ramnit | 2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993

General

Target

RAMN.vbs
Size

169KB
MD5

e5e7f440ae47fe295bb93034b1edf3c1
SHA1

bff968fb18c296edabf8ad52953e7c36ae0bcdea
SHA256

2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993
SHA512

a45c68efa11bf061c5ed5fd09e2c616acb2333b67cb1f86382eac88ac1f2fb1120ad2517381e2125eb5a98a5d69d602918cc1ac1277cee1f5a976d8e1a3eb92b

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1664 svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE	upx
behavioral1/memory/1664-60-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxDF19.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1664 svchost.exe

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

svchost.exe

pid	process
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1664 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1664	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exesvchost.exe

description	pid	process	target process
PID 1704 wrote to memory of 1664	1704	WScript.exe	svchost.exe
PID 1704 wrote to memory of 1664	1704	WScript.exe	svchost.exe
PID 1704 wrote to memory of 1664	1704	WScript.exe	svchost.exe
PID 1704 wrote to memory of 1664	1704	WScript.exe	svchost.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 372	1664	svchost.exe	wininit.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 380	1664	svchost.exe	csrss.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 420	1664	svchost.exe	winlogon.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 464	1664	svchost.exe	services.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 480	1664	svchost.exe	lsass.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 488	1664	svchost.exe	lsm.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 584	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 660	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 740	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 740	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 740	1664	svchost.exe	svchost.exe
PID 1664 wrote to memory of 740	1664	svchost.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:324

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1076

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1760

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RAMN.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SVCHOST.EXE
MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
memory/1664-56-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1664-58-0x0000000076F00000-0x0000000077080000-memory.dmp

Filesize
1.5MB

Download
memory/1664-59-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/1664-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-54-0x000007FEFB5A1000-0x000007FEFB5A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads