ramnit | c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f

Analysis

max time kernel
629s
max time network
637s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
Size

464KB
MD5

5ff1999425fe352ee7fe4d1eb995a2fe
SHA1

2cb44adb130a1316010cee3e54dbbc432f40d807
SHA256

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f
SHA512

58bb4d99c717a52fe7cd516eb6a1db45428e666788742d452eae902a80391ccb8249f40bd05a2c2f79826d0c744859e8b2c85e0d4578867cf2ff5ab6acceb4f1
SSDEEP

6144:5Sl3cEjScqKbDFrXNAvJ3BEXDhI0ifpxzxGqW7qcRa9Br7ierTrD9f5jxZ8YFYZH:QlsEGZK1SB30mRG9mcrefJ1bXCtsdu

Score

10^/10

ramnit 9 ��banker execution persistence spyware stealer trojan worm

Malware Config

Extracted

Family

ramnit

Botnet

coolinrek.eu:443

Attributes

campaign_timestamp
1.512372688e+09
compile_timestamp
1.507285437e+09
dga_seed
2.559241794e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Extracted

Family

ramnit

Botnet

��

coolinrek.eu:443

Attributes

campaign_timestamp
1.512372688e+09
compile_timestamp
1.507285437e+09
dga_seed
2.559241794e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

Deletes itself 1 IoCs

Processes:

wmplayer.exe

pid process

4092 wmplayer.exe
Loads dropped DLL 1 IoCs

Processes:

wmplayer.exe

pid process

4092 wmplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asovkydn = "C:\\Users\\Admin\\AppData\\Roaming\\asovkydn\\pfnxswby.vbs"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

description	pid	process	target process
PID 3152 set thread context of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 set thread context of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3740 powershell.exe
Modifies registry class 1 IoCs

Processes:

wmplayer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings wmplayer.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\asovkydn\iygiuyme.exe:Zone.Identifier cmd.exe

pid	process
3740	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	wmplayer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\asovkydn\iygiuyme.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmplayer.exepowershell.exe

pid	process
4092	wmplayer.exe
4092	wmplayer.exe
3740	powershell.exe
3740	powershell.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe
4092	wmplayer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

pid process

3152 c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

pid	process
3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exewmplayer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
Token: SeSecurityPrivilege	4092	wmplayer.exe
Token: SeDebugPrivilege	4092	wmplayer.exe
Token: SeRestorePrivilege	4092	wmplayer.exe
Token: SeBackupPrivilege	4092	wmplayer.exe
Token: SeDebugPrivilege	4092	wmplayer.exe
Token: SeDebugPrivilege	3740	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exewmplayer.exepowershell.exe

description	pid	process	target process
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 3152 wrote to memory of 4092	3152	c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe	wmplayer.exe
PID 4092 wrote to memory of 1900	4092	wmplayer.exe	WScript.exe
PID 4092 wrote to memory of 1900	4092	wmplayer.exe	WScript.exe
PID 4092 wrote to memory of 1900	4092	wmplayer.exe	WScript.exe
PID 4092 wrote to memory of 3740	4092	wmplayer.exe	powershell.exe
PID 4092 wrote to memory of 3740	4092	wmplayer.exe	powershell.exe
PID 4092 wrote to memory of 3740	4092	wmplayer.exe	powershell.exe
PID 3740 wrote to memory of 2160	3740	powershell.exe	cmd.exe
PID 3740 wrote to memory of 2160	3740	powershell.exe	cmd.exe
PID 3740 wrote to memory of 2160	3740	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe
"C:\Users\Admin\AppData\Local\Temp\c191595a7ab6af9541dadd4b6544c9b65a9e5fa76f49836d1f3fc28a50c0459f.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\asovkydn\wlunnrst.vbs"
    3⤵
    - Adds Run key to start application
    PID:1900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -File C:\Users\Admin\AppData\Roaming\asovkydn\lxjvjhvg.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c echo.>C:\Users\Admin\AppData\Roaming\asovkydn\iygiuyme.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1w1qakg.5ti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM3902.tmp

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Local\hitynawj.log

Filesize
28B

MD5
b150a7db3c24b5ebc0f8534a3e57aa0e

SHA1
5af4a53faa6cc2457b63b26766cb5da7dc07f1bd

SHA256
d9cff8fe1bdbef1cc46aa54ad16ec006e2cf07765802352169b35fd80e06e734

SHA512
4dc07b6c76bf29f5523070cc35626d38857ad71999997b6bdfb866c90919cd96451778a9968a59b082b99743c0af7891da2a3fc2c13cc51acdb0b3b98f000e9e

Download Submit
C:\Users\Admin\AppData\Roaming\asovkydn\iygiuyme.exe:Zone.Identifier

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\asovkydn\lxjvjhvg.ps1

Filesize
83B

MD5
7a2d1e2bfe89e26e6a27995f89820c6f

SHA1
a8d8c0c6de69d1b3b373e6c6f80913b3488a73f8

SHA256
ecafd7ae9d996f0ee057463c284b92137490c19b4061b269be0a035e0b1b3592

SHA512
27eee429709f8ee682a771839c7dcc0f907cf592e16bc0e069c340dec2bbbea79db89559d1a97c4c4b9ed6084f110c119c175caa81d6ab9c3ef4c24eb9d22315

Download Submit
C:\Users\Admin\AppData\Roaming\asovkydn\wlunnrst.vbs

Filesize
193B

MD5
925953129e9bb5fedebf21f20d213bd9

SHA1
bae5f72c65a56c1b90c06c0efeefbeb19308eb30

SHA256
6a1cdbd0ef4bec2f9b04546999d5b69e8a93b9821c40fecb69427151f11776e5

SHA512
663a46f05f9913ec73f91dd0f9f7b5b4b136b2c39a64327c676c373992705710092d13073dc68c65a7231ce6f7a076cf032192506ddbf88a49adcac1bf6a69d3

Download Submit
memory/3152-0-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3152-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3152-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3152-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3740-74-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/3740-73-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/3740-84-0x00000000735E0000-0x0000000073D90000-memory.dmp

Filesize
7.7MB

Download
memory/3740-56-0x00000000735EE000-0x00000000735EF000-memory.dmp

Filesize
4KB

Download
memory/3740-62-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3740-63-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/3740-61-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/3740-60-0x00000000735E0000-0x0000000073D90000-memory.dmp

Filesize
7.7MB

Download
memory/3740-59-0x00000000735E0000-0x0000000073D90000-memory.dmp

Filesize
7.7MB

Download
memory/3740-58-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/3740-75-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/3740-57-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/4092-34-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-78-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-32-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-35-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-36-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-43-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-44-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-45-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-37-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-38-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-40-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-29-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-12-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-16-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-8-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-5-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-77-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-33-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-4-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/4092-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4092-85-0x00000000776DB000-0x00000000776DC000-memory.dmp

Filesize
4KB

Download
memory/4092-86-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-92-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-96-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-99-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-101-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-103-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-108-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-112-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-116-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-118-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-121-0x0000000000BF0000-0x0000000000C31000-memory.dmp

Filesize
260KB

Download
memory/4092-2-0x00000000776DB000-0x00000000776DC000-memory.dmp

Filesize
4KB

Download