ramnit | 69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c

Analysis

max time kernel
184s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll
Size

448KB
MD5

d229c3a7abd79e7e0202293d85e4b570
SHA1

a5df0fc7609cd5e7df98b5ca42afd9e183ebf316
SHA256

69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c
SHA512

253a3ebee5161e0412bfaeb9d8a25ad10f428c3d3725667921875823cfe6887aea9520c68c27bf50db7f03d696490d4fa93397fcad1b57c0180193c6c8f6cbfc
SSDEEP

12288:FehnaNPpSVZmNxRCwnwm3W3OHIIf5SnF/C0:Feh0PpS6NxNnwYeOHX0ntC0

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
5056	rundll32mgr.exe
3412	WaterMark.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5056-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3412-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3412-146-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3412-147-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px7271.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3492	2316	WerFault.exe	90
2644	664	WerFault.exe	82

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "791037730"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001147"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001147"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{44119CF2-762E-11ED-919F-7A41DBBD5662} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "791037730"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377182660"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{440F3C6C-762E-11ED-919F-7A41DBBD5662} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe
3412	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2620	iexplore.exe
3128	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3128	iexplore.exe
3128	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
764	IEXPLORE.EXE
764	IEXPLORE.EXE
4288	IEXPLORE.EXE
4288	IEXPLORE.EXE
4288	IEXPLORE.EXE
4288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 664	4368	rundll32.exe	82
PID 4368 wrote to memory of 664	4368	rundll32.exe	82
PID 4368 wrote to memory of 664	4368	rundll32.exe	82
PID 664 wrote to memory of 5056	664	rundll32.exe	85
PID 664 wrote to memory of 5056	664	rundll32.exe	85
PID 664 wrote to memory of 5056	664	rundll32.exe	85
PID 5056 wrote to memory of 3412	5056	rundll32mgr.exe	88
PID 5056 wrote to memory of 3412	5056	rundll32mgr.exe	88
PID 5056 wrote to memory of 3412	5056	rundll32mgr.exe	88
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2316	3412	WaterMark.exe	90
PID 3412 wrote to memory of 2620	3412	WaterMark.exe	94
PID 3412 wrote to memory of 2620	3412	WaterMark.exe	94
PID 3412 wrote to memory of 3128	3412	WaterMark.exe	95
PID 3412 wrote to memory of 3128	3412	WaterMark.exe	95
PID 3128 wrote to memory of 4288	3128	iexplore.exe	97
PID 3128 wrote to memory of 4288	3128	iexplore.exe	97
PID 3128 wrote to memory of 4288	3128	iexplore.exe	97
PID 2620 wrote to memory of 764	2620	iexplore.exe	96
PID 2620 wrote to memory of 764	2620	iexplore.exe	96
PID 2620 wrote to memory of 764	2620	iexplore.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cc84e019560b1ad8540f167cea60d5cf64e5b64adecfc6741136d4d6c8e29c.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 204
        6⤵
        Program crash
        
        PID:3492
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:764
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 580
    3⤵
    - Program crash
    PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 664 -ip 664
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2316 -ip 2316
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{440F3C6C-762E-11ED-919F-7A41DBBD5662}.dat

Filesize
3KB

MD5
39c66e4b8453ce17764fcc60d8cedffb

SHA1
b6dd9c25abef41ccc01ace77bbe6f834d7634879

SHA256
23de54360dea06e19f965911259991b9aeecac70af39c987da033d111a5f0cc9

SHA512
192e6c10f50bfe0014888d9d3c6f438fa8f496dbf8857847c350d0f31033f9c3c2c9be3f7ed7e5567325673c2e65a1c38fa416613f4a46dbbf61df388e0e08ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{44119CF2-762E-11ED-919F-7A41DBBD5662}.dat

Filesize
5KB

MD5
c24c4489a9449e36a43ab1e437ac2ea9

SHA1
f31e07102dd22175c454a73815620ede366dca19

SHA256
e87820f6b9ab7f757aa4e9e100c828ffa3926fe0f2f7f57d20bffe32c9ce24b1

SHA512
42bca8ff70cf2bc44bbd5faa4200dfead7f419aa86f1d30765558b02b7a446093b8ea9e21e5ae96503a9da2e49a488b4dd030171cd86b58084518fd9285cfc1c

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
memory/664-141-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/664-132-0x0000000000000000-mapping.dmp

Download
memory/2316-145-0x0000000000000000-mapping.dmp

Download
memory/3412-136-0x0000000000000000-mapping.dmp

Download
memory/3412-143-0x0000000002020000-0x0000000002041000-memory.dmp

Filesize
132KB

Download
memory/3412-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3412-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3412-147-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5056-140-0x0000000000540000-0x0000000000561000-memory.dmp

Filesize
132KB

Download
memory/5056-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5056-133-0x0000000000000000-mapping.dmp

Download