ramnit | b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/12/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6.dll
Size

308KB
MD5

e4577c711455ccfd4ec4c0a02d23340f
SHA1

b0f4b0c36ec324246d3b815ee94f5e2e9f8102f4
SHA256

b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6
SHA512

8266f05cd3f261554a5fd70e5434279ed690454e4dd473ab7f8a02f058450f753cf6366db35bced2e263e2d5054fd820f7aff672add862d688b9ef0dd19cf5d3
SSDEEP

6144:e6QlFKuIXrznO2I0Xrp55ttpbYa06T/60nGAkPj2sK+C2pcZ70b/9p91H1nsm7Po:eVTAHvVe9P1od

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2772	regsvr32Srv.exe
2704	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	regsvr32.exe
2772	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012271-2.dat	upx
behavioral1/memory/1232-3-0x00000000001E0000-0x000000000020E000-memory.dmp	upx
behavioral1/memory/2772-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2704-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2704-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2704-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2704-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2704-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEB68.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8DC9CB51-C3C3-11EF-931E-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441404884"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\TypeLib\ = "{7D17B345-5D43-49d9-8827-67C36DA882C3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\ = "PictureViz_II Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C95CA51-C282-4540-B4D4-5C6A897DDC32}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	DesktopLayer.exe
2704	DesktopLayer.exe
2704	DesktopLayer.exe
2704	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 2396 wrote to memory of 1232	2396	regsvr32.exe	31
PID 1232 wrote to memory of 2772	1232	regsvr32.exe	32
PID 1232 wrote to memory of 2772	1232	regsvr32.exe	32
PID 1232 wrote to memory of 2772	1232	regsvr32.exe	32
PID 1232 wrote to memory of 2772	1232	regsvr32.exe	32
PID 2772 wrote to memory of 2704	2772	regsvr32Srv.exe	33
PID 2772 wrote to memory of 2704	2772	regsvr32Srv.exe	33
PID 2772 wrote to memory of 2704	2772	regsvr32Srv.exe	33
PID 2772 wrote to memory of 2704	2772	regsvr32Srv.exe	33
PID 2704 wrote to memory of 2888	2704	DesktopLayer.exe	34
PID 2704 wrote to memory of 2888	2704	DesktopLayer.exe	34
PID 2704 wrote to memory of 2888	2704	DesktopLayer.exe	34
PID 2704 wrote to memory of 2888	2704	DesktopLayer.exe	34
PID 2888 wrote to memory of 2788	2888	iexplore.exe	35
PID 2888 wrote to memory of 2788	2888	iexplore.exe	35
PID 2888 wrote to memory of 2788	2888	iexplore.exe	35
PID 2888 wrote to memory of 2788	2888	iexplore.exe	35

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b3448671b078cd6223384850e680451ab257f7a2bb1ffbfba4a760d79e868af6.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f06a15afe54502cd60b594cfd3709edd

SHA1
f71ded653fd927fd51160d5d232d5108c3922b86

SHA256
1ad591fcf09b02bd782c762f599c4aa3ed4cfbec71c2db6798bc47104eca6bd3

SHA512
0f80ce2747813342ae17b7e9d63801557a4b1af2a447345f6319098557df7c92da22fca2b4d0c039fe6987c0cb26323ca357ed81a876d6a9f52c5d04b9156d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5994399b8ad3cd6831734f4504bf399

SHA1
910cd2741a390d7c7cc7420ba67f738dc05efdb3

SHA256
57b30e02be28d6296cb69f580922a56c8f894cf4c155f265c5f1cead735efde6

SHA512
22a3657a3c8374f9fd906b9eb80c4054315d65530c92733053a3278066232ab14d4f4dcb3a76753cc142f9ba223a785f7e3c341c251885029baed29ca9ac8e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d69cdbc6ad48391e38f11d40b482a8dd

SHA1
da97e7605e4dd39970a71c1e0b1ae27c15f0b094

SHA256
e259826017b3ed6aa363560034daac59a8aecdad6c3002c8eab640e3e7286e9d

SHA512
0630417e77b3e5d039cc437f0d4beccd96c0662b51850cc99e0bc3ccb3ea9b6584207b8cd7d9ef09d0ed8079b22e901e95f88904a54d15b4517c2270ed69b2a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbacf17798edcaeb818ead059b57f8e0

SHA1
76d17d408c97e1f363d0649ee04dc17ab7e43bd8

SHA256
2be90aab3dbb7b4c5fbb5a425c419f0c34c55daf6bcf982972fc52b277a66838

SHA512
a3a3622370e75d0384803048746252f774ca0b8276b37095cf3183e94d90312e797d3a807aa67e85b31c3af9e2aa2d7e486c372a72d2b218b288fe42e2fa5d1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
075a0f14f28033cb425c7db5b118dcf5

SHA1
fc85a364994a862a0b6620d0666f32284f93058d

SHA256
f6e895119b326535e2d615f82e40e95a215ac023eb2b5e82dbc0591dde7275c1

SHA512
136fa15ae22df8c2184d3658ffa19c9d73d3c3d99a392838e44fecce10ce2c6045bc3bce8ed8bddb8982aebdb5eb15cf9add42134cfc965991573c2638843d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c90c4b0df73b455bb46d478cd447f5

SHA1
3b3230e91b94fe96e8f950cd490d7ee4318cea48

SHA256
6b73b76e14103e01640397a60b9483a2ce1808496dce19550235cb90c0f731ee

SHA512
f7a837f3b5130c772a51ec7e2e1be8bd6c64da70708458afe141d0b595e302f16690d8263b05320dcea67ee95f2d38649cd439b553b6209fa0dc937f12095430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e60d4602e53a4cdaace781be6cf39d7

SHA1
759302b1a9b7609d148a8ed36aee8cc8a608636d

SHA256
0b83134faf7a8c1706023f37b742392469c60b7019b9c8030fcd7e7bfaa6c5de

SHA512
94e00c6eddd9c2b0636ada96e46661f38198b85e7d2ea063c63d5448590fb47921a5007202542f79ce7ab813a510645d672e0c381a6f328efbad3cb588205de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1232-3-0x00000000001E0000-0x000000000020E000-memory.dmp

Filesize
184KB

Download
memory/1232-0-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/2704-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2704-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2704-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2704-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2704-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2704-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-12-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2772-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download