ramnit | 9a2aaf533a5c7edb2c30f9da3adea44cf6c4b7c35f6effc0669cecb259c6e8cc

Analysis

max time kernel
165s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a2aaf533a5c7edb2c30f9da3adea44cf6c4b7c35f6effc0669cecb259c6e8cc.dll
Size

104KB
MD5

69972048c85c1511e33338a9da653a10
SHA1

1e8f42b31834ffc3deba86856a063f80fff6e735
SHA256

9a2aaf533a5c7edb2c30f9da3adea44cf6c4b7c35f6effc0669cecb259c6e8cc
SHA512

0d7a77cf0740c1cb74257aa4d273284ee5307d7ccb03591541fead7bb84d607b8d1e52821cee75ce14fd30e70daa388ac96f0efc570941b27f094fdfb2bcd053
SSDEEP

3072:3FVd8ng8PHzV+NfJG+a+kj36SB50Att2Az:3Hdj8PHp+9Jm+g3t5tEAz

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
3172	rundll32mgr.exe
2584	WaterMark.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3172-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3172-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2584-151-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-152-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-153-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-154-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-155-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-156-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2584-157-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px102C.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3064	1800	WerFault.exe	84
452	3956	WerFault.exe	89

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2138518830"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001151"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2361956699"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B1DEE63E-7632-11ED-BF5F-66CD4AA2E676} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001151"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B1DC848A-7632-11ED-BF5F-66CD4AA2E676} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2138518830"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001151"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe
2584	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2708	iexplore.exe
5116	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5116	iexplore.exe
5116	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3172	rundll32mgr.exe
2584	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 1800	3792	rundll32.exe	84
PID 3792 wrote to memory of 1800	3792	rundll32.exe	84
PID 3792 wrote to memory of 1800	3792	rundll32.exe	84
PID 1800 wrote to memory of 3172	1800	rundll32.exe	85
PID 1800 wrote to memory of 3172	1800	rundll32.exe	85
PID 1800 wrote to memory of 3172	1800	rundll32.exe	85
PID 3172 wrote to memory of 2584	3172	rundll32mgr.exe	87
PID 3172 wrote to memory of 2584	3172	rundll32mgr.exe	87
PID 3172 wrote to memory of 2584	3172	rundll32mgr.exe	87
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 3956	2584	WaterMark.exe	89
PID 2584 wrote to memory of 2708	2584	WaterMark.exe	92
PID 2584 wrote to memory of 2708	2584	WaterMark.exe	92
PID 2584 wrote to memory of 5116	2584	WaterMark.exe	93
PID 2584 wrote to memory of 5116	2584	WaterMark.exe	93
PID 2708 wrote to memory of 1976	2708	iexplore.exe	98
PID 2708 wrote to memory of 1976	2708	iexplore.exe	98
PID 2708 wrote to memory of 1976	2708	iexplore.exe	98
PID 5116 wrote to memory of 3004	5116	iexplore.exe	99
PID 5116 wrote to memory of 3004	5116	iexplore.exe	99
PID 5116 wrote to memory of 3004	5116	iexplore.exe	99

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a2aaf533a5c7edb2c30f9da3adea44cf6c4b7c35f6effc0669cecb259c6e8cc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a2aaf533a5c7edb2c30f9da3adea44cf6c4b7c35f6effc0669cecb259c6e8cc.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 212
        6⤵
        Program crash
        
        PID:452
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 608
    3⤵
    - Program crash
    PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1800 -ip 1800
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3956 -ip 3956
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B1DC848A-7632-11ED-BF5F-66CD4AA2E676}.dat

Filesize
3KB

MD5
be6e4128433d28691519ce9eb273ef22

SHA1
f5383161c5b9e6e76d0045c0545781ade1f0f53c

SHA256
3b77c3b54072ebb32858c2425a80750ae5fdfb56ed5a7a12fddeb1335c7137c9

SHA512
c43f70fbb73c25e16cfc195679b3f424220f3e2c567c230119cbe83357f21b091ac21af9746e540ea9113560d63187c3aa12bfbfad63191c259699d3f9e788bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B1DEE63E-7632-11ED-BF5F-66CD4AA2E676}.dat

Filesize
3KB

MD5
3508bcfcc869071db03bf92a2ed3cfcf

SHA1
9cb0435409bba82bf2243e1ff47b036be0e42b63

SHA256
0618a92fa8f171e95e36e8ea779741d4d1985951f38b212aaa6ddb8c4fd79991

SHA512
f6c973258ede4c33dfe9ae89676e013da4513c4cbd7f221d489786dada65fa25d906a0d637a7136bfcdae195fbb39e66acf65d12a5cbcfabadabbeb66a776b8f

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1800-150-0x000000006D140000-0x000000006D15A000-memory.dmp

Filesize
104KB

Download
memory/2584-157-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2584-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-156-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-151-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-152-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-154-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3172-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3172-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3172-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download