ramnit | b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf

General

Target

b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
Size

120KB
MD5

fc767171269c89ab964faa2daa471e31
SHA1

05a912999017ede0c5885dd65db92fd8200542c2
SHA256

b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf
SHA512

6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849
SSDEEP

768:DQxkwifBsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2Y:D8kwilTEhU4HDa1KkjWXUa21mc/Mue9

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

WaterMark.exe

pid process

1008 WaterMark.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1208-57-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1008-70-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1008-183-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe

pid	process
1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

Processes:

b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF586.tmp	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1008	WaterMark.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe
1304	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaterMark.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1008 WaterMark.exe
Token: SeDebugPrivilege 1304 svchost.exe
Token: SeDebugPrivilege 1008 WaterMark.exe

description	pid	process
Token: SeDebugPrivilege	1008	WaterMark.exe
Token: SeDebugPrivilege	1304	svchost.exe
Token: SeDebugPrivilege	1008	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1208 wrote to memory of 1008	1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe	WaterMark.exe
PID 1208 wrote to memory of 1008	1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe	WaterMark.exe
PID 1208 wrote to memory of 1008	1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe	WaterMark.exe
PID 1208 wrote to memory of 1008	1208	b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe	WaterMark.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1940	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1008 wrote to memory of 1304	1008	WaterMark.exe	svchost.exe
PID 1304 wrote to memory of 260	1304	svchost.exe	smss.exe
PID 1304 wrote to memory of 260	1304	svchost.exe	smss.exe
PID 1304 wrote to memory of 260	1304	svchost.exe	smss.exe
PID 1304 wrote to memory of 260	1304	svchost.exe	smss.exe
PID 1304 wrote to memory of 260	1304	svchost.exe	smss.exe
PID 1304 wrote to memory of 332	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 332	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 332	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 332	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 332	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 368	1304	svchost.exe	wininit.exe
PID 1304 wrote to memory of 368	1304	svchost.exe	wininit.exe
PID 1304 wrote to memory of 368	1304	svchost.exe	wininit.exe
PID 1304 wrote to memory of 368	1304	svchost.exe	wininit.exe
PID 1304 wrote to memory of 368	1304	svchost.exe	wininit.exe
PID 1304 wrote to memory of 376	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 376	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 376	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 376	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 376	1304	svchost.exe	csrss.exe
PID 1304 wrote to memory of 416	1304	svchost.exe	winlogon.exe
PID 1304 wrote to memory of 416	1304	svchost.exe	winlogon.exe
PID 1304 wrote to memory of 416	1304	svchost.exe	winlogon.exe
PID 1304 wrote to memory of 416	1304	svchost.exe	winlogon.exe
PID 1304 wrote to memory of 416	1304	svchost.exe	winlogon.exe
PID 1304 wrote to memory of 460	1304	svchost.exe	services.exe
PID 1304 wrote to memory of 460	1304	svchost.exe	services.exe
PID 1304 wrote to memory of 460	1304	svchost.exe	services.exe
PID 1304 wrote to memory of 460	1304	svchost.exe	services.exe
PID 1304 wrote to memory of 460	1304	svchost.exe	services.exe
PID 1304 wrote to memory of 476	1304	svchost.exe	lsass.exe
PID 1304 wrote to memory of 476	1304	svchost.exe	lsass.exe
PID 1304 wrote to memory of 476	1304	svchost.exe	lsass.exe
PID 1304 wrote to memory of 476	1304	svchost.exe	lsass.exe
PID 1304 wrote to memory of 476	1304	svchost.exe	lsass.exe
PID 1304 wrote to memory of 484	1304	svchost.exe	lsm.exe
PID 1304 wrote to memory of 484	1304	svchost.exe	lsm.exe
PID 1304 wrote to memory of 484	1304	svchost.exe	lsm.exe
PID 1304 wrote to memory of 484	1304	svchost.exe	lsm.exe
PID 1304 wrote to memory of 484	1304	svchost.exe	lsm.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1832

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1988

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe
"C:\Users\Admin\AppData\Local\Temp\b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf.exe"
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
120KB

MD5
fc767171269c89ab964faa2daa471e31

SHA1
05a912999017ede0c5885dd65db92fd8200542c2

SHA256
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf

SHA512
6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
120KB

MD5
fc767171269c89ab964faa2daa471e31

SHA1
05a912999017ede0c5885dd65db92fd8200542c2

SHA256
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf

SHA512
6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
120KB

MD5
fc767171269c89ab964faa2daa471e31

SHA1
05a912999017ede0c5885dd65db92fd8200542c2

SHA256
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf

SHA512
6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
120KB

MD5
fc767171269c89ab964faa2daa471e31

SHA1
05a912999017ede0c5885dd65db92fd8200542c2

SHA256
b548592f80db58c1571a31920aafb2a42ee0caf364723bd1d50204f8639366bf

SHA512
6ffff7778c4dc5fdc49676872820301e5107145d64f8304ccb0e434157efdaafbe3dfb963041539b410cdff7bb0dd6b4888a7bea9a6884ec64a58d3a3782e849

Download Submit
memory/1008-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1008-56-0x0000000000000000-mapping.dmp

Download
memory/1008-183-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1008-131-0x0000000020021000-0x0000000020028000-memory.dmp

Filesize
28KB

Download
memory/1008-71-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/1208-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1208-59-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1304-77-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1304-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1304-76-0x0000000000000000-mapping.dmp

Download
memory/1940-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1940-72-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1940-65-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1940-64-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1940-184-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads