ramnit | 300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3

Analysis

max time kernel
187s
max time network
165s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll
Size

132KB
MD5

80dcee8c8858c5e1123692425da2e962
SHA1

02d2a9adcd60de8e8c4905f54377934f03c0bf59
SHA256

300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3
SHA512

47ed7952dd09803f6df071b77e94e5fcaad60bc033ec7454656344d9b0e35250606da41a171c1c6f6ac9ad6f412e460869f642b11cbb524d98513a512d0ad1d7
SSDEEP

1536:gfxdLVZgZVOjClgHpwNmFmwYps0nd4d5AgjE/887CXnPufK7RP7:EbnWwYpRndtPgPufI7

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\wtnlgyyp\\fabmobct.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
520	rundll32mgr.exe
828	wfassbkmnfvbptsa.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fabmobct.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fabmobct.exe	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	rundll32.exe
1740	rundll32.exe
520	rundll32mgr.exe
520	rundll32mgr.exe
520	rundll32mgr.exe
520	rundll32mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FabMobct = "C:\\Users\\Admin\\AppData\\Local\\wtnlgyyp\\fabmobct.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	520	rundll32mgr.exe
Token: SeDebugPrivilege	520	rundll32mgr.exe
Token: SeSecurityPrivilege	1708	svchost.exe
Token: SeSecurityPrivilege	760	svchost.exe
Token: SeDebugPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeSecurityPrivilege	828	wfassbkmnfvbptsa.exe
Token: SeLoadDriverPrivilege	828	wfassbkmnfvbptsa.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe
Token: SeBackupPrivilege	760	svchost.exe
Token: SeRestorePrivilege	760	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1608 wrote to memory of 1740	1608	rundll32.exe	28
PID 1740 wrote to memory of 520	1740	rundll32.exe	29
PID 1740 wrote to memory of 520	1740	rundll32.exe	29
PID 1740 wrote to memory of 520	1740	rundll32.exe	29
PID 1740 wrote to memory of 520	1740	rundll32.exe	29
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 1708	520	rundll32mgr.exe	30
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 760	520	rundll32mgr.exe	31
PID 520 wrote to memory of 828	520	rundll32mgr.exe	32
PID 520 wrote to memory of 828	520	rundll32mgr.exe	32
PID 520 wrote to memory of 828	520	rundll32mgr.exe	32
PID 520 wrote to memory of 828	520	rundll32mgr.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\300a9dcd1521f08f0516a1578d3c5ec72e8c25501b300a886b9b2ff74107d9a3.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe
      "C:\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Users\Admin\AppData\Local\Temp\wfassbkmnfvbptsa.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
109KB

MD5
78036c32093e1442208584bf60fed0a5

SHA1
958f6b326ec4a3782a301b225b97b7025addf8ec

SHA256
5b33da19431d37272fbc06dde361cb17035d5c09fd6fb9c26c01fb90fe55c61d

SHA512
5b275e7c4166e5d90a647c57fd032691834338457911bb5a4044dd35faba27afaba53dc835cf627f8bdd458f48ffaed28b9d65e6b521442cc571251ac8aefa5d

Download Submit
memory/520-80-0x0000000000400000-0x00000000004374CC-memory.dmp

Filesize
221KB

Download
memory/520-89-0x0000000000710000-0x0000000000748000-memory.dmp

Filesize
224KB

Download
memory/760-76-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/760-72-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/828-90-0x0000000000400000-0x00000000004374CC-memory.dmp

Filesize
221KB

Download
memory/828-91-0x0000000000400000-0x00000000004374CC-memory.dmp

Filesize
221KB

Download
memory/1708-66-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1708-63-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1740-55-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download