File name: Server.exe

Full analysis: https://app.any.run/tasks/70331b1f-f810-43af-86d1-ebcf2cdb913b
Verdict: Malicious activity
Threats:

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, making it a serious threat to businesses and individuals alike. First spotted in 2010, Ramnit gained popularity after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Analysis date: June 27, 2024, 09:23:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ramnit, trojan, upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 00E730A33105E73C59C240343E2ADFA2
SHA1: ED4235C12A193B7C38EFA494AB2D983E958102BA
SHA256: 1BE4AA618EFB8733ED07B08E2678AA1C235C5503FB06EF92DB7D05809410594B
SSDEEP: 24576:H+H+aysD/caXY31Bcth2T+bF5pc3UqzlDmNNMd/9Ux/Y440099Vp:H+H+ayg/caXMithc+bF5pc3UelDmNedD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Server.exe (PID: 3192)
      • ServerSrv.exe (PID: 2752)
      • Skcsk.exe (PID: 1504)
    • Signature: RAMNIT has been detected

      • Server.exe (PID: 3192)
      • ServerSrv.exe (PID: 2752)
      • DesktopLayer.exe (PID: 2108)
      • iexplore.exe (PID: 3100)
      • Skcsk.exe (PID: 1504)
      • SkcskSrv.exe (PID: 2952)
      • Skcsk.exe (PID: 2840)
      • iexplore.exe (PID: 2440)
    • Creates a writable file in the system directory

      • Server.exe (PID: 3192)
      • Skcsk.exe (PID: 1504)
    • Changes the login/logoff helper path in the registry

      • iexplore.exe (PID: 3100)
      • iexplore.exe (PID: 2440)
    • Starts CMD.EXE for self-deleting

      • Server.exe (PID: 3192)
    • Connects to the CnC server

      • iexplore.exe (PID: 2440)
      • iexplore.exe (PID: 3100)
    • RAMNIT has been detected (SURICATA)

      • iexplore.exe (PID: 2440)
      • iexplore.exe (PID: 3100)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Server.exe (PID: 3192)
      • ServerSrv.exe (PID: 2752)
      • Skcsk.exe (PID: 1504)
    • Starts itself from another location

      • ServerSrv.exe (PID: 2752)
    • Executes as Windows Service

      • Skcsk.exe (PID: 1504)
    • Application launched itself

      • Skcsk.exe (PID: 1504)
    • Hides command output

      • cmd.exe (PID: 1044)
    • Starts CMD.EXE for commands execution

      • Server.exe (PID: 3192)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1044)
    • Contacting a server suspected of hosting an CnC

      • iexplore.exe (PID: 3100)
      • iexplore.exe (PID: 2440)
    • Connects to unusual port

      • Skcsk.exe (PID: 2840)
    • Process drops legitimate windows executable

      • iexplore.exe (PID: 3100)
      • iexplore.exe (PID: 2440)
  • INFO

    • Checks supported languages

      • Server.exe (PID: 3192)
      • ServerSrv.exe (PID: 2752)
      • DesktopLayer.exe (PID: 2108)
      • SkcskSrv.exe (PID: 2952)
      • Skcsk.exe (PID: 1504)
      • Skcsk.exe (PID: 2840)
    • Reads the computer name

      • Server.exe (PID: 3192)
      • Skcsk.exe (PID: 1504)
      • Skcsk.exe (PID: 2840)
    • Creates files in the program directory

      • ServerSrv.exe (PID: 2752)
      • iexplore.exe (PID: 3100)
      • SkcskSrv.exe (PID: 2952)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3100)
      • iexplore.exe (PID: 2440)
    • UPX packer has been detected

      • Skcsk.exe (PID: 2840)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3100)
      • iexplore.exe (PID: 2440)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:13 21:45:02+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: -
InitializedDataSize: 404992
UninitializedDataSize: -
EntryPoint: 0x65000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 53
Monitored processes: 11
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Nodes, in graph order, with the tags shown next to them: start; server.exe; serversrv.exe; desktoplayer.exe (no specs); iexplore.exe (#RAMNIT); skcsk.exe; skcsksrv.exe (no specs); cmd.exe (no specs); iexplore.exe (#RAMNIT); skcsk.exe (THREAT); ping.exe (no specs); server.exe (no specs)

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by the loaded modules.
PID: 1044
CMD: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\admin\Desktop\Server.exe > nul
Path: C:\Windows\System32\cmd.exe
Parent process: Server.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1504
CMD: C:\Windows\System32\Skcsk.exe -auto
Path: C:\Windows\System32\Skcsk.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\system32\skcsk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\skcsksrv.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2108
CMD: "C:\Program Files\Microsoft\DesktopLayer.exe"
Path: C:\Program Files\Microsoft\DesktopLayer.exe
Parent process: ServerSrv.exe
User:
admin
Company:
SOFTWIN S.R.L.
Integrity Level:
HIGH
Description:
BitDefender Management Console
Exit code:
0
Version:
106.42.73.61
Modules
Images
c:\program files\microsoft\desktoplayer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2440
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: SkcskSrv.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 2752
CMD: C:\Users\admin\Desktop\ServerSrv.exe
Path: C:\Users\admin\Desktop\ServerSrv.exe
Parent process: Server.exe
User:
admin
Company:
SOFTWIN S.R.L.
Integrity Level:
HIGH
Description:
BitDefender Management Console
Exit code:
0
Version:
106.42.73.61
Modules
Images
c:\users\admin\desktop\serversrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2840
CMD: C:\Windows\System32\Skcsk.exe -acsi
Path: C:\Windows\System32\Skcsk.exe
Parent process: Skcsk.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\windows\system32\skcsk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2864
CMD: ping -n 2 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 2952
CMD: C:\Windows\System32\SkcskSrv.exe
Path: C:\Windows\System32\SkcskSrv.exe
Parent process: Skcsk.exe
User:
SYSTEM
Company:
SOFTWIN S.R.L.
Integrity Level:
SYSTEM
Description:
BitDefender Management Console
Exit code:
0
Version:
106.42.73.61
Modules
Images
c:\windows\system32\skcsksrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3100
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: DesktopLayer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 3192
CMD: "C:\Users\admin\Desktop\Server.exe"
Path: C:\Users\admin\Desktop\Server.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\desktop\serversrv.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 565
Read events: 4 562
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3192) Server.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation: write
Name: MarkTime
Value: 2024-06-27 10:23

(PID) Process: (3100) iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe

(PID) Process: (2440) iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe,c:\windows\system32\skcsksrv.exe
Executable files: 10
Suspicious files: 1
Text files: 40
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3192 | Server.exe | C:\Windows\System32\Skcsk.exe | executable
  MD5: 00E730A33105E73C59C240343E2ADFA2
  SHA256: 1BE4AA618EFB8733ED07B08E2678AA1C235C5503FB06EF92DB7D05809410594B
2440 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\OFFICE14\1036\LISEZMOI.HTM | html
  MD5: F18D2BD46522DB287132341611DE198B
  SHA256: 048CD0AA60DC6557CB0E4D9B644AF2F6CF204E520472CCD2DEB8A182191F65ED
3100 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\README.HTM | html
  MD5: BCC365B40332AA4C1A0EA3432B718E09
  SHA256: BE74FA8CE509F37CFB186061E5A7DB2E4874B9E153FF56BD03BBBB38CAF21F23
1504 | Skcsk.exe | C:\Windows\System32\SkcskSrv.exe | executable
  MD5: FF5E1F27193CE51EEC318714EF038BEF
  SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
3100 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm | html
  MD5: 73228CB50996251594A1D0C8AA7416ED
  SHA256: 94CCBE91489635345BA6CB4012C43E5D5E9337CC8CA774E6F8BB8F14D9947593
2440 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\OFFICE14\1042\README.HTM | html
  MD5: 37CBE8504941D7ECBCC738D38C7E3483
  SHA256: 99796D729504DED87F51328CB58E0223B75FCA7FE90457081A1CD0A92258D404
3100 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\OFFICE14\1040\README.HTM | html
  MD5: 60DAF33810ED0E73A07079920975385E
  SHA256: 5A869DED04DE1C5E60AA7C26C0344A0AACE0209EEF49B31ADD8B84E94F6F553F
3100 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | html
  MD5: A0AAB44EBA2F0AD61CA7A7B72CDA4932
  SHA256: E284BF88F5AFD72C7ADFEF90607659B19F3EEEF34718D4138D83A0D15B9892B6
2440 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\Smart Tag\1031\MCABOUT.HTM | html
  MD5: 8FA1FC7AE03C811BF9F71D85E984DF66
  SHA256: DF63FBD838A106025A337EFAE5920E9750CFE0A911A1E399F2077401EFC50755
2440 | iexplore.exe | C:\Program Files\Common Files\microsoft shared\OFFICE14\1041\README.HTM | html
  MD5: 17C93BC718F896DA3616E380820A869E
  SHA256: 48A8963B249D4EFEC7CF5C84AE4FCF7825688DC5282EAA227320C222BAF08956
HTTP(S) requests: 4
TCP/UDP connections: 42
DNS requests: 11
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1060 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3 | unknown | unknown
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3100 | iexplore.exe | 172.217.18.110:80 | - | GOOGLE | US | whitelisted
3100 | iexplore.exe | 34.253.216.9:443 | fget-career.com | AMAZON-02 | IE | unknown
2440 | iexplore.exe | 34.253.216.9:443 | fget-career.com | AMAZON-02 | IE | unknown
2440 | iexplore.exe | 172.217.18.110:80 | - | GOOGLE | US | whitelisted
2840 | Skcsk.exe | 49.13.77.253:2021 | yk.8bao.vip | Hetzner Online GmbH | DE | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2840 | Skcsk.exe | 47.76.175.95:14996 | ref.tbfull.com | - | US | unknown

DNS requests

Domain | IP | Reputation
fget-career.com | 34.253.216.9 | malicious
ref.tbfull.com | 47.76.175.95 | unknown
yk.8bao.vip | 49.13.77.253 | unknown
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 216.58.212.174 | whitelisted

Threats

PID | Process | Class | Message
3100 | iexplore.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin
2440 | iexplore.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin
3100 | iexplore.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin
2440 | iexplore.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Ramnit Checkin
1 ETPRO signatures available at the full report
Process | Message
Skcsk.exe | ref.tbfull.com
Skcsk.exe | yk.8bao.vip
Skcsk.exe | yk.8bao.vip
Skcsk.exe | ref.tbfull.com
Skcsk.exe | yk.8bao.vip
Skcsk.exe | ref.tbfull.com
Skcsk.exe | yk.8bao.vip
Skcsk.exe | ref.tbfull.com
Skcsk.exe | yk.8bao.vip
Skcsk.exe | ref.tbfull.com