ramnit | 87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\giyuhypu\\ooqhrcyl.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

gtoctexr.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe

Modifies security service 2 TTPs 8 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

svchost.exegtoctexr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

svchost.exegtoctexr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gtoctexr.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

svchost.exegtoctexr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

gtoctexr.exegtoctexr.exe

pid process

1816 gtoctexr.exe
1608 gtoctexr.exe

pid	process
1816	gtoctexr.exe
1608	gtoctexr.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ooqhrcyl.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ooqhrcyl.exe	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.execmd.exe

pid	process
1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
1868	cmd.exe
1868	cmd.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

gtoctexr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gtoctexr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	gtoctexr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\OoqHrcyl = "C:\\Users\\Admin\\AppData\\Local\\giyuhypu\\ooqhrcyl.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

gtoctexr.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gtoctexr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gtoctexr.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

svchost.exegtoctexr.exe

pid	process
1328	svchost.exe
1328	svchost.exe
1608	gtoctexr.exe
1608	gtoctexr.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exesvchost.exesvchost.exegtoctexr.exegtoctexr.exe

description	pid	process
Token: SeSecurityPrivilege	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
Token: SeDebugPrivilege	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
Token: SeSecurityPrivilege	1992	svchost.exe
Token: SeSecurityPrivilege	1328	svchost.exe
Token: SeDebugPrivilege	1328	svchost.exe
Token: SeDebugPrivilege	1328	svchost.exe
Token: SeRestorePrivilege	1328	svchost.exe
Token: SeBackupPrivilege	1328	svchost.exe
Token: SeDebugPrivilege	1328	svchost.exe
Token: SeSecurityPrivilege	1816	gtoctexr.exe
Token: SeSecurityPrivilege	1608	gtoctexr.exe
Token: SeLoadDriverPrivilege	1608	gtoctexr.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exegtoctexr.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1992	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1328	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	svchost.exe
PID 1644 wrote to memory of 1816	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	gtoctexr.exe
PID 1644 wrote to memory of 1816	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	gtoctexr.exe
PID 1644 wrote to memory of 1816	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	gtoctexr.exe
PID 1644 wrote to memory of 1816	1644	87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe	gtoctexr.exe
PID 1816 wrote to memory of 1868	1816	gtoctexr.exe	cmd.exe
PID 1816 wrote to memory of 1868	1816	gtoctexr.exe	cmd.exe
PID 1816 wrote to memory of 1868	1816	gtoctexr.exe	cmd.exe
PID 1816 wrote to memory of 1868	1816	gtoctexr.exe	cmd.exe
PID 1868 wrote to memory of 1608	1868	cmd.exe	gtoctexr.exe
PID 1868 wrote to memory of 1608	1868	cmd.exe	gtoctexr.exe
PID 1868 wrote to memory of 1608	1868	cmd.exe	gtoctexr.exe
PID 1868 wrote to memory of 1608	1868	cmd.exe	gtoctexr.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

gtoctexr.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gtoctexr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gtoctexr.exe

C:\Users\Admin\AppData\Local\Temp\87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe
"C:\Users\Admin\AppData\Local\Temp\87a42043bc478cec68bf5f181efa3de0e597ceb0c2a68e4b626d1e53e3f29b1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Users\Admin\AppData\Local\Temp\gtoctexr.exe
"C:\Users\Admin\AppData\Local\Temp\gtoctexr.exe" elevate
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\gtoctexr.exe"" admin
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\gtoctexr.exe
"C:\Users\Admin\AppData\Local\Temp\gtoctexr.exe" admin
4⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

8

Bypass User Account Control

T1088

Disabling Security Tools

3