| Engine | GTI File Reputation | Gateway Anti-Malware | Anti-Malware | Custom Yara | Sandbox | Final |
| Threat Name | TYPE_TROJAN | Heuristic.BehavesLike.Win32.Suspicious-BAY.G | W32/Ramnit.dr | --- | Malware.Dynamic | |
| Severity | 5 | 5 | 5 | None | 5 | 5 |
Sample is considered malicious based on static code analysis matching on known malware families: final severity level 5
| Family Name: Trojan.Win32.Ramnit.A | Similarity Factor: 99.46 |
File Submitted on: 2015-04-24 13:47:11 Total Time Taken: 46 second(s) Sandbox processing: 1 second(s) Baitexe activated but not infected |
|
| Name | Reason | Level |
|---|---|---|
| svchost.exe | loaded by MATD Analyzer | |
| iexplore.exe | executed by svchost.exe | |
| MD5 | Name |
|---|---|
| 96667d07eebe91b40a1f3725a3a7f1a3 | ~TM4.tmp |
| c0558c3b47029e3f97a1992457eb07a5 | ~TM3.tmp |
The attachment file(s) shown above was extracted from the sample file and stored in the dropfiles.zip file
| Persistence, Installation Boot Survival: | |
| Hiding, Camouflage, Stealthiness, Detection and Removal Protection: | |
| Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection: | |
| Spreading: | |
| Exploiting, Shellcode: | |
| Networking: | |
| Data spying, Sniffing, Keylogging, Ebanking Fraud: |  |
Legend: Sev.0- Sev.1-
Sev.2-
Sev.3- Sev.4- Sev.5-
 | Hid executable file by changing its attributes | | Hid Windows StartUp folder by changing its attributes |
| Altered the memory space of the Windows API's hook procedure | | Injected into a different process memory and changes the access protection of the committed pages |
| Created new Internet Explorer process | | Set new application under Userinit key that will run logon scripts for starting up Windows |
 | Created new content in Windows startup directory | | Wrote (injected) data to an area of a foreign process memory |
| Created auto start entry | | Allocated a region of memory within the virtual address space of a foreign process |
| Hid files/folders under Windows Start directory |  | Allowed the process to perform system-level actions that were not enabled previously |
| Altered registry's Windows logon settings | | Created named mutex object |
 | General activities from kernel level, see http://en.wikipedia.org/wiki/Ring_(computer_security) | | Changed the protection attribute of the process |
| Contained long sleep | | Obtained user's logon name |
Run-Time Dlls| kernel32.dll |
| advapi32.dll |
| user32.dll |
File Operations| File Name | Access Mode | File Attributes | MD5 |
|---|---|---|---|
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM3.tmp | Read | Normal | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM4.tmp | Read | Normal |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM3.tmp |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM4.tmp |
| Source File | Destination File | |
|---|---|---|
| C:\WINDOWS\system32\ntdll.dll | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM3.tmp | |
| C:\WINDOWS\system32\kernel32.dll | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM4.tmp |
| Created a file that can be used for memory mapping |
| Retrieved the path of the directory designated for temporary files | |||
| Created a name for a temporary file | |||
| Obtained the path of the Windows system directory | |||
| Searched a directory for the name: C:\Program Files\Internet Explorer\IEXPLORE.EXE | |||
| Retrieved the full path for the module |
Registry Operations| HKCR\http\shell\open\command |
| HKCR\http\shell\open\command |
Process Operations| Process Name | Module | |
|---|---|---|
| c:\program files\internet explorer\iexplore.exe |
| Ended itself and all of its threads |
| 428190 |
| Obtained information about a process |
| Read data from an area of memory in a specified process |
| Allocated memory in foreign(or local) processes |
| Copied an address range from the current process into the address range of another process |
| Obtained the contents of the specified variable from the environment block of the calling process |
| Enabled an application to supersede the top-level exception handler |
| Changed the protection attribute of process address: 0xffffffff, new attribute: MemRelease & MemFree |
| Changed the protection attribute of process address: 0xffffffff, new attribute: MemFree |
| Changed the protection attribute of process address: 0xffffffff, new attribute: MemCommit |
| Changed the protection attribute of process address: 0x400000, new attribute: ReadWrite |
| Changed the protection attribute of process address: 0x400000, new attribute: Execute_ReadWrite |
| Changed the protection attribute of process address: 0xffffffff, new attribute: WriteCombine |
| Opened the access token associated with a process |
| Changed the protection attribute of process address: 0x705248f5, new attribute: Execute_ReadWrite |
| Changed the protection attribute of process address: 0x3e0000, new attribute: Execute_ReadWrite |
| Changed the protection attribute of process address: 0x20010000, new attribute: ReadOnly |
| Changed the protection attribute of process address: 0x760, new attribute: ReadWrite & WriteCopy |
Other Operations| Initialized a critical section object and set the spin count for the critical section |
| Retrieved the locally unique identifier (LUID) |
| Enabled/disabled privileges in an access token |
Run-Time Dlls| imagehlp.dll |
File Operations| File Name | Access Mode | File Attributes | MD5 |
|---|---|---|---|
| C:\Program Files\Internet Explorer\dmlconf.dat | Write | Normal | |
| C:\Program Files\ymuqqkka\px5.tmp | Read & Write | Normal |
| File Name | Access Mode | File Attributes | MD5 |
|---|---|---|---|
| C:\Program Files\Internet Explorer\complete.dat | Read | Normal | |
| C:\Program Files\Internet Explorer\dmlconf.dat | Read | Normal | |
| C:\Program Files\ymuqqkka\hsmdbktq.exe | Write | Hidden | |
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe | Read | Normal | |
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe | Write | Hidden |
| C:\Program Files\ymuqqkka\px5.tmp |
| Source File | Destination File/Write | Written |
|---|---|---|
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe, attribute: Normal | ||
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe, attribute: System | ||
| C:\Program Files\Internet Explorer\dmlconf.dat | 16 | 16 |
| Obtained information about the file system and volume associated with the specified root directory |
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe |
| Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive |
| Source File | Destination File | |
|---|---|---|
| ...\svchost.exe | C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe | |
| C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\hsmdbktq.exe | C:\Program Files\ymuqqkka\hsmdbktq.exe |
| New Directory | Template Directory |
|---|---|
| C:\Program Files\ymuqqkka | |
| C: | |
| C:\Program Files |
| Retrieved the full path for the module | |||
| Retrieved the path of the Windows directory | |||
| Created a name for a temporary file | |||
| Obtained the path of the Windows system directory | |||
| Searched a directory for the name: C:\*.* |
Registry Operations| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKLM\HARDWARE\DESCRIPTION\System |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKLM\Software\WASAntidot |
| Key | NewValue | Type |
|---|---|---|
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | C:\WINDOWS\system32\userinit.exe,,C:\Program Files\ymuqqkka\hsmdbktq.exe | REG_SZ |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Startup |
| HKLM\HARDWARE\DESCRIPTION\System | SystemBiosVersion |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductId |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit |
Process Operations| 2001c63a | ||
| 2001c003 | ||
| 2001c1fc | ||
| 2001c3c3 | ||
| 2001b0ab | ||
| 2001b0c5 |
| Deactivated the activation context corresponding to the specified cookie | |
| Obtained the contents of the specified variable from the environment block of the calling process |
Network Operations| Initiated WS2_32 socket DLL |
| Retrieved the name of the local computer: root-adb74886ae |
Other Operations| Mutex-Object Name |
|---|
| {0bc23016-8fb5-f7a9-4bae-5bdfd5986187} |
| Initialized a critical section object and set the spin count for the critical section |
| Allocated and initialized a security identifier (SID) |
| Determined whether a specified security identifier (SID) is enabled in an access token |
| Obtained the current system date and time in in Coordinated Universal Time (UTC) format |
| Changed virtual memory protection in the user mode address range from the kernel level |
| Retrieved the user's logon name |
| Expanded environment-variable strings and replace them with the values defined for the current use |