ramnit | 46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8

General

Target

46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll
Size

444KB
MD5

b4aeda6e33b22221e1fb077eae961960
SHA1

3db02fd2ef363f9344672ae7c4f5139a8c7eee36
SHA256

46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8
SHA512

373b1a5bdd6ac24b9d601de40c93b583a734c771576a6741519faba1f81b40f366b79a4389ad2cb73e4cf02b55b1e67709fa0f2a27caae26fc6f554d1ab3e618
SSDEEP

12288:iehnaNPpSVZmNxRCwnwm3W3OHIIf5amBUFCWi2:ieh0PpS6NxNnwYeOHX1UgH2

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2056	rundll32mgr.exe
5084	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2056-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5084-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5084-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2056-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5084-37-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5084-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5084-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxABB1.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2644	2148	WerFault.exe	88
5028	1312	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{626E00D5-BDAA-11EF-B9B6-FAA11E730504} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440734378"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe
5084	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2392	iexplore.exe
2392	iexplore.exe
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2056	rundll32mgr.exe
5084	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1312	4980	rundll32.exe	83
PID 4980 wrote to memory of 1312	4980	rundll32.exe	83
PID 4980 wrote to memory of 1312	4980	rundll32.exe	83
PID 1312 wrote to memory of 2056	1312	rundll32.exe	84
PID 1312 wrote to memory of 2056	1312	rundll32.exe	84
PID 1312 wrote to memory of 2056	1312	rundll32.exe	84
PID 2056 wrote to memory of 5084	2056	rundll32mgr.exe	86
PID 2056 wrote to memory of 5084	2056	rundll32mgr.exe	86
PID 2056 wrote to memory of 5084	2056	rundll32mgr.exe	86
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 2148	5084	WaterMark.exe	88
PID 5084 wrote to memory of 3444	5084	WaterMark.exe	93
PID 5084 wrote to memory of 3444	5084	WaterMark.exe	93
PID 5084 wrote to memory of 2392	5084	WaterMark.exe	94
PID 5084 wrote to memory of 2392	5084	WaterMark.exe	94
PID 2392 wrote to memory of 2632	2392	iexplore.exe	96
PID 2392 wrote to memory of 2632	2392	iexplore.exe	96
PID 2392 wrote to memory of 2632	2392	iexplore.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\46dc3fd59d5ddea1430ebc0f156920bf657e16e47ded79368c5b8985442b4ae8N.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 204
        6⤵
        Program crash
        
        PID:2644
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        
        PID:3444
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 608
    3⤵
    - Program crash
    PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1312 -ip 1312
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2148 -ip 2148
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
60KB

MD5
94f2f6ffbba8e7644668b51b39983916

SHA1
63357bbdf90101969117983dbc0d4ed0e713c4d7

SHA256
ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

SHA512
d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

Download Submit
memory/1312-1-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/1312-35-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/2056-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-5-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2056-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2056-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-25-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2056-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2056-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2148-33-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2148-34-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/5084-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5084-32-0x0000000077CA2000-0x0000000077CA3000-memory.dmp

Filesize
4KB

Download
memory/5084-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5084-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5084-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5084-36-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5084-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5084-39-0x0000000077CA2000-0x0000000077CA3000-memory.dmp

Filesize
4KB

Download
memory/5084-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing