ramnit | b433ca863e6c3df4740907ee4d9c5cae3803ec6b38d4c8f3e0d6443b6e940681

General

Target

smzy_2016小妹刷QB软件.exe
Size

1.3MB
MD5

fda68efd40295fd40a620060a8fc9e72
SHA1

f77ed41fc1de0bd5ca99bdd5eefe98894be5ab01
SHA256

c107d5d3baa13dfdd1e91ee9aafc8583e0b1f7c86e721132fb37724625717049
SHA512

7dd384dc749025aa15c9a9e81db69ac46c1ae42cedc781849342433961187a366fbaaa7de36c413bc37168645337011e84d568c88d856527a8fd2bf66dcde527

Score

10^/10

ramnit banker bootkit persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1488-130-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1488-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

smzy_2016小妹刷QB软件.exe

description ioc process

File opened for modification \??\PhysicalDrive0 smzy_2016小妹刷QB软件.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

smzy_2016小妹刷QB软件.exe

pid process

1488 smzy_2016小妹刷QB软件.exe
1488 smzy_2016小妹刷QB软件.exe
1488 smzy_2016小妹刷QB软件.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	smzy_2016小妹刷QB软件.exe

pid	process
1488	smzy_2016小妹刷QB软件.exe
1488	smzy_2016小妹刷QB软件.exe
1488	smzy_2016小妹刷QB软件.exe

C:\Users\Admin\AppData\Local\Temp\smzy_2016小妹刷QB软件.exe
"C:\Users\Admin\AppData\Local\Temp\smzy_2016小妹刷QB软件.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-130-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1488-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing