ramnit | 950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9

General

Target

GdtBpFKY.exe
Size

140KB
MD5

bfac768f9ad7d29ec91a0288f4b5f479
SHA1

ff3240c04aa6778dfc4fa2c2eec505c0fb52acac
SHA256

950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9
SHA512

6fa181b5aa88216d49e24576cff35cd5ce4f1ed11d3ec3d6539125d699c421f79dc755b4383e6d6ccf1657d21ee4aa9364f6785ef870e2863b93fa3885f07289

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1192-58-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

GdtBpFKY.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC948.tmp	GdtBpFKY.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GdtBpFKY.exe

pid process

1192 GdtBpFKY.exe

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

GdtBpFKY.exe

pid	process
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe
1192	GdtBpFKY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GdtBpFKY.exe

description pid process

Token: SeDebugPrivilege 1192 GdtBpFKY.exe

description	pid	process
Token: SeDebugPrivilege	1192	GdtBpFKY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GdtBpFKY.exe

description	pid	process	target process
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 368	1192	GdtBpFKY.exe	wininit.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 376	1192	GdtBpFKY.exe	csrss.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 416	1192	GdtBpFKY.exe	winlogon.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 460	1192	GdtBpFKY.exe	services.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 476	1192	GdtBpFKY.exe	lsass.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 484	1192	GdtBpFKY.exe	lsm.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 596	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 676	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 756	1192	GdtBpFKY.exe	svchost.exe
PID 1192 wrote to memory of 820	1192	GdtBpFKY.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2000

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:324

C:\Windows\system32\wininit.exe
wininit.exe
3⤵
PID:368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe
"C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1192-56-0x0000000077530000-0x00000000776B0000-memory.dmp

Filesize
1.5MB

Download
memory/1192-57-0x0000000000210000-0x000000000021F000-memory.dmp

Filesize
60KB

Download
memory/1192-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads