ramnit | 7a7a75e47403e3744df374a583559c425a7ce2fe6260fae994b3546a322109c6

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Size

315KB
MD5

1300dd3d984b5b8292b91f9071c89330
SHA1

a8b5ed155d8d8b5cd4833d0243b3dc760a86a7aa
SHA256

24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb
SHA512

296c4a6fb660c888edf4260973989ccbfed22695a4efb61d5654d24f87a4a825e271bd6e5d996e241292d875cf3cbf62a4654c84f8013a74ed37352e5925bcd4
SSDEEP

3072:bZx8gJscuAnU+JYoutueXlL0NL6UkUkc/z58LfPEDod/2WggPqQX/mGV/vl:t2AsnAnUJoSqL6UHR/zu7OkzPr+WV

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 7 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP = "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP = "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP = "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"	MusaLLaT.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	MusaLLaT.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	MusaLLaT.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP = "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"	MusaLLaT.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	MusaLLaT.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "2"	MusaLLaT.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	MusaLLaT.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Sr\ImagePath = "\\SystemRoot\\system32\\DRIVERS\\sr.sys"	MusaLLaT.exe

Executes dropped EXE 3 IoCs

pid	Process
788	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
3572	MusaLLaT.exe
4156	MusaLLaTmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
788	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
4156	MusaLLaTmgr.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusaLLaT = "C:\\Users\\Admin\\AppData\\Roaming\\MusaLLaT.exe"	MusaLLaT.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral12/memory/3164-0-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral12/memory/788-7-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral12/files/0x000b000000023b84-15.dat	upx
behavioral12/memory/3164-27-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral12/memory/3572-35-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4852	788	WerFault.exe	83
2852	4156	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MusaLLaT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MusaLLaTmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3572	MusaLLaT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Token: SeBackupPrivilege	3572	MusaLLaT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
3572	MusaLLaT.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 788	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	83
PID 3164 wrote to memory of 788	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	83
PID 3164 wrote to memory of 788	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	83
PID 3164 wrote to memory of 3572	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	86
PID 3164 wrote to memory of 3572	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	86
PID 3164 wrote to memory of 3572	3164	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe	86
PID 3572 wrote to memory of 4156	3572	MusaLLaT.exe	87
PID 3572 wrote to memory of 4156	3572	MusaLLaT.exe	87
PID 3572 wrote to memory of 4156	3572	MusaLLaT.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe
"C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3164
- C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
  C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 552
    3⤵
    - Program crash
    PID:4852
- C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3572
- - C:\Users\Admin\AppData\Roaming\MusaLLaTmgr.exe
    C:\Users\Admin\AppData\Roaming\MusaLLaTmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 216
      4⤵
      Program crash
      PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 788 -ip 788
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4156 -ip 4156
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fbmgr.exe

Filesize
184KB

MD5
1d92c741bc5b2d34dcd0a0265ab54275

SHA1
a160982825420567c15f6c11f777cb4ccbe69bb8

SHA256
3aab3cf37efd4c034da13a0d7ba8725f49a21d227e05f3bba91d8d36350f4a67

SHA512
1da728dba6383e0e9fc51370f8fb782a15e724b57b952d952e4c719f81d517a56035b1e9496da3d7f9bf79af0a4bd5caa8a351ca60f40d637da3648224944b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM7733.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Roaming\MusaLLaT.exe

Filesize
315KB

MD5
1300dd3d984b5b8292b91f9071c89330

SHA1
a8b5ed155d8d8b5cd4833d0243b3dc760a86a7aa

SHA256
24754063ad81e8ab4be77eac0a61cdf74054083d04947327adf4a062c6ef84fb

SHA512
296c4a6fb660c888edf4260973989ccbfed22695a4efb61d5654d24f87a4a825e271bd6e5d996e241292d875cf3cbf62a4654c84f8013a74ed37352e5925bcd4

Download Submit
memory/788-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3164-0-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3164-27-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3572-35-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads