| File name: | 2018-09-29_20-26-55.exe |
| Full analysis: | https://app.any.run/tasks/ed088f23-46f9-44f9-af9c-28703bab5e39 |
| Verdict: | Malicious activity |
| Threats: | Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. |
| Analysis date: | June 16, 2019, 14:42:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | C51A0BFC921D6721E99A6D0FCAE02D73 |
| SHA1: | FD6B54E251483BB88D1CEDD4CCB065D16E990195 |
| SHA256: | AD45CFB13369D393156E9571F239AB9C58C43239067BBC74152D747D32BF3B0D |
| SSDEEP: | 6144:WWympplTPwW1jcBOHDQHg0aLBLwpWfA3Danv4:J7pzjcYIsLOpWCD |
MALICIOUS
Writes to a start menu file
- svchost.exe (PID: 2620)
Uses SVCHOST.EXE for hidden code execution
- sfseunjd.exe (PID: 3684)
Changes the autorun value in the registry
- sfseunjd.exe (PID: 3304)
- svchost.exe (PID: 2620)
Changes Security Center notification settings
- sfseunjd.exe (PID: 3304)
UAC/LUA settings modification
- sfseunjd.exe (PID: 3304)
Modifies Windows security services settings
- sfseunjd.exe (PID: 3304)
Modifies Windows Defender service settings
- sfseunjd.exe (PID: 3304)
Changes firewall settings
- sfseunjd.exe (PID: 3304)
RAMNIT was detected
- svchost.exe (PID: 2620)
Changes the login/logoff helper path in the registry
- sfseunjd.exe (PID: 3304)
Connects to CnC server
- svchost.exe (PID: 2620)
Application was injected by another process
- explorer.exe (PID: 2044)
- dwm.exe (PID: 1980)
- ctfmon.exe (PID: 3780)
- taskeng.exe (PID: 3756)
- windanr.exe (PID: 556)
- conhost.exe (PID: 392)
Ramnit was detected
- explorer.exe (PID: 2044)
- ctfmon.exe (PID: 3780)
- windanr.exe (PID: 556)
- dwm.exe (PID: 1980)
- taskeng.exe (PID: 3756)
- tracert.exe (PID: 1212)
- conhost.exe (PID: 392)
Runs injected code in another process
- svchost.exe (PID: 3900)
SUSPICIOUS
Executable content was dropped or overwritten
- 2018-09-29_20-26-55.exe (PID: 2836)
- sfseunjd.exe (PID: 3684)
Starts itself from another location
- 2018-09-29_20-26-55.exe (PID: 2836)
Creates files in the user directory
- svchost.exe (PID: 2620)
Creates files in the program directory
- svchost.exe (PID: 2620)
Creates files in the Windows directory
- sdbinst.exe (PID: 3988)
Creates a software uninstall entry
- sdbinst.exe (PID: 3988)
Starts CMD.EXE for commands execution
- iscsicli.exe (PID: 2768)
Reads the cookies of Google Chrome
- svchost.exe (PID: 3900)
Reads the cookies of Mozilla Firefox
- svchost.exe (PID: 3900)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:04:02 12:37:07+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 175616 |
| InitializedDataSize: | 37888 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1f33 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 02-Apr-2018 10:37:07 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E0 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 02-Apr-2018 10:37:07 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0002ADBC | 0x0002AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.72863 |
.rdata | 0x0002C000 | 0x00004ABA | 0x00004C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.13125 |
.data | 0x00031000 | 0x00003AA8 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.52774 |
.rsrc | 0x00035000 | 0x00005010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.reloc | 0x0003B000 | 0x000016BA | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.88139 |
Imports
ADVAPI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
Total processes
55
Monitored processes
19
Malicious processes
14
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Windows\system32\sdbinst.exe" /q /u "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb" | C:\Windows\system32\sdbinst.exe | — | sfseunjd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Compatibility Database Installer Exit code: 3221226540 Version: 6.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 392 | \??\C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe | csrss.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 556 | "windanr.exe" | C:\Windows\system32\windanr.exe | qemu-ga.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1212 | "C:\Windows\system32\tracert.exe" | C:\Windows\system32\tracert.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Traceroute Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1980 | "C:\Windows\system32\Dwm.exe" | C:\Windows\System32\dwm.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2044 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2084 | "C:\Windows\system32\sdbinst.exe" /q /u "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb" | C:\Windows\system32\sdbinst.exe | sfseunjd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Application Compatibility Database Installer Exit code: 1 Version: 6.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2620 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | sfseunjd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2676 | cmd /c C:\Users\admin\AppData\Local\Temp\..\..\LocalLow\cmd.admin.bat | C:\Windows\system32\cmd.exe | — | iscsicli.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2768 | "C:\Windows\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb" | C:\Windows\system32\sdbinst.exe | — | sfseunjd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Compatibility Database Installer Exit code: 3221226540 Version: 6.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 897
Read events
1 766
Write events
129
Delete events
2
Modification events
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | APPSTARTING |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | ARROW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | CROSS |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | HAND |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | HELP |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | IBEAM |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | NO |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | SIZEALL |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | SIZENESW |
Value: %SystemRoot%\cursors\clearcur.cur | |||
| (PID) Process: | (556) windanr.exe | Key: | HKEY_CURRENT_USER\Control Panel\Cursors |
| Operation: | write | Name: | SIZENS |
Value: %SystemRoot%\cursors\clearcur.cur | |||
Executable files
2
Suspicious files
8
Text files
4
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2620 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjbcnbda.exe | — | |
MD5:— | SHA256:— | |||
| 2620 | svchost.exe | C:\Users\admin\AppData\Local\bdjmdbtj\jjbcnbda.exe | — | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cookies.txt | — | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\Temp\~TMAD1C.tmp | — | |
MD5:— | SHA256:— | |||
| 2836 | 2018-09-29_20-26-55.exe | C:\Users\admin\AppData\Local\Temp\sfseunjd.exe | executable | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\ewnpecny.log | binary | |
MD5:— | SHA256:— | |||
| 2620 | svchost.exe | C:\ProgramData\qkoagtka.log | text | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\fwdicmqp.log | compressed | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\kmypexkj.log | ini | |
MD5:— | SHA256:— | |||
| 3900 | svchost.exe | C:\Users\admin\AppData\Local\mfpmqwom.log | ini | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
29
Threats
31
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 172.217.21.238:80 | google.com | Google Inc. | US | whitelisted |
2620 | svchost.exe | 35.224.11.86:443 | gadqgqkdexwspxdc.com | — | US | malicious |
2620 | svchost.exe | 92.63.97.30:443 | jmwrboefbrhresaekn.com | JSC ISPsystem | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| malicious |
goldenfreeanhfirst.com |
| malicious |
lrjhjpmogfmrctmyqy.com |
| unknown |
gadqgqkdexwspxdc.com |
| malicious |
wpmlwkual.com |
| unknown |
uacujgnkrqpmjiwfb.com |
| unknown |
saolyfuyhuymmhd.com |
| unknown |
qhkyxycreoheacbh.com |
| malicious |
eoqtvdvtqtlsurfcot.com |
| unknown |
bjymkakljso.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2620 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Banker Ramnit CnC Connection |
2620 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Banker Ramnit CnC Connection |
2620 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
2620 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
Process | Message |
|---|---|
sfseunjd.exe | CheckBypassed ok |
svchost.exe | Started |
svchost.exe | [VNCDLL][:3900][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x01E80000
|
svchost.exe | [VNCDLL][:3900][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x003B0000
|