ramnit | 8b2a5f463664453462be23a6690303971e68f88cf6a652329c9bb8d1bf1cb716

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b32a3d48f9682bad28cf4a1f4574ad1_JaffaCakes118.html
Size

155KB
MD5

6b32a3d48f9682bad28cf4a1f4574ad1
SHA1

64305f83d68348535f5a0aacb4ba98814eafde15
SHA256

8b2a5f463664453462be23a6690303971e68f88cf6a652329c9bb8d1bf1cb716
SHA512

c8f4611d4235076957da0b81b9d33fb16d65906b9ae8146c07f6a83d41f2385dc1b8b460235fbab47cf3569df5db3792a88beb130607869e886ddfc266dde572
SSDEEP

1536:iyRTwWdZw9mYmCyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrk:iAK7mCyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

2100 svchost.exe
2036 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2488 IEXPLORE.EXE
2100 svchost.exe

pid	process
2100	svchost.exe
2036	DesktopLayer.exe

pid	process
2488	IEXPLORE.EXE
2100	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2100-480-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2100-483-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2036-494-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2036-493-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px6AB5.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A012841-190E-11EF-9960-CAFA5A0A62FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422635389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

2036 DesktopLayer.exe
2036 DesktopLayer.exe
2036 DesktopLayer.exe
2036 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2936 iexplore.exe
2936 iexplore.exe

pid	process
2036	DesktopLayer.exe
2036	DesktopLayer.exe
2036	DesktopLayer.exe
2036	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2936	iexplore.exe
2936	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2936	iexplore.exe
2936	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2936 wrote to memory of 2488	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 2488	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 2488	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 2488	2936	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 2100	2488	IEXPLORE.EXE	svchost.exe
PID 2488 wrote to memory of 2100	2488	IEXPLORE.EXE	svchost.exe
PID 2488 wrote to memory of 2100	2488	IEXPLORE.EXE	svchost.exe
PID 2488 wrote to memory of 2100	2488	IEXPLORE.EXE	svchost.exe
PID 2100 wrote to memory of 2036	2100	svchost.exe	DesktopLayer.exe
PID 2100 wrote to memory of 2036	2100	svchost.exe	DesktopLayer.exe
PID 2100 wrote to memory of 2036	2100	svchost.exe	DesktopLayer.exe
PID 2100 wrote to memory of 2036	2100	svchost.exe	DesktopLayer.exe
PID 2036 wrote to memory of 876	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 876	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 876	2036	DesktopLayer.exe	iexplore.exe
PID 2036 wrote to memory of 876	2036	DesktopLayer.exe	iexplore.exe
PID 2936 wrote to memory of 1584	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 1584	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 1584	2936	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 1584	2936	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6b32a3d48f9682bad28cf4a1f4574ad1_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2100

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:603146 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cc4a56952f392689c905cca67a7b7b7f

SHA1
7ed30d4a47eafd03a9b269d2122aa4d1ee685936

SHA256
5dde8a6c495fc4bc8b929004a6a341bc13974f584bdfef2176ff4e8b630269e3

SHA512
a8d32573543fd5ec2fdf933606ad6ec8fec3c0441a1a4cd3e99a6b815a6eb68d78de23430d5657abd241b5a1d1a5f85ad7019343a1190e88af09624d6b1ade11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b8808c5a64a3fa30e4a2c2549a91f757

SHA1
4fb5bb0fd197444f077f1c3095fb0ad26050ecd7

SHA256
6d0342416f37d43d239e13a0b8635eff56ac01839796831e1d8232a0fee4873e

SHA512
852e9137f6b7d58a3d963c22ff2e26d840b83732074124ac6778af222214c04b631bd742092514eec89ce6e766e69a8945f9b3bef511a5daf90b830abec15ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
030f04334bfa26e221166ba311ca4c90

SHA1
abd9fefa6c74b3dae5873926c2b3848d0c3b8dbd

SHA256
f77c6425f37c65bbecdee605b74595788774e650b28a30bb8f6c732ddb88fc62

SHA512
c3550d08614a6f33725fac069bd30563ac733f80f7998deadb00bda67f54932829ed55363ce63ed167ad96d399d60f555629ddcf901c7cc197634c94ebc671a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
63708a01cb18464248d56ac7459b1109

SHA1
48b15cb3536d16c452ba3300c3fd4065c93a9e59

SHA256
296fb7333df700e1ceda88f93423de853e4e7ef0d3cdd5a52c515076b9846d00

SHA512
a6b3266ec765fbe23d99ba69c25b8b26208cdc6d5ab2a3a86e883f132e723da53302fdeb895e574a278f29b6d3e3c8b5b3df48adec4d709c06ac3c360c6072c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b8d7a83159f429ec5c1aeb291904be5c

SHA1
b8ee5fd097bc749f7843c6a894d3811377e4ea88

SHA256
a720bf501fdd65c915eb83701d142451b9e01a74ca2f1be04e34aa44861147da

SHA512
1c235ef8d2a173f0886e7c182d19df14e7e65c919b66390119d7f0c6448b3bcaf5da7bfd12852d70385f133ad37be1dae9b5ce239676724deac8010ac5467470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d3c4e87f077c4b752394fca6f29951d4

SHA1
d2a8141a803add9b62db4e2038d31789fb504623

SHA256
d249b9a73d6cc3f6d7d165532c50748705d9985d4ab646b3c1a56dce6a2d71cb

SHA512
75c3d3007e3249f86802468a9a344736d98b65cda25e6f39f1910362852a337921cbcbe340f74bd6d0412e286ab21d1fbc20164b2a7c064378f644215e763da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
24857dc1339355af97bb407c8f2c4c03

SHA1
a82449d6321c8452a59544865787bf4de1ec4bd8

SHA256
dd5f8e400de23a40db5eb72e2daa69b730c217c75817521deb41a977351ff086

SHA512
785069207b0debc069489796e03e2398f1ad4d74f08425b2b167d5aac262a703deae2e5e0b68a166528417a7e33dbc8970b57bfcab10fd151d25a2721d364f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de8d1b84f4df9656cb80bb856fb19c7f

SHA1
f3f9b9e521dedc43d80cfdfaf51abefe89bcd069

SHA256
12b48bbee56d674a4edd4dfd8a1a60d4d2c3a83a32e9b208cec3376b6aa8df8c

SHA512
c648a6bd42aaa32a9f250ac1b1a11ba94e63c7f8956b28920e1f31d53b987c519df6cce0379d8596c124e21a293134ec66819b00f05d7df8fc26f759aea9fce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
606e51b69317c4201fd2a588cfd1c4f0

SHA1
73985e29cf180a117bc4b45a5486719fbe6d64e4

SHA256
3e1377159264edc4cdaefb2c4e7c359273a88bfe3e1967aa7eff75970a1f6e05

SHA512
6cc9acbb2286c7d926efb493e5d6a639420b3bb32878ffdabeacf345685b23444af2d30eace159037b33fc186429df0abb4d600ea0b15a449fdc8531505865cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aadbd8a4ed0aeb6b407c9dea929d0d92

SHA1
ec44860759e9ed3f69f0c6c9facfb90db9f07922

SHA256
c1f748c07c61c23a2bd8f226f9ac6b8e5b2163d0618934f25faab57908c6062a

SHA512
181029c05d7aa390d8d3ca93c7e6146cd7967c0aee23a9612096dc61e32b8f490e5d3f9b7eecce490ad7a528a57931a5fc55558616f148e0f1c80c82d0aec9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8529.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar86A6.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2036-492-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2036-493-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2036-494-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2100-490-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/2100-483-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2100-482-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2100-480-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download