ramnit | c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f

Analysis

max time kernel
630s
max time network
617s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
Size

464KB
MD5

5ff1999425fe352ee7fe4d1eb995a2fe
SHA1

2cb44adb130a1316010cee3e54dbbc432f40d807
SHA256

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f
SHA512

58bb4d99c717a52fe7cd516eb6a1db45428e666788742d452eae902a80391ccb8249f40bd05a2c2f79826d0c744859e8b2c85e0d4578867cf2ff5ab6acceb4f1
SSDEEP

6144:5Sl3cEjScqKbDFrXNAvJ3BEXDhI0ifpxzxGqW7qcRa9Br7ierTrD9f5jxZ8YFYZH:QlsEGZK1SB30mRG9mcrefJ1bXCtsdu

Score

10^/10

ramnit 9 ��banker execution persistence spyware stealer trojan worm

Malware Config

Extracted

Family

ramnit

Botnet

coolinrek.eu:443

Attributes

campaign_timestamp
1.512372688e+09
compile_timestamp
1.507285437e+09
dga_seed
2.559241794e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Extracted

Family

ramnit

Botnet

��

coolinrek.eu:443

Attributes

campaign_timestamp
1.512372688e+09
compile_timestamp
1.507285437e+09
dga_seed
2.559241794e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

Deletes itself 1 IoCs

Processes:

wmplayer.exe

pid process

1812 wmplayer.exe
Loads dropped DLL 1 IoCs

Processes:

wmplayer.exe

pid process

1812 wmplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\gypetjkd = "C:\\Users\\Admin\\AppData\\Roaming\\gypetjkd\\vlogceio.vbs"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

description	pid	process	target process
PID 1988 set thread context of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 set thread context of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2816 powershell.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\gypetjkd\ofhqejqt.exe:Zone.Identifier cmd.exe

pid	process
2816	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\gypetjkd\ofhqejqt.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmplayer.exepowershell.exe

pid	process
1812	wmplayer.exe
2816	powershell.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe
1812	wmplayer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

pid process

1988 c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

pid	process
1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exewmplayer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
Token: SeSecurityPrivilege	1812	wmplayer.exe
Token: SeDebugPrivilege	1812	wmplayer.exe
Token: SeRestorePrivilege	1812	wmplayer.exe
Token: SeBackupPrivilege	1812	wmplayer.exe
Token: SeDebugPrivilege	1812	wmplayer.exe
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exewmplayer.exepowershell.exe

description	pid	process	target process
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1988 wrote to memory of 1812	1988	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 1812 wrote to memory of 2556	1812	wmplayer.exe	WScript.exe
PID 1812 wrote to memory of 2556	1812	wmplayer.exe	WScript.exe
PID 1812 wrote to memory of 2556	1812	wmplayer.exe	WScript.exe
PID 1812 wrote to memory of 2556	1812	wmplayer.exe	WScript.exe
PID 1812 wrote to memory of 2816	1812	wmplayer.exe	powershell.exe
PID 1812 wrote to memory of 2816	1812	wmplayer.exe	powershell.exe
PID 1812 wrote to memory of 2816	1812	wmplayer.exe	powershell.exe
PID 1812 wrote to memory of 2816	1812	wmplayer.exe	powershell.exe
PID 2816 wrote to memory of 1632	2816	powershell.exe	cmd.exe
PID 2816 wrote to memory of 1632	2816	powershell.exe	cmd.exe
PID 2816 wrote to memory of 1632	2816	powershell.exe	cmd.exe
PID 2816 wrote to memory of 1632	2816	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
"C:\Users\Admin\AppData\Local\Temp\c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gypetjkd\drvvwywj.vbs"
    3⤵
    - Adds Run key to start application
    PID:2556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -File C:\Users\Admin\AppData\Roaming\gypetjkd\rehesoay.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c echo.>C:\Users\Admin\AppData\Roaming\gypetjkd\ofhqejqt.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nouhwkam.log

Filesize
28B

MD5
7c4d59962679d0ad79bb6c716713ea08

SHA1
4e23ea72bdc84ddc83c4a40f2d662522b2197990

SHA256
251f1d2f5c1593cc4607a6c28dfc3f11607918a93681ce3fd79ddb9addc95ee9

SHA512
6dae5b0caf2e25c85c5d72fe8d2f35103ea0b2faeff9a7f223450cf4e444fcfc2a52a42293674423533a9155257129eef1eec4b238db04cc1df20eced698b3b5

Download Submit
C:\Users\Admin\AppData\Roaming\gypetjkd\drvvwywj.vbs

Filesize
193B

MD5
6025dc6983f0d4104727c8ef0f49f52d

SHA1
2657ddbcfefd080b7bc5160f44d75dae1eee787e

SHA256
7d4439d7c00cb10faa33c7866d5eb68eee810f7e2441cabf75ec1007dc12e3d4

SHA512
87e761cdac42dd5187dbfae4202b38ec1fac34bb37866aac6cad658b90e2c1a5a956a4402aaaf4539aa99e20c38f5f6d1ad6d914710d1175d783ed1130d6c5d1

Download Submit
C:\Users\Admin\AppData\Roaming\gypetjkd\ofhqejqt.exe:Zone.Identifier

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\gypetjkd\rehesoay.ps1

Filesize
83B

MD5
2d7646b76444ffef1463831657e8f77e

SHA1
38f78b0f5a3d810989c0775a99c9fd9742e6b455

SHA256
98bbacbc341fda33f481907aa3c0ceda277568c565fdca85f455fb4b10e584ed

SHA512
7d85be11594a4a95eead9c85ff919aee4fe7f4dc72754f7b1ffd74f0aa3502ac112eae08f1b02d3db4e3c9895fcadc4e74a7c165068a6a1038b914daa3ac56db

Download Submit
\Users\Admin\AppData\Local\Temp\~TM16BC.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/1812-44-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-46-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-9-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-6-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-11-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-87-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-15-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-28-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-38-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-36-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-35-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-34-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-42-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-32-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-31-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-85-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-37-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-45-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-33-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-83-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1812-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1812-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1812-59-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-60-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-62-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-65-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-68-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-70-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-72-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-74-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-76-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1812-78-0x00000000001E0000-0x0000000000221000-memory.dmp

Filesize
260KB

Download
memory/1988-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1988-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download