ramnit | 950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9

General

Target

GdtBpFKY.exe
Size

140KB
MD5

bfac768f9ad7d29ec91a0288f4b5f479
SHA1

ff3240c04aa6778dfc4fa2c2eec505c0fb52acac
SHA256

950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9
SHA512

6fa181b5aa88216d49e24576cff35cd5ce4f1ed11d3ec3d6539125d699c421f79dc755b4383e6d6ccf1657d21ee4aa9364f6785ef870e2863b93fa3885f07289

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1776-56-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

GdtBpFKY.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2AD8.tmp	GdtBpFKY.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GdtBpFKY.exe

pid process

1776 GdtBpFKY.exe

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

GdtBpFKY.exe

pid	process
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe
1776	GdtBpFKY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GdtBpFKY.exe

description pid process

Token: SeDebugPrivilege 1776 GdtBpFKY.exe

description	pid	process
Token: SeDebugPrivilege	1776	GdtBpFKY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GdtBpFKY.exe

description	pid	process	target process
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 368	1776	GdtBpFKY.exe	wininit.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 384	1776	GdtBpFKY.exe	csrss.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 420	1776	GdtBpFKY.exe	winlogon.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 464	1776	GdtBpFKY.exe	services.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 480	1776	GdtBpFKY.exe	lsass.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 488	1776	GdtBpFKY.exe	lsm.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 580	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 656	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 736	1776	GdtBpFKY.exe	svchost.exe
PID 1776 wrote to memory of 800	1776	GdtBpFKY.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1468

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1916

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1252

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe
"C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-54-0x0000000074E31000-0x0000000074E33000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x00000000771D0000-0x0000000077350000-memory.dmp

Filesize
1.5MB

Download
memory/1776-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads