ramnit | 3b47910e69e7050a8f0225fd3bdfc003802b392e12519f5f2413462e6481e47a

General

Target

719be2a7e0f7dfd0aba67017ec2966cb.exe
Size

220KB
MD5

719be2a7e0f7dfd0aba67017ec2966cb
SHA1

7f64efceb554aed2ddf665ebfca47eaa71ab3677
SHA256

3b47910e69e7050a8f0225fd3bdfc003802b392e12519f5f2413462e6481e47a
SHA512

ca95c58fc4d5aed75c1d6c6c95b799fde9c7665dcce3aab5c47971a53324977e0211206cd1f17659c4f5de3fda632dbacc0be62e5c79d8d4b384506856f4e143
SSDEEP

3072:GMsCUsER3Fx/asAm3jUWvUIYeMYqFquq8RnPZKlNkfKN5CS+t9CpZ+AS7P1ZBGjh:GMsCUpR35iLs8WD4HCGX7BGqy+lY

Score

10^/10

ramnit 26 ��1 banker persistence spyware stealer trojan worm

Malware Config

Extracted

Family

ramnit

Botnet

26

C2

��1:8001

Attributes

campaign_timestamp
1.505981184e+09
compile_timestamp
1.500910876e+09
dga_seed
7.90544302e+08
listen_port
0
num_dga_domains
40

xor.base64

rc4.plain

rsa_pubkey.base64

Extracted

Family

ramnit

Botnet

��1

C2

��1:8001

Attributes

campaign_timestamp
1.505981184e+09
compile_timestamp
1.500910876e+09
dga_seed
7.90544302e+08
listen_port
0
num_dga_domains
40

xor.base64

rc4.plain

rsa_pubkey.base64

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Deletes itself 1 IoCs

Processes:

wmplayer.exe

pid process

5016 wmplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awyhryyo = "C:\\Users\\Admin\\AppData\\Roaming\\awyhryyo\\pjxmatwa.vbs"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exe

description	pid	process	target process
PID 4876 set thread context of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 set thread context of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe

Modifies registry class 1 IoCs

Processes:

wmplayer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings wmplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmplayer.exe

pid	process
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe
5016	wmplayer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exe

pid process

4876 719be2a7e0f7dfd0aba67017ec2966cb.exe

pid	process
4876	719be2a7e0f7dfd0aba67017ec2966cb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exewmplayer.exe

description	pid	process
Token: SeDebugPrivilege	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe
Token: SeSecurityPrivilege	5016	wmplayer.exe
Token: SeDebugPrivilege	5016	wmplayer.exe
Token: SeRestorePrivilege	5016	wmplayer.exe
Token: SeBackupPrivilege	5016	wmplayer.exe
Token: SeDebugPrivilege	5016	wmplayer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exewmplayer.exe

description	pid	process	target process
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4876 wrote to memory of 5016	4876	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 5016 wrote to memory of 2516	5016	wmplayer.exe	WScript.exe
PID 5016 wrote to memory of 2516	5016	wmplayer.exe	WScript.exe
PID 5016 wrote to memory of 2516	5016	wmplayer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\719be2a7e0f7dfd0aba67017ec2966cb.exe
"C:\Users\Admin\AppData\Local\Temp\719be2a7e0f7dfd0aba67017ec2966cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\awyhryyo\wpfcxolu.vbs"
3⤵
- Adds Run key to start application
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5016-0-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/5016-2-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-7-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-6-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-1-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/5016-20-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-29-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-32-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-36-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-39-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-33-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-31-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-30-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-28-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-44-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-27-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-25-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-24-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-23-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-46-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-49-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-52-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-54-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-56-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-59-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-61-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/5016-63-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads