ramnit | d63e2c3f4ccd7d0048f50e7fb6bac25bb9bb79e21452e552c83f2d98a4fa46ab

General

Target

ptu621.exe
Size

5.0MB
MD5

516e4e61cf92a3d6b17ad2c181c2a939
SHA1

3f3f81dea9779a5d9d8478b0386867ccbe17d450
SHA256

3cb1389aa245b496d15d20d25fcefa35f35f85744413205e90caa78f0805902c
SHA512

143e0372ca5ca9c7197d4de69f595fb5b13d517db424331737274b252f16f4cec7490956d08618fcd823f9a9b42e95a7f0439c01a032568722dc864f2b3df71e
SSDEEP

98304:RUxt0mBCcZbMMWl7ZSnSC/Ao4f2uZE+2N3wALB2QviKo8D5yEg9yUPvnoh8dKjn8:uEA7YURz4RZEL3Z2ElcTywrdKj7KNQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

ptu621Srv.exe

pid process

2752 ptu621Srv.exe
Loads dropped DLL 1 IoCs

Processes:

ptu621.exe

pid process

2748 ptu621.exe

pid	process
2752	ptu621Srv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ptu621Srv.exe	upx
behavioral1/memory/2748-4-0x0000000000400000-0x0000000000CA5000-memory.dmp	upx
behavioral1/memory/2752-7-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2752-11-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2748-24-0x0000000000400000-0x0000000000CA5000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

ptu621Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px78F.tmp	ptu621Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ptu621Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ptu621Srv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ptu621.exe

pid process

2748 ptu621.exe

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

ptu621.exe

pid	process
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe
2748	ptu621.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ptu621.exe

description pid process

Token: SeDebugPrivilege 2748 ptu621.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ptu621.exe

pid process

2748 ptu621.exe
2748 ptu621.exe

description	pid	process
Token: SeDebugPrivilege	2748	ptu621.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ptu621.exe

description	pid	process	target process
PID 2748 wrote to memory of 2752	2748	ptu621.exe	ptu621Srv.exe
PID 2748 wrote to memory of 2752	2748	ptu621.exe	ptu621Srv.exe
PID 2748 wrote to memory of 2752	2748	ptu621.exe	ptu621Srv.exe
PID 2748 wrote to memory of 2752	2748	ptu621.exe	ptu621Srv.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 388	2748	ptu621.exe	wininit.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 400	2748	ptu621.exe	csrss.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 436	2748	ptu621.exe	winlogon.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 480	2748	ptu621.exe	services.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 496	2748	ptu621.exe	lsass.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 504	2748	ptu621.exe	lsm.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 600	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 676	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 752	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe
PID 2748 wrote to memory of 824	2748	ptu621.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:824

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:348

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1060

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2132

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2300

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\ptu621.exe
"C:\Users\Admin\AppData\Local\Temp\ptu621.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
C:\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2752

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ptu621Srv.exe
Filesize
74KB

MD5
cb458dd109a10f16c430dee34464cd8f

SHA1
1bc955db0463913cc7d0434c2318c9f2202240e0

SHA256
21aa1977c0d7d0404f97515d87d6f26f3f2c2b01d054be6056d119d33d3856e3

SHA512
5321f11d92150fdb07f94092fa97fe88bd45714237e4ba245b7f5fbfd4425857fa8d242858d4fd038d77ee7644d276dfb63b7403469ddaf1b53879f391c3f490

Download Submit
memory/2748-4-0x0000000000400000-0x0000000000CA5000-memory.dmp

Filesize
8.6MB

Download
memory/2748-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2748-14-0x00000000775DF000-0x00000000775E0000-memory.dmp

Filesize
4KB

Download
memory/2748-13-0x00000000775E0000-0x00000000775E1000-memory.dmp

Filesize
4KB

Download
memory/2748-22-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2748-23-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2748-24-0x0000000000400000-0x0000000000CA5000-memory.dmp

Filesize
8.6MB

Download
memory/2748-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-12-0x000000007EFA0000-0x000000007EFA9000-memory.dmp

Filesize
36KB

Download
memory/2752-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads