ramnit | 06c42ae4f07296f930276bcb954c352ea20ec3ddb756accd1c0b7c57ed6af8ed

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
Size

7.0MB
MD5

61a91fd5c7263dee33d275e148c2ac21
SHA1

01b0cd6f83f4dd3e1bfde42b61dd458300deba31
SHA256

06c42ae4f07296f930276bcb954c352ea20ec3ddb756accd1c0b7c57ed6af8ed
SHA512

6dd1fac095165fada5e007dd919278de31546643cb4e7d9c66f2056cc8fe23a5e140d35d2e17b02ed8b8542ab20c851a13b43bf1fc99017f1b20c9abf7f7618c
SSDEEP

98304:nx+y15ZDif5PYXVGx4QjLwAcSjpyZGarJZzDfonvbkZDw3KAGxxmXxZBKFVlX:bbDif5wEx5jBfwGuYUxmxG

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
UPX dump on OEP (original entry point) 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1960-11-0x0000000000400000-0x0000000000432000-memory.dmp UPX
behavioral1/memory/1960-17-0x0000000000400000-0x0000000000432000-memory.dmp UPX
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exesetup.exesetup.tmpwicreset.exe

pid process

1960 2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
1424 setup.exe
2540 setup.tmp
2472 wicreset.exe

resource	yara_rule
behavioral1/memory/1960-11-0x0000000000400000-0x0000000000432000-memory.dmp	UPX
behavioral1/memory/1960-17-0x0000000000400000-0x0000000000432000-memory.dmp	UPX

pid	process
1960	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
1424	setup.exe
2540	setup.tmp
2472	wicreset.exe

Loads dropped DLL 9 IoCs

Processes:

2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exesetup.exesetup.tmp

pid	process
1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
1960	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
1960	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
1424	setup.exe
2540	setup.tmp
2540	setup.tmp
2540	setup.tmp

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/1960-11-0x0000000000400000-0x0000000000432000-memory.dmp upx
behavioral1/memory/1960-17-0x0000000000400000-0x0000000000432000-memory.dmp upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

resource	yara_rule
behavioral1/memory/1960-11-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1960-17-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\WicReset\is-1F117.tmp	setup.tmp
File created	C:\Program Files (x86)\WicReset\is-80IOR.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\WicReset\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\WicReset\wicreset.exe	setup.tmp
File created	C:\Program Files (x86)\WicReset\unins000.dat	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3020 1960 WerFault.exe 2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

setup.tmp

pid process

2540 setup.tmp
2540 setup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.tmp

pid process

2540 setup.tmp
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exewicreset.exe

pid process

1988 2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
1988 2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
2472 wicreset.exe
2472 wicreset.exe

pid	pid_target	process	target process
3020	1960	WerFault.exe	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe

pid	process
2540	setup.tmp
2540	setup.tmp

pid	process
2540	setup.tmp

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exesetup.exesetup.tmp

description	pid	process	target process
PID 1988 wrote to memory of 1960	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
PID 1988 wrote to memory of 1960	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
PID 1988 wrote to memory of 1960	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
PID 1988 wrote to memory of 1960	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1988 wrote to memory of 1424	1988	2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe	setup.exe
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 1424 wrote to memory of 2540	1424	setup.exe	setup.tmp
PID 2540 wrote to memory of 2472	2540	setup.tmp	wicreset.exe
PID 2540 wrote to memory of 2472	2540	setup.tmp	wicreset.exe
PID 2540 wrote to memory of 2472	2540	setup.tmp	wicreset.exe
PID 2540 wrote to memory of 2472	2540	setup.tmp	wicreset.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnit.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 180
3⤵
- Program crash
PID:3020

C:\Users\Admin\AppData\Roaming\wicreset\temp\setup.exe
"C:\Users\Admin\AppData\Roaming\wicreset\temp/setup.exe" /VERYSILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\is-4COPI.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4COPI.tmp\setup.tmp" /SL5="$20382,2664001,121344,C:\Users\Admin\AppData\Roaming\wicreset\temp\setup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2540

C:\Program Files (x86)\WicReset\wicreset.exe
"C:\Program Files (x86)\WicReset\wicreset.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-06-30_61a91fd5c7263dee33d275e148c2ac21_magniber_poet-rat_ramnitmgr.exe
Filesize
157KB

MD5
2ad7467eeceedd64b8bd4f6e04c3cd49

SHA1
d6c5d9878dc49ae9b531d61283609e207154a921

SHA256
2aab17b2f18dfb70cd737b27b1a438ad8878889070a6e025b3684483054f60c9

SHA512
7a647d4a8de90d11cd5afb82ace8354869af0893f28afcf9491d1d4de421315d9a394a5d3462d88c0eff6c5a7a4ed41897d8d0498b59b4b7428ddbb61786be2a

Download Submit
C:\Users\Admin\AppData\Roaming\wicreset\application.log
Filesize
137B

MD5
a68f94ff9cb515783f2edb764421179b

SHA1
8b3b7aab2587d7c42452e324a19f1001a322cb8b

SHA256
2cf99d3bef266852423a81c880ec224c6603b7195ffc7a7ac8727d0abbe54263

SHA512
79a5df30f3c303977e35f480c4588743dffb1582e953b39799838184f57b87dfaa73241697166ff4336ba5200778f24b29b8c04b1293a4d173b516fc1091b918

Download Submit
\Program Files (x86)\WicReset\unins000.exe
Filesize
1.2MB

MD5
58e7080d8b85ef01176f748beac723da

SHA1
04ce918ba3ac88ceadc4635e6401bf40d5ffb71a

SHA256
95eb04331863353260f569ab50e86e5cbefe72022914ff1a15e9747af5552c06

SHA512
1b69d208c3a7000a1118f4164a0b34adc7814536c366fe7131bf74dea3f2c0a27d18bfc4084498f81ce467e6e75730b82173917d2acf1ba2fa0bb9a002788579

Download Submit
\Program Files (x86)\WicReset\wicreset.exe
Filesize
7.1MB

MD5
e0b28c2c8f2da461107a3f7ce4926db1

SHA1
1227f2244e1b6e2bef80255995f542487b36af8f

SHA256
40a3a679821a785f315b7cc954463712dc63dae2f4a2642f3bd50214b8dc1960

SHA512
158d36e5449aa0f6dd6fcd91207fa287bec9de91b2b071073ac22ed4c378f3c9b799780aa6492322d6664d8d37e3ca1be1a41b6669ef1fb22908a03b004e12e3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4COPI.tmp\setup.tmp
Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Local\Temp\~TM10C3.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM10D3.tmp
Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Roaming\wicreset\temp\setup.exe
Filesize
2.9MB

MD5
a3bf50d833f10e1f976fa5e72997f45f

SHA1
9c3ca9415074eb1be0bee075fe914dea110a5b0f

SHA256
483f2613f51e072fd645b047ae9311c6b6605a466ef81e05ffc0c04cb6e9f191

SHA512
8a1046adbee34609a1a41d7427f6d4d4c928e82284b81b455c966f0a4a9a83e39b595a18c89b871447b2a0516c176b1fa9fee3354536aca6a0bfa6ecc156fe4e

Download Submit
memory/1424-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1424-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1424-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1960-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1960-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-34-0x0000000001060000-0x000000000178E000-memory.dmp

Filesize
7.2MB

Download
memory/1988-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-8-0x0000000001060000-0x000000000178E000-memory.dmp

Filesize
7.2MB

Download
memory/2540-55-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download