ramnit | 7c33ba919601a74d1b8f466c4c4085571e0594869ced36a31215dfa2c44b8457

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291a03f237fe743e035176ad357447a5_JaffaCakes118.dll
Size

151KB
MD5

291a03f237fe743e035176ad357447a5
SHA1

a00da3fc2f027dd4b4c62948b924913edba01052
SHA256

7c33ba919601a74d1b8f466c4c4085571e0594869ced36a31215dfa2c44b8457
SHA512

ff8163098b7c65c1fb3993f3d7eb926335e004fbd0b7da6dc392d413e5c20742a64a38a44543d3229f66bc973452b07c6bd18b7e423a2a0d465b86dd4a22d6ec
SSDEEP

3072:Lo3WZFcOaU151ihucggqEzy03AtqHZhuKLR5Apeb2:rZFcS5uu70QtsRLR+eb

Score

10^/10

ramnit banker defense_evasion evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\eufeqkkw\\mbwqbntk.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbwqbntk.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbwqbntk.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	dg4Ef43
2348	eguldlkrafrlgrla.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1796	rundll32.exe
1796	rundll32.exe
2320	dg4Ef43
2320	dg4Ef43
2320	dg4Ef43
2320	dg4Ef43

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MbwQbntk = "C:\\Users\\Admin\\AppData\\Local\\eufeqkkw\\mbwqbntk.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe
2836	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2320	dg4Ef43
Token: SeDebugPrivilege	2320	dg4Ef43
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2836	svchost.exe
Token: SeDebugPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	2348	eguldlkrafrlgrla.exe
Token: SeLoadDriverPrivilege	2348	eguldlkrafrlgrla.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe
Token: SeBackupPrivilege	2836	svchost.exe
Token: SeRestorePrivilege	2836	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 2064 wrote to memory of 1796	2064	rundll32.exe	29
PID 1796 wrote to memory of 2320	1796	rundll32.exe	30
PID 1796 wrote to memory of 2320	1796	rundll32.exe	30
PID 1796 wrote to memory of 2320	1796	rundll32.exe	30
PID 1796 wrote to memory of 2320	1796	rundll32.exe	30
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2708	2320	dg4Ef43	31
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2836	2320	dg4Ef43	32
PID 2320 wrote to memory of 2348	2320	dg4Ef43	33
PID 2320 wrote to memory of 2348	2320	dg4Ef43	33
PID 2320 wrote to memory of 2348	2320	dg4Ef43	33
PID 2320 wrote to memory of 2348	2320	dg4Ef43	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\291a03f237fe743e035176ad357447a5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\291a03f237fe743e035176ad357447a5_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\dg4Ef43
    "dg4Ef43"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Impair Defenses: Safe Mode Boot
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\eguldlkrafrlgrla.exe
      "C:\Users\Admin\AppData\Local\Temp\eguldlkrafrlgrla.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\dg4Ef43

Filesize
96KB

MD5
254e4fa9c285f829b8134f470bbd08b9

SHA1
c6198611124c86c8d13204bd84c20fa41f8a9f20

SHA256
c271fd76007d951f28e3fa435d543530c4a6adaf1ad928841ffc99767da5ce57

SHA512
f5d1aa083731b410cc2dd9eacab10c065ee4ea7ecb56ce74dafc68439451254649b6d0db60626f7f6a9eae8ca65b94fd73d86eb75793fb647e6f7e0804b128e9

Download Submit
memory/1796-10-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1796-2-0x0000000064140000-0x0000000064176000-memory.dmp

Filesize
216KB

Download
memory/1796-1-0x0000000064140000-0x0000000064176000-memory.dmp

Filesize
216KB

Download
memory/1796-0-0x0000000064140000-0x0000000064176000-memory.dmp

Filesize
216KB

Download
memory/2320-14-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2320-17-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2320-16-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2320-88-0x00000000027E0000-0x000000000281B000-memory.dmp

Filesize
236KB

Download
memory/2320-79-0x00000000027D0000-0x000000000280B000-memory.dmp

Filesize
236KB

Download
memory/2320-12-0x0000000000400000-0x000000000043A21C-memory.dmp

Filesize
232KB

Download
memory/2320-90-0x0000000000400000-0x000000000043A21C-memory.dmp

Filesize
232KB

Download
memory/2320-86-0x00000000027E0000-0x000000000281B000-memory.dmp

Filesize
236KB

Download
memory/2348-96-0x0000000000400000-0x000000000043A21C-memory.dmp

Filesize
232KB

Download
memory/2348-91-0x0000000000400000-0x000000000043A21C-memory.dmp

Filesize
232KB

Download
memory/2708-19-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2708-38-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2708-29-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2708-30-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2708-31-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2708-25-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2708-21-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2836-48-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2836-62-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-67-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-60-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-52-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-53-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-42-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-35-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-97-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-98-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-99-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-100-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-101-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-102-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-103-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-104-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-105-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2836-106-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download