ramnit | 950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9

General

Target

GdtBpFKY.exe
Size

140KB
MD5

bfac768f9ad7d29ec91a0288f4b5f479
SHA1

ff3240c04aa6778dfc4fa2c2eec505c0fb52acac
SHA256

950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9
SHA512

6fa181b5aa88216d49e24576cff35cd5ce4f1ed11d3ec3d6539125d699c421f79dc755b4383e6d6ccf1657d21ee4aa9364f6785ef870e2863b93fa3885f07289

Score

10^/10

ramnit banker evasion spyware stealer suricata trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

GdtBpFKY.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	GdtBpFKY.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	GdtBpFKY.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	GdtBpFKY.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GdtBpFKY.exe:*:enabled:@shell32.dll,-1"	GdtBpFKY.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1996-136-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

GdtBpFKY.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px4524.tmp	GdtBpFKY.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	GdtBpFKY.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2984 1996 WerFault.exe GdtBpFKY.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

GdtBpFKY.exe

pid process

1996 GdtBpFKY.exe
1996 GdtBpFKY.exe

pid	pid_target	process	target process
2984	1996	WerFault.exe	GdtBpFKY.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

GdtBpFKY.exe

pid	process
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe
1996	GdtBpFKY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GdtBpFKY.exe

description pid process

Token: SeDebugPrivilege 1996 GdtBpFKY.exe

description	pid	process
Token: SeDebugPrivilege	1996	GdtBpFKY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GdtBpFKY.exe

description	pid	process	target process
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 616	1996	GdtBpFKY.exe	winlogon.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 676	1996	GdtBpFKY.exe	lsass.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 764	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 772	1996	GdtBpFKY.exe	fontdrvhost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 788	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 904	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 948	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 1020	1996	GdtBpFKY.exe	dwm.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 444	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 732	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 656	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 656	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 656	1996	GdtBpFKY.exe	svchost.exe
PID 1996 wrote to memory of 656	1996	GdtBpFKY.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3308

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4136

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:3420

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:2376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:656

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
2⤵
PID:452

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe
"C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe"
2⤵
- Modifies firewall policy service
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 572
3⤵
- Program crash
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2288

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2220

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1996 -ip 1996
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-130-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/1996-131-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/1996-132-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/1996-133-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/1996-134-0x0000000077A30000-0x0000000077BD3000-memory.dmp

Filesize
1.6MB

Download
memory/1996-135-0x00000000004A0000-0x00000000004AF000-memory.dmp

Filesize
60KB

Download
memory/1996-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads