ramnit | 4ee7ce2fdad1a287ac5299129c80dfc3fedb2a5eb31a1af706d1fc466cb2839a

General

Target

bc.vbs
Size

169KB
MD5

c8d448840522a0d83b0a8a32cfa50352
SHA1

98f1145de8f3cc1764451ff65fa1c7051280c455
SHA256

4ee7ce2fdad1a287ac5299129c80dfc3fedb2a5eb31a1af706d1fc466cb2839a
SHA512

0ff8e8b9cd33ec9973fc14e55acf1648a3e6f7ce215157fb41aa737441f0b727934ab6a4cbae8ec7eff02872690bd72f2ae63cee1490b79cbd952b53e937bebd

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

620 svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE	upx
behavioral1/memory/620-62-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px19A8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

620 svchost.exe

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

svchost.exe

pid	process
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe
620	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 620 svchost.exe

description	pid	process
Token: SeDebugPrivilege	620	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exesvchost.exe

description	pid	process	target process
PID 288 wrote to memory of 620	288	WScript.exe	svchost.exe
PID 288 wrote to memory of 620	288	WScript.exe	svchost.exe
PID 288 wrote to memory of 620	288	WScript.exe	svchost.exe
PID 288 wrote to memory of 620	288	WScript.exe	svchost.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 368	620	svchost.exe	wininit.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 380	620	svchost.exe	csrss.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 416	620	svchost.exe	winlogon.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 460	620	svchost.exe	services.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 476	620	svchost.exe	lsass.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 484	620	svchost.exe	lsm.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 584	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 660	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 740	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 740	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 740	620	svchost.exe	svchost.exe
PID 620 wrote to memory of 740	620	svchost.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1972

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1992

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1252

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE
MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
memory/288-55-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/620-57-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/620-60-0x0000000077C80000-0x0000000077C81000-memory.dmp

Filesize
4KB

Download
memory/620-61-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/620-59-0x0000000077C7F000-0x0000000077C80000-memory.dmp

Filesize
4KB

Download
memory/620-62-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads