ramnit | b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34

General

Target

b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34.dll
Size

128KB
MD5

42e09c9b0082be6da68c40981853d780
SHA1

3c5de68a29e61d47ebb77d6309fd5939e0604bdb
SHA256

b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34
SHA512

94a4d77d8182f3fcde97cc9e8a9b090d430147711448bdd1f022b58e62dc23ac840c4fc0e38191155460f4c882de51124dabe85cb48c18d007a6eec3c6ec8199
SSDEEP

3072:4NEqkap78Etee0O9jQoJMoNEJuAhf8up:CEqkE4HNORVJnNEthfXp

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

rundll32Srv.exeWaterMark.exe

pid process

1340 rundll32Srv.exe
468 WaterMark.exe

pid	process
1340	rundll32Srv.exe
468	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32Srv.exe	upx
\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
behavioral1/memory/1340-60-0x0000000000400000-0x0000000000448000-memory.dmp	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
\Program Files (x86)\Microsoft\WaterMark.exe	upx
\Program Files (x86)\Microsoft\WaterMark.exe	upx
behavioral1/memory/1340-66-0x0000000000400000-0x0000000000448000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\WaterMark.exe	upx
C:\Program Files (x86)\Microsoft\WaterMark.exe	upx
behavioral1/memory/468-77-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/468-195-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32Srv.exe

pid process

1420 rundll32.exe
1420 rundll32.exe
1340 rundll32Srv.exe
1340 rundll32Srv.exe

pid	process
1420	rundll32.exe
1420	rundll32.exe
1340	rundll32Srv.exe
1340	rundll32Srv.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

rundll32Srv.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px10A4.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
468	WaterMark.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe
692	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WaterMark.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	468	WaterMark.exe
Token: SeDebugPrivilege	692	svchost.exe
Token: SeDebugPrivilege	468	WaterMark.exe
Token: SeDebugPrivilege	1468	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 1420	1760	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1340	1420	rundll32.exe	rundll32Srv.exe
PID 1420 wrote to memory of 1340	1420	rundll32.exe	rundll32Srv.exe
PID 1420 wrote to memory of 1340	1420	rundll32.exe	rundll32Srv.exe
PID 1420 wrote to memory of 1340	1420	rundll32.exe	rundll32Srv.exe
PID 1340 wrote to memory of 468	1340	rundll32Srv.exe	WaterMark.exe
PID 1340 wrote to memory of 468	1340	rundll32Srv.exe	WaterMark.exe
PID 1340 wrote to memory of 468	1340	rundll32Srv.exe	WaterMark.exe
PID 1340 wrote to memory of 468	1340	rundll32Srv.exe	WaterMark.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 1468	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 468 wrote to memory of 692	468	WaterMark.exe	svchost.exe
PID 692 wrote to memory of 260	692	svchost.exe	smss.exe
PID 692 wrote to memory of 260	692	svchost.exe	smss.exe
PID 692 wrote to memory of 260	692	svchost.exe	smss.exe
PID 692 wrote to memory of 260	692	svchost.exe	smss.exe
PID 692 wrote to memory of 260	692	svchost.exe	smss.exe
PID 692 wrote to memory of 332	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 332	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 332	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 332	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 332	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 368	692	svchost.exe	wininit.exe
PID 692 wrote to memory of 368	692	svchost.exe	wininit.exe
PID 692 wrote to memory of 368	692	svchost.exe	wininit.exe
PID 692 wrote to memory of 368	692	svchost.exe	wininit.exe
PID 692 wrote to memory of 368	692	svchost.exe	wininit.exe
PID 692 wrote to memory of 380	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 380	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 380	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 380	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 380	692	svchost.exe	csrss.exe
PID 692 wrote to memory of 416	692	svchost.exe	winlogon.exe
PID 692 wrote to memory of 416	692	svchost.exe	winlogon.exe
PID 692 wrote to memory of 416	692	svchost.exe	winlogon.exe
PID 692 wrote to memory of 416	692	svchost.exe	winlogon.exe
PID 692 wrote to memory of 416	692	svchost.exe	winlogon.exe
PID 692 wrote to memory of 460	692	svchost.exe	services.exe
PID 692 wrote to memory of 460	692	svchost.exe	services.exe
PID 692 wrote to memory of 460	692	svchost.exe	services.exe
PID 692 wrote to memory of 460	692	svchost.exe	services.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1196

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1132

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1124

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b49d15a32d474df3888da6663c70a4adc598222429ab2041c91e59e5d675ae34.dll,#1
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
82KB

MD5
9f7cdf21871f6483f6504a3d894acb3f

SHA1
7674a1c28c4e2af091adc12ea745d76784fe8e82

SHA256
3ee814fa6fa6fa73da43dea11fef18fe5b0631dfa062868f4b86bafc9ed55b83

SHA512
14e5aaa9906516bab8188186c8f45b9cb8c1d8520e83e61d11c7c38ceb13ced09ee99d6fc5d7dd8f35b908880e9fd1d536d940bc9dfbea9971598e0a388c8e40

Download Submit
memory/468-64-0x0000000000000000-mapping.dmp

Download
memory/468-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/468-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/692-80-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/692-82-0x0000000000000000-mapping.dmp

Download
memory/692-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1340-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1340-66-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1420-54-0x0000000000000000-mapping.dmp

Download
memory/1420-55-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1468-71-0x0000000000000000-mapping.dmp

Download
memory/1468-73-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1468-69-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1468-78-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download
memory/1468-196-0x0000000020010000-0x0000000020021000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads