Malware Analysis Report

2024-12-07 02:17

Sample ID 241117-jtyawsvgpl
Target a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849
SHA256 a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849

Threat Level: Known bad

The file a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 07:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 07:58

Reported

2024-11-17 08:00

Platform

win7-20241010-en

Max time kernel

70s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px32D3.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5E5E431-A4B9-11EF-A7E1-668826FBEB66} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437992169" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 1516 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2380 wrote to memory of 1516 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2380 wrote to memory of 1516 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2380 wrote to memory of 1516 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 1516 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1516 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1516 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1516 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2448 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2448 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2448 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2448 wrote to memory of 2932 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2932 wrote to memory of 2572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 2572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 2572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2932 wrote to memory of 2572 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2380-1-0x0000000010000000-0x00000000100F7000-memory.dmp

memory/2380-2-0x0000000010000000-0x00000000100F7000-memory.dmp

\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1516-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2380-6-0x0000000000150000-0x000000000017E000-memory.dmp

memory/1516-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1516-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1516-16-0x0000000000240000-0x000000000026E000-memory.dmp

memory/2448-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2448-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2448-23-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2448-22-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2448-25-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4C01.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4CEE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baa289a518c44fbd63d29709dfd977df
SHA1 aa31791ac13f659eb9f6b96a9617428deda5052b
SHA256 97ef252decf3544acc9d957fe02ef977f1ddcb27645f64951047c638fd180567
SHA512 224a8d3e2bbbe4de29b0ea850c47994cd5df99332f4365a657a3f6fed6e28eeb78a79acf66629afea06ff1d5fb2d82e3a07718d606c7dc1729132540d4a0fbea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9405306e1d096dbefcf176168aaade47
SHA1 1ac1d01f913a1119d34f6e393d8d99088633a50d
SHA256 788c4d6dd0979e6022a349cd250433613d8e313aa5503fe524465d871327cfef
SHA512 4d7571f5a7907dcf898fccd531a91f254ab7b6df95dd5640f437cd4a1bb5c3646bd248f08c5d551727d2ab6d644fecdb8b0ff956ef7f0ffb7cd8946fd2e8e800

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 397bba7f35dfb705e57557d6fbda7f9d
SHA1 a2fdd13c6a14db85a60c1493bfa0782212f1c087
SHA256 b393d25ec0385af17638ae25b0b3e6463c867c3be019f3a3f5e5e3c02e09061f
SHA512 17787fd687973213c05fa413a6d64d92a9ff08aa358891898a09abc147a18f7e1b29bec1db86b5495adf72b0e5ae201bf4caef350051876bcc94f4496b4df8c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78ca6b38dfd16dce31dfa086f37349af
SHA1 e67ce21b4a1bf60ba00fde431b2a2b1affb80a00
SHA256 fb2988086895734ee4026ce013ce696ee1014a27a1dac08c897b9102fb84c38c
SHA512 d621d5696e50d48c411680b69e082bda7a95d6e354686a6286e9b677f90076c8328b37aa135b542301246e754c958d84efefd8004f5da9dcbd43e4db7460483a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0be66c5dd0cc0a5b96928f08955ee6d2
SHA1 6acb4aec9b442a7df3f6a1ecc839dc92d4305ec6
SHA256 a89ce094527bf7fc44fef12578d86f61faf0ea89a0cbcf43bc80ffbc8a75866d
SHA512 e79a3a423fec3ee05bf7e02f377bbd912aa69b9aa53a6022fd5dd40228d331420c139315f9a7d19ab222ae448d7c09c95ca76e067a2fd6e8e45267e61e61d5e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4285c988675846409fa68f5b4fbf1f41
SHA1 8d32c36a0a1d9b33ee1c3b8b0fb560fa1e803a0b
SHA256 8bee240e1adf0dc5cd1e72f184ebb70c36086f1f13aae992a3378f934ef36a2e
SHA512 23ca4319785130e88f69317d9ba65ca24fa75742ccae70087e394edd0ae5bd638c8994202f6a0149a56fe5705472bc601ba128ebf9d6f4f2a0b24329ab51021e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6afa3ee5d46d7c8038726ae269a61a84
SHA1 caa7051598af62a7b6ff5f25397b039ee9f11f61
SHA256 ef31e076cae47947b3716772ae143c159c58b1033765efee895c6cee998356f2
SHA512 f77be6910b33ab291fa7e7f62b5b776946257a34c99f6c665fc7d2b60a2cce551c853e3b9dbf25e8bad3220722885329d6c5b9ae7b2673b7e7244134e601c0e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e97c1183bb1851e0e74006681bad29f8
SHA1 f1324cd7124b00c0ae69ab017bf7e8484d5f67f1
SHA256 db0223ee11ac2495ff217744f09fad2faf545f1c404fcd34ef3935f1d5233913
SHA512 e7287e8847bfbe4f89bf1082a0ab2743c33469a67bd06f2d27d155ae873b3e3c2f8fa697655b411338feefb92105f3b9e33f04f27381e7a2cadd9c3a07b22558

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0295621126b0d3315cf8cb45826768d8
SHA1 242df8ea2c6bb8f98dd8a21ca3408db2f48ab186
SHA256 3733464f089184985411b2eb2f96aae4679283bc5888ba0ba10086b22812d42c
SHA512 92570475e74fd510a2d076832ec9e0c5e2bea3bb4e451f72221aba76657ba3e17efb377a48798c4cb3f16502659199f1adb3833dfdf6f4cc6505c4f5f34e3879

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a58664eea6b7bbf327205f0e5c8a3c92
SHA1 0945912a8a1960b052db117d3d5a43c933167b84
SHA256 88a4489d2c5334beac891655612f86cb6ad2d32fd119f09f3758d796738df091
SHA512 6d3aecfe81f61e4e7d6848ffc3db13f8ddf79ed3e998ff1d2d1a7432c39dbfe3109c32e25dcffb5aa2003428632db66bb8777363de3a1bb673a5ab64ebb650db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1334abc3750422c96f1e99dac674bc5
SHA1 ab0956fc1f512863368838c58bf957d8bc464969
SHA256 2a7cc7abf005729b7010872c2324e3260ca1c3197bec50cedabbbb7ff2e83c16
SHA512 44f85b4125920ef75b6f923da6c4353766ad7948a609735681fe5f907b41a3cc12d566c6ea7df1b9aab45ce99e67a9d2bd546f99afb399c63fa3f8a2db0a16c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0ace424c971a89a324d06939768edc1
SHA1 92fba3ac71fd2d39b9e307580741094a888de574
SHA256 4dae1c6e1461e3668b49a463705e021df6b0576d970fe2770378b654dd134b4c
SHA512 ab3c8c21c12aab18dfaa075953229ad49d2413a198805aa2eb24aa981f34c9b41283cd04175b366db81c68b607d661ed96caf985b0d5e5709d630bdf6151a6e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a9f992a5485d53dc1217fa7dd614134
SHA1 03d09715437b7d8e5cd1bb5e99e618ee0bbbcdb9
SHA256 e9d7b659170fd609a2c7f3a57f19ae49255015fe8b8e9ec318cbdc835b9d0445
SHA512 27a9c2b0ec4a16117566f1002fb8afa4b5e0a21bedf62e25516bcb5ff91657b8b315bf47ee53b1a078d99fee420f806eebe79d0d58535411b9f2498068062014

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3aec4cae078cc3444807fb905e008893
SHA1 10936deaef8d24d53d6b96331e63ed7d7d4e99d7
SHA256 b765bea998c9cd46801188dcd77d35f5f82233d9f650470751b3b9e0d58c1c5c
SHA512 f7241db77376cb6ca4fb029cd4ea13f58856f08a7b2f6aada9d7afe6a66d5c15e27eea74e7ef0d455e49fc649fcbbd9922c56327cfbd453b09e965ff98536906

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f462817b854009da13979228c392e088
SHA1 648e463e78f6e7c84e8aae9a34b586d2ba207edb
SHA256 966e85009b51bf2b3ac28c249d9f12bda6ad86ea6f855a6d07206d61f38e59e1
SHA512 26cbced6004832b19fccc81be6c0a4ac2f4a46f8dd0f55c7b6b7d9cec989149ff81fb25e4136308de4586039624631601c9bee3c06d452eac8658c9a5fe7aca3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab63a43e94f4516b296e7156b7b026ab
SHA1 c37e8b5741ffc36f5e52bb89bdb73dd34127233e
SHA256 b1735b8f541b2808049321241de218457670f79c815c02a8e49e304c155e8698
SHA512 5977e118ea1404d6ead17e7a2e92346324c2105b816286cb8d5493e65d08571aa27758d5ba29dd188364cb0bea54e3801212a744e025e5bd83bcaedc6ab82476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31f7ee8722f34b3c21c765bb327d07b3
SHA1 27c26d723562a7c747b3e3d5fd86d4ea742136f7
SHA256 084d3c03e7bff6a91a055c541588bffb65eaee7d8c90494a9d44b722a901f066
SHA512 a07b9231fc1e80a793b0c39a76e0b11e78241c7320cb7172846a008ae2ab438650398427924fc2f0122b671d22ce87583ecfd81938c84150af00378d77b1f5ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4e4c8e6a1179b6fdae4b0f090c57b82
SHA1 3fed122b7bfad39787f5ee58a1860e360fb16bd3
SHA256 11725c3a871c143b775634120372e6d26c56ddb9f510519ee25cf287f62a149e
SHA512 4f4a092597d3ba8810a9690800c85851499fc7144f12c80eb2b54708fd3658053cf76c32381a48d35465a531c68a490a676213f0d8a107f3c952b5ae33116bc3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 07:58

Reported

2024-11-17 08:00

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxF85A.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438595274" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B5CDB55E-A4B9-11EF-BDBF-622000771059} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144134" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2324814733" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2319814690" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144134" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144134" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2319814690" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3360 wrote to memory of 896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3360 wrote to memory of 896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 896 wrote to memory of 3400 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 896 wrote to memory of 3400 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 896 wrote to memory of 3400 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3400 wrote to memory of 544 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3400 wrote to memory of 544 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 544 wrote to memory of 1660 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 544 wrote to memory of 1660 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 544 wrote to memory of 1660 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a094b87a3207cbdd7a73635ef59abc1dcb7e2dad66b007b53fa11d1b213ca849.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3360-1-0x0000000010000000-0x00000000100F7000-memory.dmp

memory/896-4-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/896-6-0x00000000005C0000-0x00000000005CF000-memory.dmp

memory/896-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3400-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3400-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3400-14-0x00000000005A0000-0x00000000005A1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d2c6a662e9bd0c89bf8cd03b201f89bd
SHA1 7c019c00c24825eedda6b9fd3e200a39aa47771e
SHA256 08fec4715e35e941a8bc409fdafb8fab8c4b97e8883325b9082562eecc1cdca2
SHA512 332b7cf422c2f656208ad9add4b15ee0c4ee7ee0074f67be9b7af32e9b4b59d487250bedeed06cf1763c13fe0da82cefccc4ada975dd148bf686f9cad08fbefb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 cb5ceecc454268c56933c4fffc2af934
SHA1 3a08b404d2c0d90d4a493d71f529a48dcbe769c0
SHA256 c44ee1e6e75ebf22c892d7d12898ccc7210e1b40a830523f2118a75a6873fdfc
SHA512 473a39c55a49e07995db7d360045050a7d0336c53368a5bea1be80f5968caac40c3d3406ccade101e5e4a9e6cc62cb9e11bfe2305a9ebb30fe55d67e0b341d3a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee