ramnit | 9ac30e8cd469b32168786c2448c8f196debfbb111a6def172f36b4d64787f93e

General

Target

9ac30e8cd469b32168786c2448c8f196debfbb111a6def172f36b4d64787f93e.dll
Size

388KB
MD5

20d11451f2c1dafb5023993e397f9a80
SHA1

5be6f1bece4a0422adb05f27e1c214feba093554
SHA256

9ac30e8cd469b32168786c2448c8f196debfbb111a6def172f36b4d64787f93e
SHA512

3307f8969cfc67ee66349e1db742bb890c374facb1757bf1b82c38b6f66bcd5ba9badcd232903dbecccf29cd71520cc30dbea0769b2d2b1e3a11c043ec686c80
SSDEEP

6144:uIrIshB5Esv4ULo6bVGTraIYteLLqsOQ9jUG9+45Vrr58/YVGqq0IjeF7KtB:frIshbtv4ULTZGPysOGL5Nd0lL0jI

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1552	rundll32Srv.exe
1608	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122f0-56.dat	upx
behavioral1/files/0x000b0000000122f0-58.dat	upx
behavioral1/files/0x000b0000000122f0-60.dat	upx
behavioral1/files/0x000a0000000122f7-62.dat	upx
behavioral1/files/0x000a0000000122f7-65.dat	upx
behavioral1/memory/1552-64-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1608-69-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1504	rundll32.exe
1552	rundll32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFCB7.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
948	1504	WerFault.exe	28

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1576 wrote to memory of 1504	1576	rundll32.exe	28
PID 1504 wrote to memory of 1552	1504	rundll32.exe	29
PID 1504 wrote to memory of 1552	1504	rundll32.exe	29
PID 1504 wrote to memory of 1552	1504	rundll32.exe	29
PID 1504 wrote to memory of 1552	1504	rundll32.exe	29
PID 1504 wrote to memory of 948	1504	rundll32.exe	30
PID 1504 wrote to memory of 948	1504	rundll32.exe	30
PID 1504 wrote to memory of 948	1504	rundll32.exe	30
PID 1504 wrote to memory of 948	1504	rundll32.exe	30
PID 1552 wrote to memory of 1608	1552	rundll32Srv.exe	31
PID 1552 wrote to memory of 1608	1552	rundll32Srv.exe	31
PID 1552 wrote to memory of 1608	1552	rundll32Srv.exe	31
PID 1552 wrote to memory of 1608	1552	rundll32Srv.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ac30e8cd469b32168786c2448c8f196debfbb111a6def172f36b4d64787f93e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ac30e8cd469b32168786c2448c8f196debfbb111a6def172f36b4d64787f93e.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 232
    3⤵
    - Program crash
    PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1504-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1504-67-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/1504-68-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download
memory/1552-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1608-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing