ramnit | 90e3a8c7466c9c809e7be85dafa71cf55de16f75a440de49c7479ffa6d6d6a33

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e3a8c7466c9c809e7be85dafa71cf55de16f75a440de49c7479ffa6d6d6a33.dll
Size

227KB
MD5

96d61cc26876e90464111d8167413565
SHA1

8eec3656b5fa3f9e1dcb3e2ae27d9bfe4289553c
SHA256

90e3a8c7466c9c809e7be85dafa71cf55de16f75a440de49c7479ffa6d6d6a33
SHA512

553be325b74f21cf90422ed3b0b1bf228fbae0555765f95fd9157540d820e2305a8d0ff45030e44785498ff2e019592c4bcddadc96429271d52dee5f5b4a5103
SSDEEP

3072:n0NbrbkYHUyP9eECVWfpIhbWoVnW6IioARoKO7JurqeBTg4vRP86TvOB5n+902eD:MrkYHjIWeWcd71byn/LCK1

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1572	rundll32mgr.exe
3136	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1572-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1572-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1572-143-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1572-142-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1572-141-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1572-147-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3136-154-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-155-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-156-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-159-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-160-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-161-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3136-162-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA07B.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3688	3916	WerFault.exe	81
3816	1512	WerFault.exe	76

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DF5231ED-756F-11ED-B696-E62BBF623C53} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377100870"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DF4D6EE2-756F-11ED-B696-E62BBF623C53} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe
3136	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1380	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	iexplore.exe
4940	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4940	iexplore.exe
4940	iexplore.exe
1380	iexplore.exe
1380	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1572	rundll32mgr.exe
3136	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1512	1096	rundll32.exe	76
PID 1096 wrote to memory of 1512	1096	rundll32.exe	76
PID 1096 wrote to memory of 1512	1096	rundll32.exe	76
PID 1512 wrote to memory of 1572	1512	rundll32.exe	77
PID 1512 wrote to memory of 1572	1512	rundll32.exe	77
PID 1512 wrote to memory of 1572	1512	rundll32.exe	77
PID 1572 wrote to memory of 3136	1572	rundll32mgr.exe	79
PID 1572 wrote to memory of 3136	1572	rundll32mgr.exe	79
PID 1572 wrote to memory of 3136	1572	rundll32mgr.exe	79
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 3916	3136	WaterMark.exe	81
PID 3136 wrote to memory of 1380	3136	WaterMark.exe	85
PID 3136 wrote to memory of 1380	3136	WaterMark.exe	85
PID 3136 wrote to memory of 4940	3136	WaterMark.exe	86
PID 3136 wrote to memory of 4940	3136	WaterMark.exe	86
PID 4940 wrote to memory of 1528	4940	iexplore.exe	88
PID 4940 wrote to memory of 1528	4940	iexplore.exe	88
PID 4940 wrote to memory of 1528	4940	iexplore.exe	88
PID 1380 wrote to memory of 1280	1380	iexplore.exe	87
PID 1380 wrote to memory of 1280	1380	iexplore.exe	87
PID 1380 wrote to memory of 1280	1380	iexplore.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e3a8c7466c9c809e7be85dafa71cf55de16f75a440de49c7479ffa6d6d6a33.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e3a8c7466c9c809e7be85dafa71cf55de16f75a440de49c7479ffa6d6d6a33.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:3916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 204
        6⤵
        Program crash
        
        PID:3688
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1280
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 608
    3⤵
    - Program crash
    PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1512 -ip 1512
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3916 -ip 3916
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF4D6EE2-756F-11ED-B696-E62BBF623C53}.dat

Filesize
4KB

MD5
6f96a1500d44bc87183ec44673864c6a

SHA1
4808daeec30f9e3cfb16053b9ecfe91e2fde4f79

SHA256
0e6cef8b8edc60b0a5dbc816edc6dc2d2fb5a2b1f42e9ea998713b40e82b8fb5

SHA512
be04ad41be49aa74e630e8eddce951d2fa243760e6aeb4cda0c510e8b8f525a1be83da0607b75abecbce81e8e0174635b60bd63c6bad6500bc1a9101cdd91b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF5231ED-756F-11ED-B696-E62BBF623C53}.dat

Filesize
5KB

MD5
a62044e33377ea450039f3d83491cb6c

SHA1
580fe30ebb1508c061fc49ddd648acab6a89933e

SHA256
85035479561ef329ab4af34059b4b461724156b4bf43a6af8167164443cc8b98

SHA512
79b99f678df419ae5802ca3af36c085ad280186300ae63edbd0fe52b32f82ffd105ce31b7e5f35ab2a5ec25e54fd4a74b55d3b7a82641cb966edcc155748c215

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1512-140-0x0000000075790000-0x00000000757CE000-memory.dmp

Filesize
248KB

Download
memory/1572-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1572-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-141-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1572-147-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-143-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-154-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-156-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-159-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-160-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-161-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3136-162-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download