ramnit | 9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

General

Target

9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
Size

121KB
MD5

2299a2d6f8d62723d3d76cac0bc2c01b
SHA1

a2c396aa7d073b50ddc96a9996eef8f47cb9b04b
SHA256

9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa
SHA512

2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95
SSDEEP

1536:N8kwilTEhU4HDa1KkjWXUa21mc/Mue9VR:dhlohUEK9ekp6

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

WaterMark.exe

pid process

1932 WaterMark.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1500-57-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1932-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1932-178-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe

pid	process
1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

Processes:

9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF835.tmp	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
1932	WaterMark.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1932 WaterMark.exe
Token: SeDebugPrivilege 820 svchost.exe
Token: SeDebugPrivilege 1932 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	1932	WaterMark.exe
Token: SeDebugPrivilege	820	svchost.exe
Token: SeDebugPrivilege	1932	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1500 wrote to memory of 1932	1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe	WaterMark.exe
PID 1500 wrote to memory of 1932	1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe	WaterMark.exe
PID 1500 wrote to memory of 1932	1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe	WaterMark.exe
PID 1500 wrote to memory of 1932	1500	9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe	WaterMark.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 676	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 1932 wrote to memory of 820	1932	WaterMark.exe	svchost.exe
PID 820 wrote to memory of 260	820	svchost.exe	smss.exe
PID 820 wrote to memory of 260	820	svchost.exe	smss.exe
PID 820 wrote to memory of 260	820	svchost.exe	smss.exe
PID 820 wrote to memory of 260	820	svchost.exe	smss.exe
PID 820 wrote to memory of 260	820	svchost.exe	smss.exe
PID 820 wrote to memory of 332	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 332	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 332	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 332	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 332	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 368	820	svchost.exe	wininit.exe
PID 820 wrote to memory of 368	820	svchost.exe	wininit.exe
PID 820 wrote to memory of 368	820	svchost.exe	wininit.exe
PID 820 wrote to memory of 368	820	svchost.exe	wininit.exe
PID 820 wrote to memory of 368	820	svchost.exe	wininit.exe
PID 820 wrote to memory of 380	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 380	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 380	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 380	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 380	820	svchost.exe	csrss.exe
PID 820 wrote to memory of 416	820	svchost.exe	winlogon.exe
PID 820 wrote to memory of 416	820	svchost.exe	winlogon.exe
PID 820 wrote to memory of 416	820	svchost.exe	winlogon.exe
PID 820 wrote to memory of 416	820	svchost.exe	winlogon.exe
PID 820 wrote to memory of 416	820	svchost.exe	winlogon.exe
PID 820 wrote to memory of 464	820	svchost.exe	services.exe
PID 820 wrote to memory of 464	820	svchost.exe	services.exe
PID 820 wrote to memory of 464	820	svchost.exe	services.exe
PID 820 wrote to memory of 464	820	svchost.exe	services.exe
PID 820 wrote to memory of 464	820	svchost.exe	services.exe
PID 820 wrote to memory of 472	820	svchost.exe	lsass.exe
PID 820 wrote to memory of 472	820	svchost.exe	lsass.exe
PID 820 wrote to memory of 472	820	svchost.exe	lsass.exe
PID 820 wrote to memory of 472	820	svchost.exe	lsass.exe
PID 820 wrote to memory of 472	820	svchost.exe	lsass.exe
PID 820 wrote to memory of 480	820	svchost.exe	lsm.exe
PID 820 wrote to memory of 480	820	svchost.exe	lsm.exe
PID 820 wrote to memory of 480	820	svchost.exe	lsm.exe
PID 820 wrote to memory of 480	820	svchost.exe	lsm.exe
PID 820 wrote to memory of 480	820	svchost.exe	lsm.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:828

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1476

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:480

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe
"C:\Users\Admin\AppData\Local\Temp\9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa.exe"
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
121KB

MD5
2299a2d6f8d62723d3d76cac0bc2c01b

SHA1
a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

SHA256
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

SHA512
2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
121KB

MD5
2299a2d6f8d62723d3d76cac0bc2c01b

SHA1
a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

SHA256
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

SHA512
2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
121KB

MD5
2299a2d6f8d62723d3d76cac0bc2c01b

SHA1
a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

SHA256
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

SHA512
2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
121KB

MD5
2299a2d6f8d62723d3d76cac0bc2c01b

SHA1
a2c396aa7d073b50ddc96a9996eef8f47cb9b04b

SHA256
9124e6062db2c318517de2d45158e3f7e580e20884d80ee03625861f830f94fa

SHA512
2bc19355cc23cfa3c43e629d39742a8ceb75bec402202cbaaea78e39f452da250296628c0f35ff043047458275eaaca4f9b04768754f4ce475d92b4c32521a95

Download Submit
memory/676-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/676-71-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/676-179-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/676-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/676-64-0x0000000000000000-mapping.dmp

Download
memory/676-65-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/820-75-0x0000000000000000-mapping.dmp

Download
memory/820-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/820-76-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1500-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1500-60-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1932-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download
memory/1932-129-0x0000000020020000-0x000000002002B000-memory.dmp

Filesize
44KB

Download
memory/1932-128-0x0000000020021000-0x0000000020028000-memory.dmp

Filesize
28KB

Download
memory/1932-178-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads