ramnit | 5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2

Analysis

max time kernel
133s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll
Size

275KB
MD5

a130da82f39d8bad198cbbf5e213e470
SHA1

2489c6fd0ef7989180d68865b41dbeafd8bc5c91
SHA256

5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2
SHA512

bb04db4a7a89019316290dabff9845b9326217a361d3cd6630821887d8a26eb1f1d41000c5566fff8882c41144cb52152dbbc81df1fbc7741af09fd10fcf3f65
SSDEEP

3072:UnMoFkOKCg3CXmSSZlzgeBTg4vRPo5NNFs+XNtUU/chmcFTulOVq5pNOM9hioVE5:UMJOWK4l0wqOVq1Iy1uULkpeI

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
4932	rundll32mgr.exe
4804	WaterMark.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4932-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4932-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4932-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4804-151-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-152-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-153-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-154-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-157-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-158-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-159-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4804-160-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9455.tmp	rundll32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	440	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C097EB5-594A-11ED-B696-EE6CABA3804C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993751"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C0256EF-594A-11ED-B696-EE6CABA3804C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374006162"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993751"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1094406119"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1094406119"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe
4804	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
948	iexplore.exe
1100	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4932	rundll32mgr.exe
4804	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 984	1124	rundll32.exe	81
PID 1124 wrote to memory of 984	1124	rundll32.exe	81
PID 1124 wrote to memory of 984	1124	rundll32.exe	81
PID 984 wrote to memory of 4932	984	rundll32.exe	82
PID 984 wrote to memory of 4932	984	rundll32.exe	82
PID 984 wrote to memory of 4932	984	rundll32.exe	82
PID 4932 wrote to memory of 4804	4932	rundll32mgr.exe	83
PID 4932 wrote to memory of 4804	4932	rundll32mgr.exe	83
PID 4932 wrote to memory of 4804	4932	rundll32mgr.exe	83
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 440	4804	WaterMark.exe	84
PID 4804 wrote to memory of 1100	4804	WaterMark.exe	87
PID 4804 wrote to memory of 1100	4804	WaterMark.exe	87
PID 4804 wrote to memory of 948	4804	WaterMark.exe	88
PID 4804 wrote to memory of 948	4804	WaterMark.exe	88
PID 948 wrote to memory of 320	948	iexplore.exe	90
PID 948 wrote to memory of 320	948	iexplore.exe	90
PID 948 wrote to memory of 320	948	iexplore.exe	90
PID 1100 wrote to memory of 2436	1100	iexplore.exe	89
PID 1100 wrote to memory of 2436	1100	iexplore.exe	89
PID 1100 wrote to memory of 2436	1100	iexplore.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 208
        6⤵
        Program crash
        
        PID:2636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 440 -ip 440
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
124KB

MD5
f0e18ddeb04313caa6b28a5e1634d73c

SHA1
70c359935a774ff3e82d394c902ad6c3f601e019

SHA256
d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

SHA512
296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
124KB

MD5
f0e18ddeb04313caa6b28a5e1634d73c

SHA1
70c359935a774ff3e82d394c902ad6c3f601e019

SHA256
d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

SHA512
296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C0256EF-594A-11ED-B696-EE6CABA3804C}.dat

Filesize
3KB

MD5
6e51fefa9f9f94b10f2efa162c6720f5

SHA1
feaa3a9ba1650cd707798b5647f8d8307e9db5b9

SHA256
699e1bb00cb6c0e4191e8ed24c7bbd1f0c78dcc1324b0c09a7f29837f7a6939c

SHA512
526e5b52763c9fcb8bfb6a3b1aff813129b704763b22ee101c659d7a23e838b82ea5e8b85c957c94ddc5a53d2a9ca05864762a51807d25f955738e1cb1599c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C097EB5-594A-11ED-B696-EE6CABA3804C}.dat

Filesize
5KB

MD5
816555bcff2df8239c771dabfea8e38c

SHA1
f6bb3fa7baddb9987dd5aec1ef9a231b328f989e

SHA256
90886b9a45846f3d5070ce9a9ba56338b83bce58213b1d1814add99a8e112084

SHA512
1db1d44d365a0551a14656a7c276517f013238811e8d7db8ebd62d30ac263f6ba1618ff07c4f3c8c15d141e4a539449baa592086bc64296628c421a3d7caf815

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
124KB

MD5
f0e18ddeb04313caa6b28a5e1634d73c

SHA1
70c359935a774ff3e82d394c902ad6c3f601e019

SHA256
d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

SHA512
296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
124KB

MD5
f0e18ddeb04313caa6b28a5e1634d73c

SHA1
70c359935a774ff3e82d394c902ad6c3f601e019

SHA256
d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

SHA512
296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

Download Submit
memory/984-150-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/4804-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-157-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-159-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-160-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4932-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4932-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4932-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download