ramnit | 950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9

General

Target

GdtBpFKY.exe
Size

140KB
MD5

bfac768f9ad7d29ec91a0288f4b5f479
SHA1

ff3240c04aa6778dfc4fa2c2eec505c0fb52acac
SHA256

950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9
SHA512

6fa181b5aa88216d49e24576cff35cd5ce4f1ed11d3ec3d6539125d699c421f79dc755b4383e6d6ccf1657d21ee4aa9364f6785ef870e2863b93fa3885f07289

Score

10^/10

ramnit banker evasion spyware stealer suricata trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

GdtBpFKY.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	GdtBpFKY.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	GdtBpFKY.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	GdtBpFKY.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GdtBpFKY.exe:*:enabled:@shell32.dll,-1"	GdtBpFKY.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2896-135-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GdtBpFKY.exe

description	ioc	process
File opened (read-only)	\??\X:	GdtBpFKY.exe
File opened (read-only)	\??\Y:	GdtBpFKY.exe
File opened (read-only)	\??\F:	GdtBpFKY.exe
File opened (read-only)	\??\G:	GdtBpFKY.exe
File opened (read-only)	\??\I:	GdtBpFKY.exe
File opened (read-only)	\??\L:	GdtBpFKY.exe
File opened (read-only)	\??\V:	GdtBpFKY.exe
File opened (read-only)	\??\W:	GdtBpFKY.exe
File opened (read-only)	\??\E:	GdtBpFKY.exe
File opened (read-only)	\??\K:	GdtBpFKY.exe
File opened (read-only)	\??\O:	GdtBpFKY.exe
File opened (read-only)	\??\R:	GdtBpFKY.exe
File opened (read-only)	\??\S:	GdtBpFKY.exe
File opened (read-only)	\??\T:	GdtBpFKY.exe
File opened (read-only)	\??\H:	GdtBpFKY.exe
File opened (read-only)	\??\J:	GdtBpFKY.exe
File opened (read-only)	\??\P:	GdtBpFKY.exe
File opened (read-only)	\??\Z:	GdtBpFKY.exe
File opened (read-only)	\??\M:	GdtBpFKY.exe
File opened (read-only)	\??\N:	GdtBpFKY.exe
File opened (read-only)	\??\Q:	GdtBpFKY.exe
File opened (read-only)	\??\U:	GdtBpFKY.exe

Drops file in Program Files directory 3 IoCs

Processes:

GdtBpFKY.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5414.tmp	GdtBpFKY.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3808 2896 WerFault.exe GdtBpFKY.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

GdtBpFKY.exe

pid process

2896 GdtBpFKY.exe
2896 GdtBpFKY.exe

pid	pid_target	process	target process
3808	2896	WerFault.exe	GdtBpFKY.exe

Suspicious behavior: MapViewOfSection 42 IoCs

Processes:

GdtBpFKY.exe

pid	process
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe
2896	GdtBpFKY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GdtBpFKY.exe

description pid process

Token: SeDebugPrivilege 2896 GdtBpFKY.exe

description	pid	process
Token: SeDebugPrivilege	2896	GdtBpFKY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GdtBpFKY.exe

description	pid	process	target process
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 608	2896	GdtBpFKY.exe	winlogon.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 668	2896	GdtBpFKY.exe	lsass.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 776	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 780	2896	GdtBpFKY.exe	fontdrvhost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 792	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 900	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 988	2896	GdtBpFKY.exe	dwm.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 736	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 732	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 652	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 1028	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 1028	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 1028	2896	GdtBpFKY.exe	svchost.exe
PID 2896 wrote to memory of 1028	2896	GdtBpFKY.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:976

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2544

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:2472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:832

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe
"C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe"
2⤵
- Modifies firewall policy service
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 488
3⤵
- Program crash
PID:3808

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2256

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2236

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1832

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p
1⤵
PID:736

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:772

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:3840

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2896 -ip 2896
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2896 -ip 2896
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-130-0x0000000077660000-0x0000000077803000-memory.dmp

Filesize
1.6MB

Download
memory/2896-131-0x00000000021A0000-0x00000000021AF000-memory.dmp

Filesize
60KB

Download
memory/2896-132-0x0000000077660000-0x0000000077803000-memory.dmp

Filesize
1.6MB

Download
memory/2896-133-0x0000000077660000-0x0000000077803000-memory.dmp

Filesize
1.6MB

Download
memory/2896-134-0x0000000077660000-0x0000000077803000-memory.dmp

Filesize
1.6MB

Download
memory/2896-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads