ramnit | a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1

General

Target

a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe
Size

150KB
MD5

33fba2e3a137f68bc6cb3a20b248c344
SHA1

31c06305bcdcf16fa73536795bb6513043abb3ca
SHA256

a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1
SHA512

35611b2afae57a1ab46d687b0966c6cedf7b497eab9fc05dbed6b9a79f80e077a231f2551cbdd6704249e3a75dcb0c22cea5a5fa7fc4b4e158cefd113ebd89ee
SSDEEP

1536:5LHvv4a3pfYRPit5k1zcY6F4lX7IncXC6h25Fin0Xe2oOQLsx:5Dvv4aZfEPitqzsGLInKCOQS9LlU

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
3020	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
3416	WaterMark.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3020-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3020-140-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3020-141-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3020-142-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3020-147-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3416-154-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3416-153-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3416-155-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3416-156-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3416-157-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3416-158-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB75B.tmp	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	3712	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3416	WaterMark.exe
3416	WaterMark.exe
3416	WaterMark.exe
3416	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3020	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
3416	WaterMark.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3020	208	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe	81
PID 208 wrote to memory of 3020	208	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe	81
PID 208 wrote to memory of 3020	208	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe	81
PID 3020 wrote to memory of 3416	3020	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe	84
PID 3020 wrote to memory of 3416	3020	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe	84
PID 3020 wrote to memory of 3416	3020	a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe	84
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85
PID 3416 wrote to memory of 3712	3416	WaterMark.exe	85

C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe
"C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
  C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 204
        5⤵
        Program crash
        
        PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3712 -ip 3712
1⤵
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3035079e038eb110a8ef5b762dd2a32ec774b849c51cf20722bdd2379ed08b1mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/208-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/208-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-147-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3020-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-141-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3020-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3416-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-154-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-156-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-157-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-158-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing