Malware Analysis Report

2024-10-19 13:22

Sample ID 240611-c32lca1djc
Target bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572
SHA256 bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572
Tags ramnit banker spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572

Threat Level: Known bad

The file bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 02:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 02:36
Reported 2024-06-11 02:39
Platform win7-20240215-en
Max time kernel 121s
Max time network 128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px1120.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{772ACAD1-279B-11EF-9DE9-520ACD40185F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424235282" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2944 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 2976 (4 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2944 wrote to memory of 2900 (4 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2976 wrote to memory of 2764 (4 events) N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2764 wrote to memory of 2060 (4 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2060 wrote to memory of 2596 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 connections)

Files

\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2976-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2976-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2944-5-0x0000000000180000-0x00000000001AE000-memory.dmp

memory/2944-2-0x0000000010000000-0x00000000100BA000-memory.dmp

memory/2764-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2764-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2764-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2764-20-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2731.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab284D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2862.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e61627c596b59f1bdc5d24ed986fda6a
SHA1 63364475832f3ab860bfd9d354153213e1f841c9
SHA256 3aeedd8f6fffbc6345a7eb874f80dbf50473edb93a14622190c66cb99e309e46
SHA512 1e30bd71269056b4c01148821c1c26a011334db67223fd7bfa7905eef36ad2981676b1e1db7f955e628f780c6ea2d91c3e9b0335f750b29ba876e908abb12519

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e4a45f218c5111d9dfdf30fed53b680
SHA1 574fec972f26ddf74aaf3152672750e0e80792ef
SHA256 d8149113482b8079d482d92f5f37c5452a2e68cb25a2ad22d1ca918b55e445ff
SHA512 3039075667ecb5384d2f7f5593911749ccd1253bfcc59943530c20d2df8dd8b7545e6f008546c307add0d90925d8f084a10869effea4cd20195a2c126b76020c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c0076de027b68ea43e9542fdc933fd4
SHA1 56dd4410ba4e7bc43e206a96268174fb6a06b144
SHA256 52962c260f75f33e9976a0ac39959e754f9d2899fc412cfd5188104c98203a31
SHA512 d422e98f01f816248588e52b03e62d69c311e469bd47b9e59ef63a90acb10fb2865c73ec923aa29539e5c6eb4beeecb45bf9af40d310ac5e9b580fd4665a0d8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a614fe96d74d96a046e92566faa5114d
SHA1 061e1fa534b5f2a9922e1f8de7b7a282dcc3261f
SHA256 23624bf7a4eca9d7035579b09263c0c38207308b8543f51927ac0c200885ec0c
SHA512 e78c801b31b83451d2ca44714fa492874dd2bf00af5c978c33be17759d25d0884b7876e17dc6f78c94015a7df6ab737cdf177febfd3fcd522c1af3ddfbfb2b42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5244227403a6ea79d4f264fd00716e88
SHA1 71007aa81b28671817f00cf80b231e983b6d8d3e
SHA256 ff38cab6d37aa2ae7f07d7ef6b9cfd1de59a395acd80d66278590ed09dda1e02
SHA512 ac85385d1df329424bc2262a834793015882e9f6c6ac5b3e1d738f41c90602bdc859cc22806a5ca82cc0a29529d7744543fd34f5e345878d6b63533f4d6517a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a76c18c892e639e097ed6f677ec5e4d6
SHA1 6544e22774477b622362f371f04dbef541b9fc6f
SHA256 3d365032f4fbc2d15f47c28755394d7710326c8243ef96be00d738e1cdd49137
SHA512 ebfd0e9c156ca5c3f21d62bad1aabc993dcea02ef962fa64daf986026a1fce0e3e8b9dca0aa15b0b91df7942ed377d817bdd783c7e4f07b27194c9568727a9dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7ce3ae7fac2c0e9901527db8b4668ad
SHA1 3557790ccfbc6469b1532098952e45e36d72b44f
SHA256 763845705ae1655e7de38098dbec713093224b0dc5d315518727698f82934b34
SHA512 706c5da6883cd2958de3549bac78061516170152da7e13144d32b9612dcc38c327fb055fd637363c7a2c01e52b2e7cba988d4ea584cb49cedf73084fa5f82d6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 960729805ccb12582a7cfe44d2079bec
SHA1 38d614347add873dd8949d5096a49fce79d71f91
SHA256 e7c80cb17f9d765d196477648eb80482360b8de21baae63418642442b40111c2
SHA512 9d6f543617a84a467293681bb93038e94e307994ddccf5ef635c546b0e53a5cf04ce3d540e096919a7f45a41f2a0effbd07e51085899422f9d96e59d1b494bbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82ac3d2aa73e506f829c5098d79dde72
SHA1 46823545ad9004edc0bc6cd2576c8ab0b0de9a4a
SHA256 d3c3538b622ed036fda7e82f49c32cd07c22d403bad606c2ca383459f9c557e5
SHA512 fa5812ee8aaf1cac3c270bed787942dba63c8b758616b21f68945af72c09d938cb670a36ab609225f0b086a9c67b10baf4be08a6ad4237f67ef7012fa2ece97c

memory/2944-496-0x0000000010000000-0x00000000100BA000-memory.dmp

memory/2944-497-0x0000000000180000-0x00000000001AE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1460445d25488a58373f4659bd25b86
SHA1 713169b3defb76b4fa17a823d676780df0cf6057
SHA256 bb20e07d29ac59fccea78e572687857d40300f867e26529d6c42d0179a0140b0
SHA512 0d3cb56e58bb06c6e6f52812a040fa9c3f2032b3085a8c28b493cf06314e913de9acfe71e1c863a3a70f0c2e6d3e5c28bb6c4950104e9d9cc2aa7d131f5f5d0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90459610548be304d3acb8a552de377e
SHA1 3e5f64fa0e5205c1830035e5ccc3d8ca1cbdd8a5
SHA256 9d0eb46e48ff04c51db1ba96fb6156723546cf1b5685f1d99c2db0b45ca61dda
SHA512 10c55b1a3d79e3d6cda4b6456d7b46cde3329b212291c730aea7c0df4fa73824777fa901a714f9cc0c8ec05ebeac069c52e397fbf25e442111a6710748a39770

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c316695b4efb8975ae4c0b5a15d3e5e8
SHA1 67bcc0640e634614c72c54a7a2ff4d94bf0ae618
SHA256 b3873a57d1fae840fb571721660a5b14d6b70fa726caf2b7cacddabd15222180
SHA512 fa869ee3a09d8bcd980eb640755f3b8ffad17f717b689d4d787c7456f3efd77b0186e3d01c3c506520ce354f5f27d94a12ef06aa64f25253dc015124ddc05c02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9e822b4cca7a29fde782208e55a2791
SHA1 fe73ff7dca02e941273b5f58f38abf82661f55e8
SHA256 8f7915d8980b5670170837c1c5b4800f06d8ebeda66f9f0f7c972461dbbc8f6c
SHA512 c2461f8af63804016ac00ec8641c204e27b3d45961d1048f39f64e7f5f06ebaf234969f3f0149b0752ae6d8f4031eea2c580b39e7469ebef6818ed4257c82de7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 508d8bc7d77e08920c83b74794d2ebb1
SHA1 cae5f5fc4ed34483e12b4693c5302c3f3b334205
SHA256 e17d86e19f4de81c2c9fd0f8e8d1ebec0467218f231c1cc441336768652fae7d
SHA512 5014d86bd7dd9abf45762e9dfeba840ac4661725876a0cadfacd2045921146de0593fef539d0d74ce35105dacc6b2999da27ab8080e3563a8f732df77904c30e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3286c80aecfc361c8df4cfd2d00f097
SHA1 bb295344a549881f187c96a548fa0f9b3bd3f5bc
SHA256 aa5805105e9ee54f8296db3f6a6f2dd821c2e833684327ea38296970e0bba0e5
SHA512 744c00ee3c1aa8c1ad66d6593314841abf143e693d5afce468e02594a6b5e40da90fcbf3b238aacf192fd329bbc3524f91aa866f0ee5f167f5ff22ff1c0ee513

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c95187bc4c32f0f455bde7696a815e6
SHA1 04d28dada552f7cadcbcda9f96852d2858b33a3d
SHA256 89cdebffc8a612f090b076ec31c91f52c729eceb8cc3c1b8bcb68a8f0613b944
SHA512 ec696c6d021727495b70caff711c12f9ea79044677abe42bcd9f762a52fec615d63964b960459155893d4ebec39dd06ba184c57f667b910731bfd3344af1fd45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d5b9bac6a1774db3a56648ea93587ea
SHA1 5c56a366c0d2023686513785a348f27d81d8871e
SHA256 6f5337645cf76462a448181cb14af1cabd8b5ce72b852a20d45f1c0bba9881f4
SHA512 bacf5b839aa406f9a662f621d66312408211a6a7831e529f14ae7c810ae9960120ca36d8bfb7513223acbc35dfc408164f4a5cc2303fe06f0059ba2868f7933e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 600abb2051c571c378988692118f9857
SHA1 458dfe43a1d35adde6bd30741455cdb7efd61768
SHA256 665f18f56e63de5b363df23d8ac827aa7f8b06ebb3bb88a1bb469cac3ed1f10c
SHA512 94f73015f04983edfaa07b7d9c23372ff4740768c9a7066fa2b43a9dcf26805ac906058231bf640a5e40cfa24e79cb2766c909650a4781cf7a472fa184aab27d

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 02:36
Reported 2024-06-11 02:39
Platform win10v2004-20240426-en
Max time kernel 93s
Max time network 142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px421A.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112104" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1280418506" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1283543380" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{77D2A226-279B-11EF-9A94-5EF7A92F669A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112104" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112104" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1280418506" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424838390" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 3760 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3760 wrote to memory of 3200 (3 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3200 wrote to memory of 4120 (3 events) N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4120 wrote to memory of 2824 (2 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 1688 (3 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc8f1f867b2e6c7d90ee8db77ce5e6e7bb14fabbe9cf4b53092b8915c59eb572.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp

Files

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3760-2-0x0000000010000000-0x00000000100BA000-memory.dmp

memory/3200-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3200-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3200-6-0x00000000004C0000-0x00000000004CF000-memory.dmp

memory/4120-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4120-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4120-14-0x0000000000490000-0x0000000000491000-memory.dmp

memory/3760-17-0x0000000010000000-0x00000000100BA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ba5c07e84aaf8703c7f383a82d696ce7
SHA1 f51fbe8032555f84974ed041a09cc6211d8ee0af
SHA256 088079d3c0c9b9117e2427529a2e6ddd19bd694d1180dabf72cb80dfad1fbad3
SHA512 987db2bb8c1a95f754c724f5921152a3e1f6a4ca7b7c79f7b927eca93e9251e73eb91d8a972c094061a8dbfb6ad82e5133ed64ffb7d9c9de946b705f4081d31f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 5dfaa62da176a6a869d77122cf106e5f
SHA1 37c73985b318d9f74ec30d03acb3cf143cac67f1
SHA256 22a060752fcd40a892ca514f92d08682d2500e35ffda05ee9f84d78af0c2cf42
SHA512 611b18c3cb99c803d006406eaf9f5c3049daf7d37d2e49835a4d8cfb6ece220ad9438806e8f9c9cbcaa56fa14bd1ca2ef26546a11cd527a26f37b6bceaa81f7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TF1TYUIH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee