ramnit | 63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe
Size

188KB
MD5

2100d4b16c6dc70b4acc720a8d17adc5
SHA1

ac3d09e5ee4fedf41f96d267bac68cb6fcdd47ae
SHA256

63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e
SHA512

c4b9b2bcdaaa378838d7e1b8e54caeba5141cca85edb2459cde22f65d83a1504e8315cf9db60d1bb5a7bcb91398d398d9e36c76d7a759d82cc032093ff3400db
SSDEEP

1536:1ug4y8vhN4lBi17Mgyj6icBVeLiY8kNIZpjnkxIm+8m+Rfr0wsj:41T34l81guikeemCZFkPt3Rfr0wU

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
968	WaterMark.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1252-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1252-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1252-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/968-87-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/968-89-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/968-203-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe
1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe
1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC9F.tmp	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
968	WaterMark.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	WaterMark.exe
Token: SeDebugPrivilege	1152	svchost.exe
Token: SeDebugPrivilege	1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe
Token: SeDebugPrivilege	968	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
968	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1252	1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe	27
PID 1760 wrote to memory of 1252	1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe	27
PID 1760 wrote to memory of 1252	1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe	27
PID 1760 wrote to memory of 1252	1760	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe	27
PID 1252 wrote to memory of 968	1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe	28
PID 1252 wrote to memory of 968	1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe	28
PID 1252 wrote to memory of 968	1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe	28
PID 1252 wrote to memory of 968	1252	63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe	28
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 516	968	WaterMark.exe	29
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 968 wrote to memory of 1152	968	WaterMark.exe	30
PID 1152 wrote to memory of 260	1152	svchost.exe	25
PID 1152 wrote to memory of 260	1152	svchost.exe	25
PID 1152 wrote to memory of 260	1152	svchost.exe	25
PID 1152 wrote to memory of 260	1152	svchost.exe	25
PID 1152 wrote to memory of 260	1152	svchost.exe	25
PID 1152 wrote to memory of 332	1152	svchost.exe	6
PID 1152 wrote to memory of 332	1152	svchost.exe	6
PID 1152 wrote to memory of 332	1152	svchost.exe	6
PID 1152 wrote to memory of 332	1152	svchost.exe	6
PID 1152 wrote to memory of 332	1152	svchost.exe	6
PID 1152 wrote to memory of 368	1152	svchost.exe	5
PID 1152 wrote to memory of 368	1152	svchost.exe	5
PID 1152 wrote to memory of 368	1152	svchost.exe	5
PID 1152 wrote to memory of 368	1152	svchost.exe	5
PID 1152 wrote to memory of 368	1152	svchost.exe	5
PID 1152 wrote to memory of 376	1152	svchost.exe	4
PID 1152 wrote to memory of 376	1152	svchost.exe	4
PID 1152 wrote to memory of 376	1152	svchost.exe	4
PID 1152 wrote to memory of 376	1152	svchost.exe	4
PID 1152 wrote to memory of 376	1152	svchost.exe	4
PID 1152 wrote to memory of 416	1152	svchost.exe	3
PID 1152 wrote to memory of 416	1152	svchost.exe	3
PID 1152 wrote to memory of 416	1152	svchost.exe	3
PID 1152 wrote to memory of 416	1152	svchost.exe	3
PID 1152 wrote to memory of 416	1152	svchost.exe	3
PID 1152 wrote to memory of 464	1152	svchost.exe	2
PID 1152 wrote to memory of 464	1152	svchost.exe	2
PID 1152 wrote to memory of 464	1152	svchost.exe	2
PID 1152 wrote to memory of 464	1152	svchost.exe	2
PID 1152 wrote to memory of 464	1152	svchost.exe	2
PID 1152 wrote to memory of 472	1152	svchost.exe	1
PID 1152 wrote to memory of 472	1152	svchost.exe	1
PID 1152 wrote to memory of 472	1152	svchost.exe	1
PID 1152 wrote to memory of 472	1152	svchost.exe	1
PID 1152 wrote to memory of 472	1152	svchost.exe	1
PID 1152 wrote to memory of 480	1152	svchost.exe	24

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1816
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1708
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1072
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:828
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:480

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe
  "C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
    C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:516
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
C:\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
\Users\Admin\AppData\Local\Temp\63ad1e9029480a43bc290320055495a84185e67c95ed72df36c0fa845a172a8emgr.exe

Filesize
135KB

MD5
0c9fa7c964f4d20d7e982735266cee79

SHA1
69b1fa66722c470b303e4f4f9467613024d246be

SHA256
78aea8073e5407bc63cc9740e1661ee768446404ddee587ae61170cffee9a13c

SHA512
832cbfc843acd7095a2fcfc4296c54fc02b0c9164b28a138e6a1ecf5c1e38d1e18fd1de564e9faf081fe7461c6caf1799be7a09fea78531e34ee757fb332a662

Download Submit
memory/516-76-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/516-204-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/516-88-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/516-78-0x0000000000000000-mapping.dmp

Download
memory/516-80-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/968-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/968-203-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/968-66-0x0000000000000000-mapping.dmp

Download
memory/968-89-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1152-93-0x0000000000000000-mapping.dmp

Download
memory/1152-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1152-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1252-56-0x0000000000000000-mapping.dmp

Download
memory/1252-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1252-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1252-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1252-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1760-85-0x00000000002C0000-0x00000000002F2000-memory.dmp

Filesize
200KB

Download
memory/1760-84-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/1760-86-0x00000000002C0000-0x00000000002F2000-memory.dmp

Filesize
200KB

Download
memory/1760-156-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download