ramnit | 20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546

General

Target

20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe
Size

830KB
MD5

9640eccfd30d456c8013219d0fef5922
SHA1

6cf2f6a1eade4334df67c6889c831b1971669e67
SHA256

20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546
SHA512

a0cf9fa410041eff21054b0124eded4591e954c9e191114b9838a46387cf36506b4aa9532800b7ba312c536f8fe45bdbe9bf6b8f2f4dc96a7a4e37d6097f8008
SSDEEP

12288:76tERgNg5unckhtpDKZczPrlh+Sl4qyBe/Sn4txi2:7Fu7MCRPa98/aj2

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
940	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/940-63-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe
1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe
940	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe
1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe
940	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	940	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	520	AUDIODG.EXE
Token: 33	520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	520	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 940	1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe	28
PID 1812 wrote to memory of 940	1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe	28
PID 1812 wrote to memory of 940	1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe	28
PID 1812 wrote to memory of 940	1812	20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe	28

C:\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe
"C:\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe
  C:\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 180
    3⤵
    - Program crash
    PID:1328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe

Filesize
354KB

MD5
a8245f71e4e4aff10e574300abd2bcc2

SHA1
7ea3ae53a0697e526c6bc877b103b390af042d7a

SHA256
7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

SHA512
8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

Download Submit
\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe

Filesize
354KB

MD5
a8245f71e4e4aff10e574300abd2bcc2

SHA1
7ea3ae53a0697e526c6bc877b103b390af042d7a

SHA256
7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

SHA512
8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

Download Submit
\Users\Admin\AppData\Local\Temp\20e6166b228b6d65536f4689521c14da5676d49bd47b378d581081220cecc546mgr.exe

Filesize
354KB

MD5
a8245f71e4e4aff10e574300abd2bcc2

SHA1
7ea3ae53a0697e526c6bc877b103b390af042d7a

SHA256
7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

SHA512
8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\~TM9CDC.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM9D6A.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/940-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/940-58-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/940-64-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/940-67-0x00000000771E0000-0x0000000077360000-memory.dmp

Filesize
1.5MB

Download
memory/940-69-0x00000000771E0000-0x0000000077360000-memory.dmp

Filesize
1.5MB

Download
memory/1812-65-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1812-66-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/1812-68-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1812-70-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1812-71-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/1812-72-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1812-73-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing