ramnit | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

General

Target

a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Size

95KB
MD5

92abcb46ed44b6f5e4457839d63c048f
SHA1

d409f13652b6bd456a3b08ccc775392950aa3739
SHA256

a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80
SHA512

cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6
SSDEEP

1536:u7dkoVi9I2VK/JmpMZGH7+NICr3DUDloBzq3GmT2BbahE7jwaaHw7Koj4rhfu+u1:mdkoV4I2VK/Jmp6Gb+eCDgb3GmT2Bb5B

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Executes dropped EXE 1 IoCs

Processes:

smmqlcbrdnrlrykc.exe

pid process

1704 smmqlcbrdnrlrykc.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

pid	process
1704	smmqlcbrdnrlrykc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bhovjaci.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bhovjaci.exe	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe

pid	process
1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\BhoVjaci = "C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

svchost.exe

pid	process
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exesvchost.exesvchost.exesmmqlcbrdnrlrykc.exe

description	pid	process
Token: SeSecurityPrivilege	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Token: SeDebugPrivilege	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1712	svchost.exe
Token: SeDebugPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeSecurityPrivilege	1704	smmqlcbrdnrlrykc.exe
Token: SeLoadDriverPrivilege	1704	smmqlcbrdnrlrykc.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe
Token: SeBackupPrivilege	1712	svchost.exe
Token: SeRestorePrivilege	1712	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe

description	pid	process	target process
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1604	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1712	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	svchost.exe
PID 1260 wrote to memory of 1704	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	smmqlcbrdnrlrykc.exe
PID 1260 wrote to memory of 1704	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	smmqlcbrdnrlrykc.exe
PID 1260 wrote to memory of 1704	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	smmqlcbrdnrlrykc.exe
PID 1260 wrote to memory of 1704	1260	a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe	smmqlcbrdnrlrykc.exe

C:\Users\Admin\AppData\Local\Temp\a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
"C:\Users\Admin\AppData\Local\Temp\a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
"C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

3

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize
95KB

MD5
92abcb46ed44b6f5e4457839d63c048f

SHA1
d409f13652b6bd456a3b08ccc775392950aa3739

SHA256
a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

SHA512
cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6

Download Submit
\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize
95KB

MD5
92abcb46ed44b6f5e4457839d63c048f

SHA1
d409f13652b6bd456a3b08ccc775392950aa3739

SHA256
a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

SHA512
cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6

Download Submit
\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize
95KB

MD5
92abcb46ed44b6f5e4457839d63c048f

SHA1
d409f13652b6bd456a3b08ccc775392950aa3739

SHA256
a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

SHA512
cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6

Download Submit
\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize
95KB

MD5
92abcb46ed44b6f5e4457839d63c048f

SHA1
d409f13652b6bd456a3b08ccc775392950aa3739

SHA256
a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

SHA512
cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6

Download Submit
\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize
95KB

MD5
92abcb46ed44b6f5e4457839d63c048f

SHA1
d409f13652b6bd456a3b08ccc775392950aa3739

SHA256
a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80

SHA512
cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6

Download Submit
memory/1260-80-0x0000000000400000-0x000000000043A0EC-memory.dmp

Filesize
232KB

Download
memory/1260-59-0x0000000000400000-0x000000000043A0EC-memory.dmp

Filesize
232KB

Download
memory/1260-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1604-60-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1604-58-0x0000000000000000-mapping.dmp

Download
memory/1604-56-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-78-0x0000000000000000-mapping.dmp

Download
memory/1704-82-0x0000000000400000-0x000000000043A0EC-memory.dmp

Filesize
232KB

Download
memory/1712-70-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/1712-68-0x0000000000000000-mapping.dmp

Download
memory/1712-66-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads