ramnit | 199a8d08c1494d025330e8ef939fd6d4f183fd8395b5ce9d0d23583bbf22dc78

Analysis

max time kernel
151s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

199a8d08c1494d025330e8ef939fd6d4f183fd8395b5ce9d0d23583bbf22dc78.dll
Size

750KB
MD5

a2c658faafefc73827e31ee9f0d02a00
SHA1

8343119d82f68fa8c91e454e89cbfe685c58b9bd
SHA256

199a8d08c1494d025330e8ef939fd6d4f183fd8395b5ce9d0d23583bbf22dc78
SHA512

904b0a7bdaf9aae0a7b0628ebb322bb4af522183be9712738099320d5cd078a728c199f1225ba7e4d340d4ea392b23fc03261b6198527b3e85b7e56b33c0dfd5
SSDEEP

12288:nzb9rMfc+CKUQyUmjtc4euuzPrs9pGp8hunWoopooK9kwPMqMH:nzb1MlCKUQyUmjtczu6Prs9pgWoopoob

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1492	rundll32mgr.exe
960	WaterMark.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1492-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1492-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/960-79-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/960-206-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1160	rundll32.exe
1160	rundll32.exe
1492	rundll32mgr.exe
1492	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2147.tmp	rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe
1468	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	WaterMark.exe
Token: SeDebugPrivilege	1468	svchost.exe
Token: SeDebugPrivilege	1160	rundll32.exe
Token: SeDebugPrivilege	960	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1492	rundll32mgr.exe
960	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 748 wrote to memory of 1160	748	rundll32.exe	28
PID 1160 wrote to memory of 1492	1160	rundll32.exe	29
PID 1160 wrote to memory of 1492	1160	rundll32.exe	29
PID 1160 wrote to memory of 1492	1160	rundll32.exe	29
PID 1160 wrote to memory of 1492	1160	rundll32.exe	29
PID 1492 wrote to memory of 960	1492	rundll32mgr.exe	30
PID 1492 wrote to memory of 960	1492	rundll32mgr.exe	30
PID 1492 wrote to memory of 960	1492	rundll32mgr.exe	30
PID 1492 wrote to memory of 960	1492	rundll32mgr.exe	30
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1292	960	WaterMark.exe	31
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 960 wrote to memory of 1468	960	WaterMark.exe	32
PID 1468 wrote to memory of 260	1468	svchost.exe	7
PID 1468 wrote to memory of 260	1468	svchost.exe	7
PID 1468 wrote to memory of 260	1468	svchost.exe	7
PID 1468 wrote to memory of 260	1468	svchost.exe	7
PID 1468 wrote to memory of 260	1468	svchost.exe	7
PID 1468 wrote to memory of 332	1468	svchost.exe	6
PID 1468 wrote to memory of 332	1468	svchost.exe	6
PID 1468 wrote to memory of 332	1468	svchost.exe	6
PID 1468 wrote to memory of 332	1468	svchost.exe	6
PID 1468 wrote to memory of 332	1468	svchost.exe	6
PID 1468 wrote to memory of 368	1468	svchost.exe	5
PID 1468 wrote to memory of 368	1468	svchost.exe	5
PID 1468 wrote to memory of 368	1468	svchost.exe	5
PID 1468 wrote to memory of 368	1468	svchost.exe	5
PID 1468 wrote to memory of 368	1468	svchost.exe	5
PID 1468 wrote to memory of 384	1468	svchost.exe	4
PID 1468 wrote to memory of 384	1468	svchost.exe	4
PID 1468 wrote to memory of 384	1468	svchost.exe	4
PID 1468 wrote to memory of 384	1468	svchost.exe	4
PID 1468 wrote to memory of 384	1468	svchost.exe	4
PID 1468 wrote to memory of 420	1468	svchost.exe	3
PID 1468 wrote to memory of 420	1468	svchost.exe	3
PID 1468 wrote to memory of 420	1468	svchost.exe	3
PID 1468 wrote to memory of 420	1468	svchost.exe	3
PID 1468 wrote to memory of 420	1468	svchost.exe	3
PID 1468 wrote to memory of 464	1468	svchost.exe	2
PID 1468 wrote to memory of 464	1468	svchost.exe	2
PID 1468 wrote to memory of 464	1468	svchost.exe	2
PID 1468 wrote to memory of 464	1468	svchost.exe	2

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:860
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:756
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1092
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1148
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:884
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1928

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\199a8d08c1494d025330e8ef939fd6d4f183fd8395b5ce9d0d23583bbf22dc78.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\199a8d08c1494d025330e8ef939fd6d4f183fd8395b5ce9d0d23583bbf22dc78.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1292
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
92KB

MD5
9d3d4023d6c9814fbe58d5284869555b

SHA1
5065b70e1cf14a0a7f7395da22cf4fb4101dbb75

SHA256
a640e464766c1894408f11ea61089d7b603358335fa1026d6138931d5aeaf991

SHA512
1da71af630504be7e36dd3a7207d86b20021fe836720e9f9503c6a4986b7ccea188a774e869e18beffcd2c0171678dcb629e36ec6ed0e17d9458f9190626770e

Download Submit
memory/960-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/960-206-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1160-75-0x0000000005000000-0x00000000050C1000-memory.dmp

Filesize
772KB

Download
memory/1160-78-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/1160-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1292-87-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1292-77-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1292-83-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1292-207-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1468-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1468-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1492-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1492-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1492-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download