ramnit | 284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb

Analysis

max time kernel
203s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 05:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe
Size

95KB
MD5

9d5ac0b51b13de350cf4e18c3ae102d0
SHA1

b83a33fc509ee70201cbb56bd5dcde968be48657
SHA256

284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb
SHA512

c550a201dc1155ab78fa50dcc2c1620293afbbeb21c9bd9a21df68ef7fcba870c936853adbaffc799eb38645d7cbcd2ea0a50372933ce92f2cc46313d80a7ebb
SSDEEP

768:r06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:5R0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
4736	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/60-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/60-136-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/60-143-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4736-147-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-148-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-150-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-149-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-152-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-153-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-154-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-155-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4736-156-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px99A0.tmp	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2784	428	WerFault.exe	87
5000	428	WerFault.exe	87

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1739657104"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1727157714"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1727157714"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C066716-72F7-11ED-919F-FE1968EF3A40} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C064006-72F7-11ED-919F-FE1968EF3A40} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1739657104"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000324"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000324"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000324"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376829317"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000324"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe
4736	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3772	iexplore.exe
4108	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4108	iexplore.exe
4108	iexplore.exe
3772	iexplore.exe
3772	iexplore.exe
3084	IEXPLORE.EXE
3084	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
60	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe
4736	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4736	60	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe	86
PID 60 wrote to memory of 4736	60	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe	86
PID 60 wrote to memory of 4736	60	284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe	86
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 428	4736	WaterMark.exe	87
PID 4736 wrote to memory of 4108	4736	WaterMark.exe	90
PID 4736 wrote to memory of 4108	4736	WaterMark.exe	90
PID 4736 wrote to memory of 3772	4736	WaterMark.exe	91
PID 4736 wrote to memory of 3772	4736	WaterMark.exe	91
PID 428 wrote to memory of 2784	428	svchost.exe	93
PID 428 wrote to memory of 2784	428	svchost.exe	93
PID 428 wrote to memory of 2784	428	svchost.exe	93
PID 3772 wrote to memory of 1564	3772	iexplore.exe	95
PID 3772 wrote to memory of 1564	3772	iexplore.exe	95
PID 3772 wrote to memory of 1564	3772	iexplore.exe	95
PID 4108 wrote to memory of 3084	4108	iexplore.exe	96
PID 4108 wrote to memory of 3084	4108	iexplore.exe	96
PID 4108 wrote to memory of 3084	4108	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe
"C:\Users\Admin\AppData\Local\Temp\284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:60
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 204
      4⤵
      Program crash
      PID:2784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 204
      4⤵
      Program crash
      PID:5000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4108 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3084
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3772 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428
1⤵
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
95KB

MD5
9d5ac0b51b13de350cf4e18c3ae102d0

SHA1
b83a33fc509ee70201cbb56bd5dcde968be48657

SHA256
284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb

SHA512
c550a201dc1155ab78fa50dcc2c1620293afbbeb21c9bd9a21df68ef7fcba870c936853adbaffc799eb38645d7cbcd2ea0a50372933ce92f2cc46313d80a7ebb

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
95KB

MD5
9d5ac0b51b13de350cf4e18c3ae102d0

SHA1
b83a33fc509ee70201cbb56bd5dcde968be48657

SHA256
284025925ec0a4dc517b65f2320dc487f156d78429368a08ec8db025773bd4bb

SHA512
c550a201dc1155ab78fa50dcc2c1620293afbbeb21c9bd9a21df68ef7fcba870c936853adbaffc799eb38645d7cbcd2ea0a50372933ce92f2cc46313d80a7ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C064006-72F7-11ED-919F-FE1968EF3A40}.dat

Filesize
5KB

MD5
85f66d949e328f11b381155ba5f5c47c

SHA1
99a66feb5334cb211db90448452d47c8eba97e35

SHA256
7dde723ab483723c596e32db9afc4393f951a3d8338c53ee81b8ef879019ec73

SHA512
3358f0bcad8e782ea8ab62242246d99d8bc8ece1ac9324c4daaecc878371cdf9fbeceb2a1dc5213deaae0e7c28ace6285a924a6997d729b90abff0bac0d5277e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C066716-72F7-11ED-919F-FE1968EF3A40}.dat

Filesize
3KB

MD5
b87b5b130df6abda32f45a4b8e402e47

SHA1
d0abba5347f071cb0ae7e54b8f81409b4fd29c7d

SHA256
abbf0249ec7b5c406f9df8f882b29bdd5960f0dea3b20a453a9027f633c68108

SHA512
734502915956642a53d5cbe05164b1077b4211753fc20f9b3f9bebff142f1eee38d0e5d10e805f23787588d2beb9b182b48bcfb3eae114b61114cb9ecce60ea0

Download Submit
memory/60-132-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/60-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/60-136-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/60-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4736-150-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-148-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-152-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-154-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-155-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4736-156-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4736-147-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download