ramnit | db2224fd25fb45150d7033001ff2ea90da3fd56d8a3f1d99f1f3fab14705fe09

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b642633a36a25817bd10003d5d4dea0.exe
Size

100KB
MD5

4b642633a36a25817bd10003d5d4dea0
SHA1

66e64cc788ae62e354596207bf670be4a6882c49
SHA256

db2224fd25fb45150d7033001ff2ea90da3fd56d8a3f1d99f1f3fab14705fe09
SHA512

cc47e3e65fa5aca36a092af0f489574ec157fbae3f6fa06dbb4de4c0e794dc8ce2c4e6286d48d8b32c8b0d457b6ca8e22442e34ef79322a3aa960d30ca8fff94
SSDEEP

3072:gi9cmKEV+l7/qlNPQ6Qpmj2dDqSGVk8jwaaHw7Koj4rDMN0:gicUWrqfPnumjkDqSk

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\lromjllx\\txgytluo.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txgytluo.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txgytluo.exe	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	ldetvnwufpyrmcgb.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	4b642633a36a25817bd10003d5d4dea0.exe
2244	4b642633a36a25817bd10003d5d4dea0.exe
2244	4b642633a36a25817bd10003d5d4dea0.exe
2244	4b642633a36a25817bd10003d5d4dea0.exe
2244	4b642633a36a25817bd10003d5d4dea0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\TxgYtluo = "C:\\Users\\Admin\\AppData\\Local\\lromjllx\\txgytluo.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
484	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2244	4b642633a36a25817bd10003d5d4dea0.exe
Token: SeDebugPrivilege	2244	4b642633a36a25817bd10003d5d4dea0.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2536	ldetvnwufpyrmcgb.exe
Token: SeLoadDriverPrivilege	2536	ldetvnwufpyrmcgb.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2252	2244	4b642633a36a25817bd10003d5d4dea0.exe	15
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2732	2244	4b642633a36a25817bd10003d5d4dea0.exe	14
PID 2244 wrote to memory of 2536	2244	4b642633a36a25817bd10003d5d4dea0.exe	30
PID 2244 wrote to memory of 2536	2244	4b642633a36a25817bd10003d5d4dea0.exe	30
PID 2244 wrote to memory of 2536	2244	4b642633a36a25817bd10003d5d4dea0.exe	30
PID 2244 wrote to memory of 2536	2244	4b642633a36a25817bd10003d5d4dea0.exe	30

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\4b642633a36a25817bd10003d5d4dea0.exe
"C:\Users\Admin\AppData\Local\Temp\4b642633a36a25817bd10003d5d4dea0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\ldetvnwufpyrmcgb.exe
  "C:\Users\Admin\AppData\Local\Temp\ldetvnwufpyrmcgb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lromjllx\txgytluo.exe

Filesize
100KB

MD5
4b642633a36a25817bd10003d5d4dea0

SHA1
66e64cc788ae62e354596207bf670be4a6882c49

SHA256
db2224fd25fb45150d7033001ff2ea90da3fd56d8a3f1d99f1f3fab14705fe09

SHA512
cc47e3e65fa5aca36a092af0f489574ec157fbae3f6fa06dbb4de4c0e794dc8ce2c4e6286d48d8b32c8b0d457b6ca8e22442e34ef79322a3aa960d30ca8fff94

Download Submit
\Users\Admin\AppData\Local\Temp\ldetvnwufpyrmcgb.exe

Filesize
92KB

MD5
8073e92f00b42fc3de60f010e6b4ff0c

SHA1
0004d848bb7d725c2a68516f17943be0bfcfb02f

SHA256
77a435f9eac296f2e5164f5e76342dfa723ebef4958215259451b0f6811de751

SHA512
725d6544655d023bef493f2536443c54486c6ef1dacf47765dc43b76559d1cc599980d93293a4c699ed6f96ad514f8b1b610beae89574f6d5bc6e1fb81306c5e

Download Submit
memory/2244-71-0x0000000002720000-0x000000000275B000-memory.dmp

Filesize
236KB

Download
memory/2244-63-0x0000000002720000-0x000000000275B000-memory.dmp

Filesize
236KB

Download
memory/2244-73-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2244-53-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2244-61-0x0000000002720000-0x000000000275B000-memory.dmp

Filesize
236KB

Download
memory/2244-1-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2244-2-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2244-5-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2244-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2244-6-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2244-7-0x000000007708F000-0x0000000077090000-memory.dmp

Filesize
4KB

Download
memory/2252-21-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2252-12-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2252-16-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2252-20-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2252-28-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2252-22-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2252-25-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2252-26-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2252-10-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2536-75-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2536-77-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2536-80-0x0000000000400000-0x000000000043A608-memory.dmp

Filesize
233KB

Download
memory/2536-78-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2732-45-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-81-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-44-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-35-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-29-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-90-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-89-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-88-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-87-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-86-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-84-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-51-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-82-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-91-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-92-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-93-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-94-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-95-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-96-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-97-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-98-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-99-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2732-100-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download