ramnit | 1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee

Analysis

max time kernel
108s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02db6c6dd0119ae4dd092c95269ef0fa.exe
Size

104KB
MD5

02db6c6dd0119ae4dd092c95269ef0fa
SHA1

0c847bd4af6ef9eb9da384374fb70117be59150d
SHA256

1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee
SHA512

b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b
SSDEEP

3072:lQ5faGko6CFrbJKARb0WQ9FSE1Fk8jwaaHw7Koj4rgdy:61afCF3IO0WmFR

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\yycueteg\\hfthotkw.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfthotkw.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfthotkw.exe	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	ykocqvmdrodvxony.exe

Loads dropped DLL 4 IoCs

pid	Process
2076	02db6c6dd0119ae4dd092c95269ef0fa.exe
2076	02db6c6dd0119ae4dd092c95269ef0fa.exe
2076	02db6c6dd0119ae4dd092c95269ef0fa.exe
2076	02db6c6dd0119ae4dd092c95269ef0fa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\HftHotkw = "C:\\Users\\Admin\\AppData\\Local\\yycueteg\\hfthotkw.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe
Token: SeDebugPrivilege	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe
Token: SeSecurityPrivilege	2812	svchost.exe
Token: SeSecurityPrivilege	2764	svchost.exe
Token: SeDebugPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeSecurityPrivilege	2192	ykocqvmdrodvxony.exe
Token: SeLoadDriverPrivilege	2192	ykocqvmdrodvxony.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe
Token: SeBackupPrivilege	2764	svchost.exe
Token: SeRestorePrivilege	2764	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2812	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	15
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2764	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	14
PID 2076 wrote to memory of 2192	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	30
PID 2076 wrote to memory of 2192	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	30
PID 2076 wrote to memory of 2192	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	30
PID 2076 wrote to memory of 2192	2076	02db6c6dd0119ae4dd092c95269ef0fa.exe	30

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe
"C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe
  "C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe

Filesize
80KB

MD5
665679f31fd5530f094e7e5b93bc8a46

SHA1
8fab0b5f6618d8440d35d56cade87aaa826bb485

SHA256
a08654b75d3b13a13fac0be1fc219afd8155263472ffdba584f7237e1828ab7d

SHA512
4777345b04465d5641c655bef14d703e3bb02a92f0e9cc9bb58488745bcce2aa1f40205e4f7ba383b55505d0c25d58560b7686f1eeed07a3226b7a7087e41936

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe

Filesize
92KB

MD5
2e6a231b86ac967e9ee2ab9273fa5b76

SHA1
ceac03d700038f46d9ec4efd38b5154fbf29e3f0

SHA256
607b652e527b63d011f2d8d096f4fd7ff7d811954f1a277045ef3672a0e96e3d

SHA512
143a143f94a9675087c331e535aa6c828c8250e2a3dd1c8b5679f42c5d3a7def4a41715e3de42599a20b4e72e88f3973d0a580d716b795dc8f2bbf1d9035d5d2

Download Submit
C:\Users\Admin\AppData\Local\yycueteg\hfthotkw.exe

Filesize
76KB

MD5
b2d9008940c1422c0619e9b6e14bd22a

SHA1
eb23a9f00b2e9d8405f721451daf2f6294664d87

SHA256
e7ce36fdd8cbb0e5a9b2ceefa59cc3960cb2c01436af9bd9a7650d9f5096376a

SHA512
151ae83bf582bf4385c8064c854e153e64b8634f502896158e67e39835d386dcdd966a071082ef6d237dc6a1fb5099d89fd21bfdd051835fd3f6b92253654036

Download Submit
\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe

Filesize
104KB

MD5
02db6c6dd0119ae4dd092c95269ef0fa

SHA1
0c847bd4af6ef9eb9da384374fb70117be59150d

SHA256
1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee

SHA512
b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b

Download Submit
memory/2076-4-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/2076-81-0x0000000002A50000-0x0000000002A8A000-memory.dmp

Filesize
232KB

Download
memory/2076-80-0x0000000002A50000-0x0000000002A8A000-memory.dmp

Filesize
232KB

Download
memory/2076-79-0x0000000002A50000-0x0000000002A8A000-memory.dmp

Filesize
232KB

Download
memory/2076-1-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2076-78-0x0000000002A50000-0x0000000002A8A000-memory.dmp

Filesize
232KB

Download
memory/2076-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2076-6-0x00000000777DF000-0x00000000777E0000-memory.dmp

Filesize
4KB

Download
memory/2076-7-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/2076-53-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/2076-77-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2076-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2076-0-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2192-90-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2192-88-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2192-87-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2192-85-0x0000000000400000-0x0000000000439CD4-memory.dmp

Filesize
231KB

Download
memory/2764-61-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-54-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-58-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-63-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-62-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-100-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-60-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-59-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-57-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-56-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-55-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-91-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-99-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-98-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-96-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-95-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-28-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-43-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-44-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-50-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-34-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-94-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2764-92-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2812-24-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2812-11-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2812-15-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2812-20-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2812-9-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2812-23-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2812-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2812-21-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2812-19-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download