ramnit | 1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d

Analysis

max time kernel
67s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 20:07

Target

1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll
Size

699KB
MD5

6709cc3bb411041f94ef37893a42c75d
SHA1

c80cf20de826434d709f524032c5f8287a3a111a
SHA256

1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d
SHA512

dee11a33e5661334f263a4acdabcf52a8333e27dbe55b8fb567cbaf4532a8afe22749b04003610f7db4e6f6d97a7af93a0e3d14616bd1bb1db5c81ae1933b38a
SSDEEP

12288:3zb9rMfc+CKUQyUmjtc4euuzPrs9pGp8hunWoopooK9kwP20:3zb1MlCKUQyUmjtczu6Prs9pgWoopoo7

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2764	rundll32Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0007000000022f45-134.dat	upx
behavioral2/files/0x0007000000022f45-135.dat	upx
behavioral2/memory/2764-137-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	2764	WerFault.exe	81

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1920	4760	rundll32.exe	80
PID 4760 wrote to memory of 1920	4760	rundll32.exe	80
PID 4760 wrote to memory of 1920	4760	rundll32.exe	80
PID 1920 wrote to memory of 2764	1920	rundll32.exe	81
PID 1920 wrote to memory of 2764	1920	rundll32.exe	81
PID 1920 wrote to memory of 2764	1920	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:2764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 272
      4⤵
      Program crash
      PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2764 -ip 2764
1⤵
PID:2928

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
memory/1920-136-0x0000000005000000-0x00000000050B4000-memory.dmp

Filesize
720KB

Download
memory/2764-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download