ramnit | e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
Size

319KB
MD5

09792127dbc60545639e024d1e2195e5
SHA1

58fe06a353b2a4d6ab3d4fdc10a7c305f7563335
SHA256

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799
SHA512

0ea9ea7e7508192ea49db5b4d3da0baa8ae25612e044048c2313e356e2fcb70bfee68b5525305ed626d1186919cea598caf2bcf8ca026a6884e5f43e67b87589
SSDEEP

3072:XVqoCl/YgjxEufVU0TbTyDDalBVnnAQVG/LytaKItS/fiLKS+f5Aq7iu:XsLqdufVUNDa5OTeHI8HiL7+f5b

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
UPX dump on OEP (original entry point) 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4740-9-0x0000000000400000-0x000000000042A000-memory.dmp UPX
Executes dropped EXE 6 IoCs

Processes:

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

4740 e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
4368 icsys.icn.exe
1500 explorer.exe
4764 spoolsv.exe
2912 svchost.exe
4916 spoolsv.exe
Loads dropped DLL 1 IoCs

Processes:

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

pid process

4740 e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/4740-9-0x0000000000400000-0x000000000042A000-memory.dmp upx

resource	yara_rule
behavioral2/memory/4740-9-0x0000000000400000-0x000000000042A000-memory.dmp	UPX

pid	process
4740	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
4368	icsys.icn.exe
1500	explorer.exe
4764	spoolsv.exe
2912	svchost.exe
4916	spoolsv.exe

pid	process
4740	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

resource	yara_rule
behavioral2/memory/4740-9-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exee2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4812 4740 WerFault.exe e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

pid	pid_target	process	target process
4812	4740	WerFault.exe	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exeicsys.icn.exe

pid	process
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
4368	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

2912 svchost.exe
1500 explorer.exe

pid	process
2912	svchost.exe
1500	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
4368	icsys.icn.exe
4368	icsys.icn.exe
1500	explorer.exe
1500	explorer.exe
4764	spoolsv.exe
4764	spoolsv.exe
2912	svchost.exe
2912	svchost.exe
4916	spoolsv.exe
4916	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2376 wrote to memory of 4740	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
PID 2376 wrote to memory of 4740	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
PID 2376 wrote to memory of 4740	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
PID 2376 wrote to memory of 4368	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	icsys.icn.exe
PID 2376 wrote to memory of 4368	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	icsys.icn.exe
PID 2376 wrote to memory of 4368	2376	e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe	icsys.icn.exe
PID 4368 wrote to memory of 1500	4368	icsys.icn.exe	explorer.exe
PID 4368 wrote to memory of 1500	4368	icsys.icn.exe	explorer.exe
PID 4368 wrote to memory of 1500	4368	icsys.icn.exe	explorer.exe
PID 1500 wrote to memory of 4764	1500	explorer.exe	spoolsv.exe
PID 1500 wrote to memory of 4764	1500	explorer.exe	spoolsv.exe
PID 1500 wrote to memory of 4764	1500	explorer.exe	spoolsv.exe
PID 4764 wrote to memory of 2912	4764	spoolsv.exe	svchost.exe
PID 4764 wrote to memory of 2912	4764	spoolsv.exe	svchost.exe
PID 4764 wrote to memory of 2912	4764	spoolsv.exe	svchost.exe
PID 2912 wrote to memory of 4916	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 4916	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 4916	2912	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
"C:\Users\Admin\AppData\Local\Temp\e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376

\??\c:\users\admin\appdata\local\temp\e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
c:\users\admin\appdata\local\temp\e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 528
3⤵
- Program crash
PID:4812

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4740 -ip 4740
1⤵
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM37C9.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
f38d3ca16ef521e831930c94de4f75eb

SHA1
fd4992e72f1fcde0a1437035eaadbaf6e65a6ed4

SHA256
3377ee14b6049e9b011bc22ecb4df894a3ba923b98e6fe7fdb75b4ad1cb33e77

SHA512
180ee7ed10416639bd7c2d965fbc904dcf391db834b1f574cec53f368b578c78476780e09a4c7fadbdcc2a965978663dc11a2c0fa8543970f690fc40b5fa4638

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
3b61297a768586856d5b7a157cfc856f

SHA1
b2469454e1f9f6b3a2d2673464334330ef3644b0

SHA256
a18e2f3103f4086b37706681b66bc12d8c96df97978cd7f55e1e382d9b486568

SHA512
1a07c6a8569c1fe94bcc4153bec7f64dfe9be91440a3531ee74b71dd23ef3f9598ffd272d420a971a7f56a9b173f25092ce80fbd0bf8ed0472437e6cbec3af0b

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
648f5243f58330d570e86ad8640336aa

SHA1
95d855f046999f2fcf6b75830a1181753d7cfc7e

SHA256
d34839fc8977f5101fb2483fd23d91420b3a2d245fadb242d4b9db97370a1da9

SHA512
302ab9b033e8e15c5803b298e52db95df3d693d338d4bfb331259fd7fb108d6a2ee01c4bde3bb4caa716080adcd8a79ff266261fa2e95555cc3bb26cd1a79bd9

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
3f00977b8e83814478eb279c3f51f7d9

SHA1
70791c4e0c3add47193c3e5279ba8149014799e9

SHA256
cf9b1c41b1d18c34e0e00babca1b1eee6bc3136e3b9535c5dbba597802e3b29a

SHA512
1068f9dcfe8a64f86177f77447a26fcbd83a43377ce5ae8abcaf96a467d784eb167e7d767b5a154b3cc931d8b12e667051f243166206df09e7361030b919916f

Download Submit
\??\c:\users\admin\appdata\local\temp\e2e3adca74a101c2ccc9449b7c75aff059d08864ba87698fdc6212e96390c799.exe
Filesize
184KB

MD5
1d92c741bc5b2d34dcd0a0265ab54275

SHA1
a160982825420567c15f6c11f777cb4ccbe69bb8

SHA256
3aab3cf37efd4c034da13a0d7ba8725f49a21d227e05f3bba91d8d36350f4a67

SHA512
1da728dba6383e0e9fc51370f8fb782a15e724b57b952d952e4c719f81d517a56035b1e9496da3d7f9bf79af0a4bd5caa8a351ca60f40d637da3648224944b94

Download Submit
memory/1500-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4740-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4764-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4916-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download