ramnit | 864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe
Size

143KB
MD5

4b4326bf46b1b510ff7bc50ad96e7d74
SHA1

369e40f3e7b87b9eebdc71590a1c28469a9e6112
SHA256

864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d
SHA512

456238502a4ea6710b279776fbbf66346bec3aebb38129228d3a40f320d904433041fec0888546ed72d88da17a1d0d970f36f3b3ab50187e06c8cd3380f51955
SSDEEP

1536:IR0In3Pc0LCH9MtbvabUDzJYWu3BGI5juMlXyUEu02fk:IRTn3k0CdM1vabyzJYWqn3E92fk

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1292	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1548-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1548-136-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1548-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1292-145-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-146-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-147-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-148-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-151-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-154-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-153-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-152-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1292-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6F3.tmp	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
636	2652	WerFault.exe	86

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AF33EC2B-74F1-11ED-BF5F-DE991C57DA8F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AF34133B-74F1-11ED-BF5F-DE991C57DA8F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000830"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000830"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2239698275"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000830"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2239698275"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2658134833"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377046717"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe
1292	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3752	iexplore.exe
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2020	iexplore.exe
2020	iexplore.exe
3752	iexplore.exe
3752	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1548	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe
1292	WaterMark.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1292	1548	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe	85
PID 1548 wrote to memory of 1292	1548	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe	85
PID 1548 wrote to memory of 1292	1548	864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe	85
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 2652	1292	WaterMark.exe	86
PID 1292 wrote to memory of 3752	1292	WaterMark.exe	89
PID 1292 wrote to memory of 3752	1292	WaterMark.exe	89
PID 1292 wrote to memory of 2020	1292	WaterMark.exe	90
PID 1292 wrote to memory of 2020	1292	WaterMark.exe	90
PID 3752 wrote to memory of 1060	3752	iexplore.exe	91
PID 3752 wrote to memory of 1060	3752	iexplore.exe	91
PID 3752 wrote to memory of 1060	3752	iexplore.exe	91
PID 2020 wrote to memory of 2184	2020	iexplore.exe	92
PID 2020 wrote to memory of 2184	2020	iexplore.exe	92
PID 2020 wrote to memory of 2184	2020	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe
"C:\Users\Admin\AppData\Local\Temp\864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 204
      4⤵
      Program crash
      PID:636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3752 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2652 -ip 2652
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
143KB

MD5
4b4326bf46b1b510ff7bc50ad96e7d74

SHA1
369e40f3e7b87b9eebdc71590a1c28469a9e6112

SHA256
864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d

SHA512
456238502a4ea6710b279776fbbf66346bec3aebb38129228d3a40f320d904433041fec0888546ed72d88da17a1d0d970f36f3b3ab50187e06c8cd3380f51955

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
143KB

MD5
4b4326bf46b1b510ff7bc50ad96e7d74

SHA1
369e40f3e7b87b9eebdc71590a1c28469a9e6112

SHA256
864cbb3cbbea52b6af69f75d515ec4e0b9c3548c75e8349f7260d81511e1a37d

SHA512
456238502a4ea6710b279776fbbf66346bec3aebb38129228d3a40f320d904433041fec0888546ed72d88da17a1d0d970f36f3b3ab50187e06c8cd3380f51955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AF33EC2B-74F1-11ED-BF5F-DE991C57DA8F}.dat

Filesize
5KB

MD5
0d8c02c78da5c09aff22a480cda9187d

SHA1
a56bc0582d7992e44c448887a780f17eac8a8389

SHA256
95883b54de9bd6be0940d7e0ad6f82f3a675232528cc782381ecd8d46d9fa466

SHA512
0463edc43e541dbbfbad83b0f10430c3d400e5d624691aa774889be4f8e7fef88095fe05ca4b1f542cd146b4bd6361e6ca83de33c87431c05772f3e0a7fe3ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AF34133B-74F1-11ED-BF5F-DE991C57DA8F}.dat

Filesize
4KB

MD5
bea9fcfcbf69d2d72c897423527bb4df

SHA1
63d014f1db23bca7799e5751d87e9dccaa20aa1f

SHA256
64ad474781e229c77e60e2c6d09e04af0e8436bdafdf96a88e8ad86195bd4350

SHA512
5a66fafe3452e19052a72a5a9b68873249aff9893daafc2c52443628a9e05767befe38ffb293f8dd82d0dbb3d5db5b4cb7624d501dae2e78f5be5bca48467281

Download Submit
memory/1292-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1548-136-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1548-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download