570ea79edca6be2b632e73f6377d254205fc88dc0d0d0251a13dcfd7749.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3ae4570ea79edca6be2b632e73f6377d254205fc88dc0d0d0251a13dcfd7749.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ed678434670b4ac8a2ee18ba5d32e82d

SHA1
a0afbf55dadf115611eb13934673d09179e506eb

SHA256
6a1648ee5992318c71acc4a0b66764e2f35db1d9a98c4587f64d7eb1a267832e

SHA512
e5a15138b9cfa84114ee400f72b6250922a7a06ee7039db4a3d8aeb02bfee7b4540ad3da9123c6cb9a1a3d2682ac12448631f338f70c83fbfce900e535190811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec6167072dfda231a318e0ef76889d0e

SHA1
923d0bceb51738ff059c9b858cabca2ab997430f

SHA256
be6479b8497cb939b3e2a6b8aed23d3d80c2ff486b5f988625a93cfbeec0ed7d

SHA512
f407637b7cafc31a160eff37b7c019f31b5a0aafda64f4624c896fb211620529d5ccaa5761a409478ef25cff3bdb9081fbe047bd57efc5c4ca43a3e820ac82ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3537.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36C4.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
memory/2356-10-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2356-11-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2356-12-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2356-3-0x00000000001E0000-0x000000000023B000-memory.dmp

Filesize
364KB

Download
memory/2356-17-0x0000000077A6F000-0x0000000077A70000-memory.dmp

Filesize
4KB

Download
memory/2356-16-0x0000000077A70000-0x0000000077A71000-memory.dmp

Filesize
4KB

Download
memory/3064-19-0x0000000077A6F000-0x0000000077A70000-memory.dmp

Filesize
4KB

Download
memory/3064-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3064-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3064-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3064-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads