ramnit | 6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe
Size

132KB
MD5

027d1367d1a18a1cbdd676a6e29aaa0f
SHA1

29b121128a64b961851cebb856edd919903dae78
SHA256

6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c
SHA512

a96fb9641159039e3bd0091d837290bea7af791f37d85d6ab5df665cf56983620d536338d18d8708c4a3af195ce19f5820040b5404315c23ef25ec35db940953
SSDEEP

3072:F3vO/OHJlTsPKrbJiirDADf0M7arMlPoKNs4/ro:NvLHJ5sPkbgirDgfN75bs

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2136	6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2136-139-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2136	6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	2136	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2136	4736	6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe	79
PID 4736 wrote to memory of 2136	4736	6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe	79
PID 4736 wrote to memory of 2136	4736	6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe	79

C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe
"C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe
  C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 10180
    3⤵
    - Program crash
    PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2136 -ip 2136
1⤵
PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe

Filesize
94KB

MD5
8b5f2036288762602f2916929b1ab9d8

SHA1
351a0157960c3b009a9814a6e8b7f788ba798988

SHA256
55751df54d8d54e5bb8edab83bd57fd599b2e9aa313233d6aa084cde167e6951

SHA512
41a45bd5ff492cf2a01ad156f763854b1d5371d1a41cee4cad977c4ff25a561c1b3fbb067463e2b7278ac6878af139ff7fd695bed1f5883516a70031e9758bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6630737cf87c0b4726a6e566bafc468ae98ba7838c664b383328a203e3a00d6cmgr.exe

Filesize
94KB

MD5
8b5f2036288762602f2916929b1ab9d8

SHA1
351a0157960c3b009a9814a6e8b7f788ba798988

SHA256
55751df54d8d54e5bb8edab83bd57fd599b2e9aa313233d6aa084cde167e6951

SHA512
41a45bd5ff492cf2a01ad156f763854b1d5371d1a41cee4cad977c4ff25a561c1b3fbb067463e2b7278ac6878af139ff7fd695bed1f5883516a70031e9758bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM6ECC.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/2136-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-138-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/2136-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-140-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/4736-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download