ramnit | 7a7a75e47403e3744df374a583559c425a7ce2fe6260fae994b3546a322109c6

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Size

315KB
MD5

1300dd3d984b5b8292b91f9071c89330
SHA1

a8b5ed155d8d8b5cd4833d0243b3dc760a86a7aa
SHA256

24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb
SHA512

296c4a6fb660c888edf4260973989ccbfed22695a4efb61d5654d24f87a4a825e271bd6e5d996e241292d875cf3cbf62a4654c84f8013a74ed37352e5925bcd4
SSDEEP

3072:bZx8gJscuAnU+JYoutueXlL0NL6UkUkc/z58LfPEDod/2WggPqQX/mGV/vl:t2AsnAnUJoSqL6UHR/zu7OkzPr+WV

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP = "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP = "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"	MusaLLaT.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP = "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP = "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"	MusaLLaT.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	MusaLLaT.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "2"	MusaLLaT.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	MusaLLaT.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Sr\ImagePath = "\\SystemRoot\\system32\\DRIVERS\\sr.sys"	MusaLLaT.exe

Executes dropped EXE 3 IoCs

pid	Process
2680	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
2768	MusaLLaT.exe
2564	MusaLLaTmgr.exe

Loads dropped DLL 10 IoCs

pid	Process
2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
2680	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
2680	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
2768	MusaLLaT.exe
2768	MusaLLaT.exe
2564	MusaLLaTmgr.exe
2564	MusaLLaTmgr.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MusaLLaT = "C:\\Users\\Admin\\AppData\\Roaming\\MusaLLaT.exe"	MusaLLaT.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/memory/2328-1-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral11/memory/2680-10-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/memory/2680-21-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/files/0x00050000000194e7-29.dat	upx
behavioral11/memory/2328-44-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral11/memory/2328-31-0x0000000002D00000-0x0000000002DBC000-memory.dmp	upx
behavioral11/memory/2768-39-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral11/memory/2768-57-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2672	2680	WerFault.exe	30
2556	2564	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MusaLLaT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MusaLLaTmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	MusaLLaT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Token: SeBackupPrivilege	2768	MusaLLaT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
2768	MusaLLaT.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2680	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	30
PID 2328 wrote to memory of 2680	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	30
PID 2328 wrote to memory of 2680	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	30
PID 2328 wrote to memory of 2680	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	30
PID 2328 wrote to memory of 2768	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	32
PID 2328 wrote to memory of 2768	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	32
PID 2328 wrote to memory of 2768	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	32
PID 2328 wrote to memory of 2768	2328	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	32
PID 2768 wrote to memory of 2564	2768	MusaLLaT.exe	33
PID 2768 wrote to memory of 2564	2768	MusaLLaT.exe	33
PID 2768 wrote to memory of 2564	2768	MusaLLaT.exe	33
PID 2768 wrote to memory of 2564	2768	MusaLLaT.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
"C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe"
1⤵
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328
- C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
  C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 180
    3⤵
    - Program crash
    PID:2672
- C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2768
- - C:\Users\Admin\AppData\Roaming\MusaLLaTmgr.exe
    C:\Users\Admin\AppData\Roaming\MusaLLaTmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 180
      4⤵
      Program crash
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MusaLLaT.exe

Filesize
315KB

MD5
1300dd3d984b5b8292b91f9071c89330

SHA1
a8b5ed155d8d8b5cd4833d0243b3dc760a86a7aa

SHA256
24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb

SHA512
296c4a6fb660c888edf4260973989ccbfed22695a4efb61d5654d24f87a4a825e271bd6e5d996e241292d875cf3cbf62a4654c84f8013a74ed37352e5925bcd4

Download Submit
\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe

Filesize
184KB

MD5
1d92c741bc5b2d34dcd0a0265ab54275

SHA1
a160982825420567c15f6c11f777cb4ccbe69bb8

SHA256
3aab3cf37efd4c034da13a0d7ba8725f49a21d227e05f3bba91d8d36350f4a67

SHA512
1da728dba6383e0e9fc51370f8fb782a15e724b57b952d952e4c719f81d517a56035b1e9496da3d7f9bf79af0a4bd5caa8a351ca60f40d637da3648224944b94

Download Submit
\Users\Admin\AppData\Local\Temp\~TM26B3.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM27CD.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2328-1-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-32-0x0000000002D00000-0x0000000002DBC000-memory.dmp

Filesize
752KB

Download
memory/2328-44-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-31-0x0000000002D00000-0x0000000002DBC000-memory.dmp

Filesize
752KB

Download
memory/2680-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2680-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-39-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2768-57-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads