ramnit | 59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095

Analysis

max time kernel
6s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
Size

123KB
MD5

0060bacecd724271979e39a875160390
SHA1

786f4cc8ef9c834e6df320f798ae23d491f53cb6
SHA256

59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095
SHA512

bafa131b9b24b76fafc0d8e10c6e70afd70e6257254abdb5c28d3634e10e3089f12b70293654fef17c2c96fba7f081e8828dbd20f7b3e79127440b1f76c80071
SSDEEP

768:F06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:zR0Zn3Pc0LCH9MtbvabUDzJYWu3B

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1600	WaterMark.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1688-57-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1688-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1600-81-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1600-79-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral1/memory/1600-188-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px60A.tmp	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1600	WaterMark.exe
1700	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	WaterMark.exe
Token: SeDebugPrivilege	1700	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
1600	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1600	1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe	19
PID 1688 wrote to memory of 1600	1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe	19
PID 1688 wrote to memory of 1600	1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe	19
PID 1688 wrote to memory of 1600	1688	59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe	19
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 2044	1600	WaterMark.exe	18
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1600 wrote to memory of 1700	1600	WaterMark.exe	29
PID 1700 wrote to memory of 260	1700	svchost.exe	7
PID 1700 wrote to memory of 260	1700	svchost.exe	7
PID 1700 wrote to memory of 260	1700	svchost.exe	7
PID 1700 wrote to memory of 260	1700	svchost.exe	7
PID 1700 wrote to memory of 260	1700	svchost.exe	7
PID 1700 wrote to memory of 336	1700	svchost.exe	6
PID 1700 wrote to memory of 336	1700	svchost.exe	6
PID 1700 wrote to memory of 336	1700	svchost.exe	6
PID 1700 wrote to memory of 336	1700	svchost.exe	6
PID 1700 wrote to memory of 336	1700	svchost.exe	6
PID 1700 wrote to memory of 372	1700	svchost.exe	5
PID 1700 wrote to memory of 372	1700	svchost.exe	5
PID 1700 wrote to memory of 372	1700	svchost.exe	5
PID 1700 wrote to memory of 372	1700	svchost.exe	5
PID 1700 wrote to memory of 372	1700	svchost.exe	5
PID 1700 wrote to memory of 384	1700	svchost.exe	4
PID 1700 wrote to memory of 384	1700	svchost.exe	4
PID 1700 wrote to memory of 384	1700	svchost.exe	4
PID 1700 wrote to memory of 384	1700	svchost.exe	4
PID 1700 wrote to memory of 384	1700	svchost.exe	4
PID 1700 wrote to memory of 420	1700	svchost.exe	3
PID 1700 wrote to memory of 420	1700	svchost.exe	3
PID 1700 wrote to memory of 420	1700	svchost.exe	3
PID 1700 wrote to memory of 420	1700	svchost.exe	3
PID 1700 wrote to memory of 420	1700	svchost.exe	3
PID 1700 wrote to memory of 464	1700	svchost.exe	2
PID 1700 wrote to memory of 464	1700	svchost.exe	2
PID 1700 wrote to memory of 464	1700	svchost.exe	2
PID 1700 wrote to memory of 464	1700	svchost.exe	2
PID 1700 wrote to memory of 464	1700	svchost.exe	2
PID 1700 wrote to memory of 480	1700	svchost.exe	1
PID 1700 wrote to memory of 480	1700	svchost.exe	1
PID 1700 wrote to memory of 480	1700	svchost.exe	1
PID 1700 wrote to memory of 480	1700	svchost.exe	1
PID 1700 wrote to memory of 480	1700	svchost.exe	1
PID 1700 wrote to memory of 488	1700	svchost.exe	8
PID 1700 wrote to memory of 488	1700	svchost.exe	8
PID 1700 wrote to memory of 488	1700	svchost.exe	8
PID 1700 wrote to memory of 488	1700	svchost.exe	8
PID 1700 wrote to memory of 488	1700	svchost.exe	8

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:852
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:888
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe
"C:\Users\Admin\AppData\Local\Temp\59bd4cb74f42201a106ee56fcd396c0745ca1e67a91c7910858a592ec2348095.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
42KB

MD5
c51be5fd3dbfcf9f5c4b35f54639c5e3

SHA1
5a2a0f32dcd57fe8467ec392f3343c6d4053f81a

SHA256
8e6a294429624fae4fb048db4f85dd08ca93006a2f579972ada8bb2e33cce19e

SHA512
9b44f1bb7c677d8c7cbd95e83783a9d7835fa66efea05dc05da176ac904a7509d18079da6971794b8517fdb496bce97f0e101a7c80b6bedab2a1efaaa7b18838

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
93KB

MD5
f8e3fe43a4adc6fc08edfe3c387d0426

SHA1
41c4c671565a0e1aec42ee610ee611411237e30d

SHA256
207de1e0fbbc1c79a0d2f30a36d17673f01b8c3c3ebf67f55200a2427eba18df

SHA512
d45532ca7146a3662a12e4c60b978f9f90d58fa832291672b7ff73bb9cfe84dadba3afc145cd424901947bec05af2e39c867b8ce8c7f8e4255e76eb2bc46ae96

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
43KB

MD5
d9b72e734231f206071075840faf9089

SHA1
746fc2fb1b94af6f538891309ce5e20ac68c6d27

SHA256
fe0cb0735055e76e9a0167248dd8405291fa925dda7a39c82e91f6d4ef34d83e

SHA512
0c515fb23c85d16f11898281457e8bdc2ad6ec6aa566b86c3b4af2882a8995a3cb4c20074113354ce5749b19fdf212be0cacea700b30c2f0d316d4a9783ef0c7

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
43KB

MD5
0daacaf624597bc03648276f58b2a5ab

SHA1
6b346b081c8391a26ac254bd1442c7556039107a

SHA256
67071f81ddd343eaa6e7800423a67036e0fe735a20a3d86df430e23587774114

SHA512
19f74763d8ab83c5f114b9b5ff5e9ecb960756b607dd82b83a7a0dff99d57bd54264a9a00ae61e4873614b830c942a91f9119f87dfb1aaf65918be45059516e7

Download Submit
memory/1600-61-0x0000000000000000-mapping.dmp

Download
memory/1600-81-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1600-188-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1600-79-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1688-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1688-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1688-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1700-85-0x0000000000000000-mapping.dmp

Download
memory/1700-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1700-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2044-71-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-80-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-73-0x0000000000000000-mapping.dmp

Download
memory/2044-189-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download