ramnit | b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30

General

Target

SHITYOURSELF.exe
Size

121KB
MD5

c497c71621630045eb8d0673ae817d70
SHA1

74c6e0b93f8c6d5d5634bf32a47a6c4968fefc01
SHA256

b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
SHA512

73a8f54b95ccdfaa5f2e42dca771687612e514de87904840f4eac5fc87f0262051e614c0b0f4d576fe99f58b421dc106f45fe3bea011e0eb8bdc2d99e92f6463

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

SHITYOURSELFSrv.exe

pid process

1616 SHITYOURSELFSrv.exe

pid	process
1616	SHITYOURSELFSrv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe	upx
behavioral1/memory/1616-60-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

SHITYOURSELF.exe

pid process

1564 SHITYOURSELF.exe

Drops file in Program Files directory 3 IoCs

Processes:

SHITYOURSELFSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px3D9C.tmp	SHITYOURSELFSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	SHITYOURSELFSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	SHITYOURSELFSrv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SHITYOURSELF.exe

pid process

1564 SHITYOURSELF.exe

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

SHITYOURSELF.exe

pid	process
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe
1564	SHITYOURSELF.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SHITYOURSELF.exe

description	pid	process
Token: SeDebugPrivilege	1564	SHITYOURSELF.exe
Token: SeTakeOwnershipPrivilege	1564	SHITYOURSELF.exe
Token: SeRestorePrivilege	1564	SHITYOURSELF.exe
Token: SeBackupPrivilege	1564	SHITYOURSELF.exe
Token: SeChangeNotifyPrivilege	1564	SHITYOURSELF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SHITYOURSELF.exe

description	pid	process	target process
PID 1564 wrote to memory of 1616	1564	SHITYOURSELF.exe	SHITYOURSELFSrv.exe
PID 1564 wrote to memory of 1616	1564	SHITYOURSELF.exe	SHITYOURSELFSrv.exe
PID 1564 wrote to memory of 1616	1564	SHITYOURSELF.exe	SHITYOURSELFSrv.exe
PID 1564 wrote to memory of 1616	1564	SHITYOURSELF.exe	SHITYOURSELFSrv.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 368	1564	SHITYOURSELF.exe	wininit.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 376	1564	SHITYOURSELF.exe	csrss.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 416	1564	SHITYOURSELF.exe	winlogon.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 464	1564	SHITYOURSELF.exe	services.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 472	1564	SHITYOURSELF.exe	lsass.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 480	1564	SHITYOURSELF.exe	lsm.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 592	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 672	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 756	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 756	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 756	1564	SHITYOURSELF.exe	svchost.exe
PID 1564 wrote to memory of 756	1564	SHITYOURSELF.exe	svchost.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:336

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1056

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1156

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:1676

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe
"C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
MD5
69dc6baf34bc7dc2197cfc6d15bc0a83

SHA1
193e9f44ce7e10fff6691ae05eb0a7c391698b25

SHA256
60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2

SHA512
c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
MD5
69dc6baf34bc7dc2197cfc6d15bc0a83

SHA1
193e9f44ce7e10fff6691ae05eb0a7c391698b25

SHA256
60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2

SHA512
c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c

Download Submit
\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
MD5
69dc6baf34bc7dc2197cfc6d15bc0a83

SHA1
193e9f44ce7e10fff6691ae05eb0a7c391698b25

SHA256
60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2

SHA512
c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c

Download Submit
memory/1616-56-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1616-58-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1616-59-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1616-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads