ramnit | 35baf27fd781c9a61e35c7ab6876a8b0ab1d9e955684eeb2125306e9e4c5058c

Analysis

max time kernel
3s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c637afe2b5b7c2eaa54f6c8fec6f619.exe
Size

400KB
MD5

3c637afe2b5b7c2eaa54f6c8fec6f619
SHA1

243880b0a824f4e79a1886c47f28d9f92f62a92f
SHA256

35baf27fd781c9a61e35c7ab6876a8b0ab1d9e955684eeb2125306e9e4c5058c
SHA512

00f3758ac5f8b399b0253b38b73463fb117d01992bac91feeee4656531fc8651e5904e37fc54fd5952729e633991281f457dec85ba5bf12315a74f859d0da3e8
SSDEEP

6144:Qy+WiBQDdCxKHsEbBv4oCTsJTcpWJ+L+EJbc+iN:D+ZBQxCAMEbBgoCTMAp9iEPiN

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
2740	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe
1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe
2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-13-0x0000000000400000-0x0000000000428E39-memory.dmp	upx
behavioral1/memory/2880-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2880-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-458-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-462-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px147A.tmp	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	WaterMark.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe
1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
2740	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2880	1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe	18
PID 1680 wrote to memory of 2880	1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe	18
PID 1680 wrote to memory of 2880	1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe	18
PID 1680 wrote to memory of 2880	1680	3c637afe2b5b7c2eaa54f6c8fec6f619.exe	18
PID 2880 wrote to memory of 2740	2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe	16
PID 2880 wrote to memory of 2740	2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe	16
PID 2880 wrote to memory of 2740	2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe	16
PID 2880 wrote to memory of 2740	2880	3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe	16
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2640	2740	WaterMark.exe	17
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31
PID 2740 wrote to memory of 2400	2740	WaterMark.exe	31

C:\Users\Admin\AppData\Local\Temp\3c637afe2b5b7c2eaa54f6c8fec6f619.exe
"C:\Users\Admin\AppData\Local\Temp\3c637afe2b5b7c2eaa54f6c8fec6f619.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
  C:\Users\Admin\AppData\Local\Temp\3c637afe2b5b7c2eaa54f6c8fec6f619mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2880

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2640
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-10-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/1680-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1680-12-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/1680-286-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/1680-287-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1680-290-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/2400-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2400-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2400-90-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2400-93-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2400-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2400-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2400-118-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/2400-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2400-85-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2640-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-459-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2640-68-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2640-65-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2640-63-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2640-46-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2740-39-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2740-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-462-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-458-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-72-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2740-44-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2740-84-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2740-31-0x0000000000400000-0x0000000000428E39-memory.dmp

Filesize
163KB

Download
memory/2740-308-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2740-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-13-0x0000000000400000-0x0000000000428E39-memory.dmp

Filesize
163KB

Download
memory/2880-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-15-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2880-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2880-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download