ramnit | 6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f | Triage

Analysis

max time kernel
898s
max time network
903s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 11:54

Sharing

Report Analysis Logs

General

Target

noname.dll
Size

38KB
MD5

651defc532f0e72be60621696aa97972
SHA1

43176a96322202fc8fd8901c213fde820d005871
SHA256

6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f
SHA512

ce847863f83c21489cddb6faebfc6753903ad55235c82768664fbfd01acfeb2745f6a2dda5b6e9ca2e3292c4b020c13d9b1df148211bd6557267ac23e174bc1b

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe
PID 1092 wrote to memory of 1836	1092	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\noname.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\noname.dll,#1
2⤵
- Drops file in System32 directory
PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1836-54-0x0000000000000000-mapping.dmp

Download
memory/1836-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download