ramnit | b0e45d876cc2fc0a765751b702fdc17d2ad988ddd952a6d89488b6a990f66688

Analysis

max time kernel
31s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 12:06

Target

b0e45d876cc2fc0a765751b702fdc17d2ad988ddd952a6d89488b6a990f66688.dll
Size

343KB
MD5

6e031acf4ce416b67dea18edbbd88461
SHA1

f5ca5ff56727f3d200a1d2b3b4ae3df687d798ad
SHA256

b0e45d876cc2fc0a765751b702fdc17d2ad988ddd952a6d89488b6a990f66688
SHA512

9f98747f074f5b5dde22b5f2791d15f80e6a891f60f68a6a00d7c04ced4feb7344eb7ab98269d7786fadfad19a76bca18d703b9ce75a522f832801ff74d1b519
SSDEEP

6144:xFrjLy96lDP1j0k+d7k23B2dz5LR84dSlFVTSETWhdcbzyqoN9jM0eYxtPri:xFhP+d7d3wHR84MyEFbzyTNpM92t

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1772	rundll32Srv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/1772-63-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1948-62-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1948	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	1948	WerFault.exe	28

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1960 wrote to memory of 1948	1960	rundll32.exe	28
PID 1948 wrote to memory of 1772	1948	rundll32.exe	29
PID 1948 wrote to memory of 1772	1948	rundll32.exe	29
PID 1948 wrote to memory of 1772	1948	rundll32.exe	29
PID 1948 wrote to memory of 1772	1948	rundll32.exe	29
PID 1948 wrote to memory of 1744	1948	rundll32.exe	30
PID 1948 wrote to memory of 1744	1948	rundll32.exe	30
PID 1948 wrote to memory of 1744	1948	rundll32.exe	30
PID 1948 wrote to memory of 1744	1948	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0e45d876cc2fc0a765751b702fdc17d2ad988ddd952a6d89488b6a990f66688.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0e45d876cc2fc0a765751b702fdc17d2ad988ddd952a6d89488b6a990f66688.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 240
    3⤵
    - Program crash
    PID:1744

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1772-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1948-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1948-61-0x0000000066E00000-0x0000000066E5C000-memory.dmp

Filesize
368KB

Download
memory/1948-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1948-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download