Analysis
- max time kernel: 136s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-03-2022 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: ramnitdouble-original.vbs
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: ramnitdouble-original.vbs
  Resource: win10v2004-en-20220113
General
- Target: ramnitdouble-original.vbs
- Size: 331KB
- MD5: 8e1cc1e4ccefee63008ff49219345a44
- SHA1: 73f71bdf3c986caab0482a503700b24150d84b20
- SHA256: b41d64df33eff5fe041782eb6b1d54121b35985aaf57ef852dbdf08f4a7abc2e
- SHA512: 6e8b9cbf03b6df893e9323e7ae70937d7223dc4f217b5b093f0cc831f3b6c58bdc422dd7e27be79037339268949005b0b395f585d50c40acca5869ee1bf6d9d7
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2032 created 1340 | 2032 | WerFault.exe | svchost.exe
  PID 2136 created 1132 | 2136 | WerFault.exe | svchost.exe
  PID 2020 created 1224 | 2020 | WerFault.exe | svchost.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  1132 | svchost.exe
  1224 | svchost.exe
  1340 | svchost.exe
- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | upx
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | upx
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | upx
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  Processes:
  pid | pid_target | process | target process
  2548 | 1132 | WerFault.exe | svchost.exe
  2504 | 1340 | WerFault.exe | svchost.exe
  4460 | 1224 | WerFault.exe | svchost.exe
- Checks processor information in registry (2 TTPs, 9 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  2548 | WerFault.exe
  2548 | WerFault.exe
  4460 | WerFault.exe
  4460 | WerFault.exe
  2504 | WerFault.exe
  2504 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2504 | WerFault.exe
  Token: SeBackupPrivilege | 2504 | WerFault.exe
  Token: SeRestorePrivilege | 2548 | WerFault.exe
  Token: SeBackupPrivilege | 2548 | WerFault.exe
  Token: SeBackupPrivilege | 2548 | WerFault.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 608 wrote to memory of 1132 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1132 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1132 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1224 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1224 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1224 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1340 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1340 | 608 | WScript.exe | svchost.exe
  PID 608 wrote to memory of 1340 | 608 | WScript.exe | svchost.exe
  PID 2032 wrote to memory of 1340 | 2032 | WerFault.exe | svchost.exe
  PID 2032 wrote to memory of 1340 | 2032 | WerFault.exe | svchost.exe
  PID 2136 wrote to memory of 1132 | 2136 | WerFault.exe | svchost.exe
  PID 2136 wrote to memory of 1132 | 2136 | WerFault.exe | svchost.exe
  PID 2020 wrote to memory of 1224 | 2020 | WerFault.exe | svchost.exe
  PID 2020 wrote to memory of 1224 | 2020 | WerFault.exe | svchost.exe
Processes
- C:\Windows\System32\WScript.exe (PID 608)
  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ramnitdouble-original.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1132)
    Command: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 2548)
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 284
      Signatures: Drops file in Windows directory; Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1224)
    Command: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 4460)
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 280
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1340)
    Command: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 2504)
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 280
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2020)
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1224 -ip 1224
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe (PID 2032)
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1340 -ip 1340
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe (PID 2136)
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1132 -ip 1132
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a