ramnit | 33b4058adaed65e17b07ee1c11af2c1a53e65dbd98f86cdfc72d841529160c14

General

Target

94ff4db57862654ab6d3c556ae03f533.exe
Size

377KB
MD5

94ff4db57862654ab6d3c556ae03f533
SHA1

6f052cd8cb59ae932bbe235a993c5e63a8aa078b
SHA256

33b4058adaed65e17b07ee1c11af2c1a53e65dbd98f86cdfc72d841529160c14
SHA512

83a0c02fe2211a8355584de69004f1edecbfdfb402c5c1955ad67ffe511bca5ddfa98410015926d1ef5c1de9e773ca4303c266da589a4f0c62fc51b0e83497c2

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\fdk1E3B.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533Srv.exe

pid process

1740 94ff4db57862654ab6d3c556ae03f533Srv.exe

pid	process
1740	94ff4db57862654ab6d3c556ae03f533Srv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\94FF4DB57862654AB6D3C556AE03F533SRV.EXE	upx
behavioral1/memory/1740-62-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe

pid process

892 94ff4db57862654ab6d3c556ae03f533.exe
892 94ff4db57862654ab6d3c556ae03f533.exe

Drops file in Program Files directory 3 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1FC1.tmp	94ff4db57862654ab6d3c556ae03f533Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe

pid process

892 94ff4db57862654ab6d3c556ae03f533.exe

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe

pid	process
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe
892	94ff4db57862654ab6d3c556ae03f533.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe94ff4db57862654ab6d3c556ae03f533Srv.exe

description	pid	process
Token: SeDebugPrivilege	892	94ff4db57862654ab6d3c556ae03f533.exe
Token: SeTakeOwnershipPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeRestorePrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeBackupPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeChangeNotifyPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeTakeOwnershipPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeRestorePrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeBackupPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeChangeNotifyPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeTakeOwnershipPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeRestorePrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeBackupPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeChangeNotifyPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeTakeOwnershipPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeRestorePrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeBackupPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeChangeNotifyPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeTakeOwnershipPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeRestorePrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeBackupPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe
Token: SeChangeNotifyPrivilege	1740	94ff4db57862654ab6d3c556ae03f533Srv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe

pid process

892 94ff4db57862654ab6d3c556ae03f533.exe
892 94ff4db57862654ab6d3c556ae03f533.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

94ff4db57862654ab6d3c556ae03f533.exe

description	pid	process	target process
PID 892 wrote to memory of 1740	892	94ff4db57862654ab6d3c556ae03f533.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe
PID 892 wrote to memory of 1740	892	94ff4db57862654ab6d3c556ae03f533.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe
PID 892 wrote to memory of 1740	892	94ff4db57862654ab6d3c556ae03f533.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe
PID 892 wrote to memory of 1740	892	94ff4db57862654ab6d3c556ae03f533.exe	94ff4db57862654ab6d3c556ae03f533Srv.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 368	892	94ff4db57862654ab6d3c556ae03f533.exe	wininit.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 380	892	94ff4db57862654ab6d3c556ae03f533.exe	csrss.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 416	892	94ff4db57862654ab6d3c556ae03f533.exe	winlogon.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 464	892	94ff4db57862654ab6d3c556ae03f533.exe	services.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 472	892	94ff4db57862654ab6d3c556ae03f533.exe	lsass.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 480	892	94ff4db57862654ab6d3c556ae03f533.exe	lsm.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 572	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 652	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 732	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 732	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 732	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe
PID 892 wrote to memory of 732	892	94ff4db57862654ab6d3c556ae03f533.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:732

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1800

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:572

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533.exe
"C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe
C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1888

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1860

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\94FF4DB57862654AB6D3C556AE03F533SRV.EXE
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\94ff4db57862654ab6d3c556ae03f533Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\fdk1E3B.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/892-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-61-0x0000000000440000-0x00000000004B3000-memory.dmp

Filesize
460KB

Download
memory/1740-56-0x0000000000000000-mapping.dmp

Download
memory/1740-58-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1740-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1740-63-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads