ramnit | 963a20ad367d555485f89c182adac93960901b52730cac85e6e3f711b473dde4

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4f863630ce06522ca1fe75b415c2d4b_JaffaCakes118.html
Size

155KB
MD5

e4f863630ce06522ca1fe75b415c2d4b
SHA1

63a06c9dba5d1f4c299d7bb5c81a1df98f3380a9
SHA256

963a20ad367d555485f89c182adac93960901b52730cac85e6e3f711b473dde4
SHA512

812416d7d690830bcd88a54c100879f7fba2c9de9cae55dc21073ea3ccd21a698610c411d1b622219484a2f6771f2adf6152592a4f4121179206bd715db3f310
SSDEEP

1536:i9RTYGbcg8byLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBw:ibqVbyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2360	svchost.exe
592	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	IEXPLORE.EXE
2360	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002b000000019240-433.dat	upx
behavioral1/memory/2360-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2360-434-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/592-448-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/592-450-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/592-446-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/592-444-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB165.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{191D6501-B897-11EF-AA6E-5A85C185DB3E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440176325"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
592	DesktopLayer.exe
592	DesktopLayer.exe
592	DesktopLayer.exe
592	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
320	iexplore.exe
320	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
320	iexplore.exe
320	iexplore.exe
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
320	iexplore.exe
320	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2404	320	iexplore.exe	31
PID 320 wrote to memory of 2404	320	iexplore.exe	31
PID 320 wrote to memory of 2404	320	iexplore.exe	31
PID 320 wrote to memory of 2404	320	iexplore.exe	31
PID 2404 wrote to memory of 2360	2404	IEXPLORE.EXE	35
PID 2404 wrote to memory of 2360	2404	IEXPLORE.EXE	35
PID 2404 wrote to memory of 2360	2404	IEXPLORE.EXE	35
PID 2404 wrote to memory of 2360	2404	IEXPLORE.EXE	35
PID 2360 wrote to memory of 592	2360	svchost.exe	36
PID 2360 wrote to memory of 592	2360	svchost.exe	36
PID 2360 wrote to memory of 592	2360	svchost.exe	36
PID 2360 wrote to memory of 592	2360	svchost.exe	36
PID 592 wrote to memory of 900	592	DesktopLayer.exe	37
PID 592 wrote to memory of 900	592	DesktopLayer.exe	37
PID 592 wrote to memory of 900	592	DesktopLayer.exe	37
PID 592 wrote to memory of 900	592	DesktopLayer.exe	37
PID 320 wrote to memory of 2100	320	iexplore.exe	38
PID 320 wrote to memory of 2100	320	iexplore.exe	38
PID 320 wrote to memory of 2100	320	iexplore.exe	38
PID 320 wrote to memory of 2100	320	iexplore.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\e4f863630ce06522ca1fe75b415c2d4b_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:472081 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f821ff9e08a2b10d582ef6c7b833103

SHA1
2d654bd1980f8dede6d2830a3d96b7741c14885d

SHA256
28ffc4c1f2ed02e5dc98b10e9e5f3283aa990f6779e050ad6639855142608ee8

SHA512
3f90bb5283c82902b36824bea86452a55d3a4ca88e9e6e361479c26d6888bce0e48e9d73b24325383acf9beb4bad96d093f5399920e0db22558ff03f72687038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d59e967e9573924b8f352c46d81aa62

SHA1
333cb6ed502d1a51d23174099adc6a01f29f1848

SHA256
ff924518f1b343cb778d9835821bf5196d89ce5bf7c33ea68b4d88c988e0019d

SHA512
43d779145d90d17e6f4ce66993a4d67a1917ade1952f84a363a68ef9854d3acb70c09e80b2119d78f68dd19f7fec1f49e66fc6180ba768ff0102aeba6072194b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
433f3913daa81bbe4d8a00e49a180c1b

SHA1
f3f1b31f1eff8f5bf07d4121a19748a03d753c66

SHA256
caf5f1a3ef7edfb86da6aef0afdb471eb5aa1fdbdc26a4c0948f5f3874fbaece

SHA512
a9a49bf9c4666fa7c1ab30f1865e3c1f193f204b9fb53b5b089f5f39be7f426b93c6ede1153d3a721f63d98cfc97c722ff979c2087127791259e6a479b88dc88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47b05b045e553cf8f75640e0ab4ab1df

SHA1
507bcc28246742662d5cb26db68d284c0ba8a45b

SHA256
6b0c57b28dddaf249eb484b501da23f32a14a233374be8b8e4c6348c95ba3743

SHA512
24eb100c01c9789af073ac1838899396cd719ae8194ac0191e8d3e3673852e67bbfa9b74c245b2d29704ef3670440b1dde8b444fd1bc152edcf9782372e27708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24df0c524001e12886e39dba6fe4e2ca

SHA1
6ed8ef1fe0d4a9bb1e2b3eb1af88023c63ab606c

SHA256
a5d75a0c4bdac935c3afbc79921995d40f95f48118d97167e44f051c2ae39922

SHA512
d439f3d862636d2b1b5c451e82874c904c682b88e9c27988176ef386c64477a860a4aa1fd7d8576248602f2020713fa3b0688699702f3cc419a6af417a848166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5478fa76fc89bb45dc557537db446cca

SHA1
786c318c321ec4ef05d5d02d4fea49c0bafae804

SHA256
296688ad2c6767e3c282352ac97a4cf624a99b872d8f9ec0ab5e1a6dae22a5c1

SHA512
2f6cb6b361edd816e9679086d489479d5dfd6abf33c25c23516b8599e8e02d9db003d030a3b0f137c8578c280ac07d01c4218e5a988e534d63a2a46e5b479b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
099acbca3db446e67b76b1d8bfe874e7

SHA1
edb5d33ba4eb23203a5b4820f96b1aafd3b1ff9a

SHA256
0915d79533e2907f6245345bdb18e5c5b7eef8a439cbf6c51f2d1c41b39cb041

SHA512
a9e5629a32331542b69bcd6295ff4b53cf204a7d3b0546cf66aa714d0ca204f4d4fc722f6387aef1ee5b61b50a85e26ac4906aec10d5b7025e7f9f5d1dd67a02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fecb7ad1a646d55853b2a4d7cf65c41e

SHA1
4dc1edd135aa476bb04ca803472ef9adaf9d254f

SHA256
f22d4f6aacc4d27f0dbe3674e346854384215481c84885508209b730694c6bd2

SHA512
31d7560f23a1c60cec9cf1237f6f4823361a834f9052b1c74ee1df32a6335ddeb496639dc3c739e0caf9050545f17b14694200d64c1af0f2797a557a5b7e6b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f757fe048ec79d6e707fadfda8c2c55

SHA1
3dc8b14d86e7e7668c3050a0f34b36b44cd6e907

SHA256
94368e9dfe71ddf148618e00397bcea31540c31efbad33fc74abce6104047bce

SHA512
70924e468b333f0dc4e0374743595354f475acaf5e976c524fc3f006f1cf93cbe1cab2fbce29dc442d6bac78b262cbc91f66f19fac2e35dc3f6288f21485893c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
257b7cf55ed7b0274a678aed9dc01678

SHA1
45bc0bd9a8f7e6fbace2a34a43be0b8a8d181b1c

SHA256
0aecb54f8c6508e94c93315d5d13dd144b14b2f92d940da1fb1933ede25a5d32

SHA512
88672c889f4613d253675db35fab580335b7495b09d0c0ee5da319c5d5b2e844533d2858fa43620c5fa63a0e7025c89565a5899e07d99cda2efa2e151b46f857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd5de09e602c8100c14f22920e3c1ede

SHA1
826de5511cd666342f8295a72ae6c1017e3c8c20

SHA256
8824306ee43fd0056e3d06e65b631dfdcae2964dd3a6041abee2e2abfe8e09c4

SHA512
a4d3d56c111756df534ec81a125cfbf7ea7a74b6487852ffbcc68170ffaaf1fc641ec8ac4af6b79fc1faf036ba7e931888d1248ecc046d56edce0e0f3f2efb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC919.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/592-450-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/592-448-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/592-447-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/592-446-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/592-444-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2360-434-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2360-436-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2360-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download