ramnit | ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll
Size

163KB
MD5

2ad25d81e8d455471a4f9f803acd02ce
SHA1

0580f084f662cf2b79896eceec2cc57e44e95507
SHA256

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406
SHA512

56a5d0e48c49918130b173291d75f41c73f85e63615d11ad64bf25ee5fcb97404e8521253a097f7cffa8432693abb8b1394c04d1601f6e69066985cdb7709a77
SSDEEP

3072:nv4tCk6tj9tnCRLMGbwQG52xKUgfyFRsxxulukd0pF:vMAtCRYGbG52gUHRU

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\bxwlbvvj\\jeoxlvfw.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Executes dropped EXE 2 IoCs

Processes:

qnOwJ23bjmvnxhgaqpgeaid.exe

pid process

1916 qnOwJ23
1748 bjmvnxhgaqpgeaid.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

pid	process
1916	qnOwJ23
1748	bjmvnxhgaqpgeaid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jeoxlvfw.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jeoxlvfw.exe	svchost.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exeqnOwJ23

pid process

1676 rundll32.exe
1676 rundll32.exe
1916 qnOwJ23
1916 qnOwJ23
1916 qnOwJ23
1916 qnOwJ23

pid	process
1676	rundll32.exe
1676	rundll32.exe
1916	qnOwJ23
1916	qnOwJ23
1916	qnOwJ23
1916	qnOwJ23

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\JeoXlvfw = "C:\\Users\\Admin\\AppData\\Local\\bxwlbvvj\\jeoxlvfw.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

svchost.exe

pid	process
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

qnOwJ23svchost.exesvchost.exebjmvnxhgaqpgeaid.exe

description	pid	process
Token: SeSecurityPrivilege	1916	qnOwJ23
Token: SeDebugPrivilege	1916	qnOwJ23
Token: SeSecurityPrivilege	1740	svchost.exe
Token: SeSecurityPrivilege	1744	svchost.exe
Token: SeDebugPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeSecurityPrivilege	1748	bjmvnxhgaqpgeaid.exe
Token: SeLoadDriverPrivilege	1748	bjmvnxhgaqpgeaid.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe
Token: SeBackupPrivilege	1744	svchost.exe
Token: SeRestorePrivilege	1744	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

rundll32.exerundll32.exeqnOwJ23

description	pid	process	target process
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1916	1676	rundll32.exe	qnOwJ23
PID 1676 wrote to memory of 1916	1676	rundll32.exe	qnOwJ23
PID 1676 wrote to memory of 1916	1676	rundll32.exe	qnOwJ23
PID 1676 wrote to memory of 1916	1676	rundll32.exe	qnOwJ23
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1740	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1744	1916	qnOwJ23	svchost.exe
PID 1916 wrote to memory of 1748	1916	qnOwJ23	bjmvnxhgaqpgeaid.exe
PID 1916 wrote to memory of 1748	1916	qnOwJ23	bjmvnxhgaqpgeaid.exe
PID 1916 wrote to memory of 1748	1916	qnOwJ23	bjmvnxhgaqpgeaid.exe
PID 1916 wrote to memory of 1748	1916	qnOwJ23	bjmvnxhgaqpgeaid.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll,#1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\qnOwJ23
"qnOwJ23"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe
"C:\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnOwJ23

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnOwJ23

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\bjmvnxhgaqpgeaid.exe

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\qnOwJ23

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
\Users\Admin\AppData\Local\Temp\qnOwJ23

Filesize
95KB

MD5
5b1a0c379ccc8cab0d06cbeb1338451b

SHA1
ae615e94824e0547027768d74d03af8b23fefd4d

SHA256
2dccbfc709478a47a8c039619c5aecc11731f3fe8e3a70c26b4e6f668f190d29

SHA512
a4433852b9c404df4b8e2d68cabe0df3ff02a2c9ebda7ecc468e73d1651119bd1dc878474f3c508b8d42b8bb78c1c08d1fe5c93175f8e2b15a9765019179c581

Download Submit
memory/1676-54-0x0000000000000000-mapping.dmp

Download
memory/1676-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1676-80-0x0000000050590000-0x00000000505BB000-memory.dmp

Filesize
172KB

Download
memory/1676-81-0x00000000000B0000-0x00000000000EB000-memory.dmp

Filesize
236KB

Download
memory/1676-83-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/1740-63-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1740-65-0x0000000000000000-mapping.dmp

Download
memory/1740-66-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1744-74-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/1744-72-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/1748-88-0x0000000000000000-mapping.dmp

Download
memory/1748-92-0x0000000000400000-0x000000000043A0CC-memory.dmp

Filesize
232KB

Download
memory/1748-93-0x0000000000400000-0x000000000043A0CC-memory.dmp

Filesize
232KB

Download
memory/1916-82-0x0000000000400000-0x000000000043A0CC-memory.dmp

Filesize
232KB

Download
memory/1916-58-0x0000000000000000-mapping.dmp

Download