ramnit | e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

Analysis

max time kernel
153s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
Size

110KB
MD5

a7af90f5da509415d3e03b2636628529
SHA1

ab5f9294f77211bce8c0860964ef0408eeccf9f5
SHA256

e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2
SHA512

02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845
SSDEEP

3072:ch6Jsu7EQ7qOIx4J2vNbGfvGnd3gW5ZM4/us:+0V7EQ7GNdndPZMTs

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\epgoenfr\\mvxboqoi.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	ebvvtsqoipirywfk.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvxboqoi.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvxboqoi.exe	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MvxBoqoi = "C:\\Users\\Admin\\AppData\\Local\\epgoenfr\\mvxboqoi.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
Token: SeDebugPrivilege	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
Token: SeSecurityPrivilege	1968	svchost.exe
Token: SeSecurityPrivilege	1528	svchost.exe
Token: SeDebugPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeSecurityPrivilege	1472	ebvvtsqoipirywfk.exe
Token: SeLoadDriverPrivilege	1472	ebvvtsqoipirywfk.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1968	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	26
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1528	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	27
PID 1488 wrote to memory of 1472	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	28
PID 1488 wrote to memory of 1472	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	28
PID 1488 wrote to memory of 1472	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	28
PID 1488 wrote to memory of 1472	1488	e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe	28

C:\Users\Admin\AppData\Local\Temp\e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
"C:\Users\Admin\AppData\Local\Temp\e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks BIOS information in registry
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe
  "C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe

Filesize
110KB

MD5
a7af90f5da509415d3e03b2636628529

SHA1
ab5f9294f77211bce8c0860964ef0408eeccf9f5

SHA256
e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2

SHA512
02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845

Download Submit
memory/1472-86-0x0000000000400000-0x0000000000437D74-memory.dmp

Filesize
223KB

Download
memory/1488-56-0x0000000000400000-0x0000000000437D74-memory.dmp

Filesize
223KB

Download
memory/1488-79-0x0000000001F90000-0x0000000001FC8000-memory.dmp

Filesize
224KB

Download
memory/1488-80-0x0000000001F90000-0x0000000001FC8000-memory.dmp

Filesize
224KB

Download
memory/1488-54-0x0000000000400000-0x0000000000437D74-memory.dmp

Filesize
223KB

Download
memory/1488-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-85-0x0000000000400000-0x0000000000437D74-memory.dmp

Filesize
223KB

Download
memory/1528-67-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/1528-71-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/1968-61-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1968-58-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download