ramnit | 8d395b42850b5491949047d0800c22666e378bd3590f9740dcfcbd2a4b161794

Analysis

max time kernel
139s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d395b42850b5491949047d0800c22666e378bd3590f9740dcfcbd2a4b161794.dll
Size

696KB
MD5

3b0a0d3c7ae4ff73067e40596af89f70
SHA1

1b2b1b8db3297e0dd50ceb74470fb50a34684cc2
SHA256

8d395b42850b5491949047d0800c22666e378bd3590f9740dcfcbd2a4b161794
SHA512

09cbf0d3af93ad681f139092abf97bc7da77026f8334bbe712cc0d9441e9af2c1d9122cf03e93ee0c62eb345fa97293846cdce3bd49383ed5346bb0646537711
SSDEEP

12288:XehnaNPpSVZmNxRCwnwm3W3OHIIf5Ut/LbZ/QHBtSY12wpUYUMPik/w:Xeh0PpS6NxNnwYeOHXeZ/Z/EBtlprakI

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1180	rundll32mgr.exe
604	rundll32mgrmgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1180-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1180-70-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/604-75-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1180-77-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1180-78-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1768	rundll32.exe
1768	rundll32.exe
1180	rundll32mgr.exe
1180	rundll32mgr.exe
1180	rundll32mgr.exe
604	rundll32mgrmgr.exe
604	rundll32mgrmgr.exe
1180	rundll32mgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	1768	WerFault.exe	28

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1180	rundll32mgr.exe
604	rundll32mgrmgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 828 wrote to memory of 1768	828	rundll32.exe	28
PID 1768 wrote to memory of 1180	1768	rundll32.exe	29
PID 1768 wrote to memory of 1180	1768	rundll32.exe	29
PID 1768 wrote to memory of 1180	1768	rundll32.exe	29
PID 1768 wrote to memory of 1180	1768	rundll32.exe	29
PID 1180 wrote to memory of 604	1180	rundll32mgr.exe	31
PID 1180 wrote to memory of 604	1180	rundll32mgr.exe	31
PID 1180 wrote to memory of 604	1180	rundll32mgr.exe	31
PID 1180 wrote to memory of 604	1180	rundll32mgr.exe	31
PID 1768 wrote to memory of 1000	1768	rundll32.exe	30
PID 1768 wrote to memory of 1000	1768	rundll32.exe	30
PID 1768 wrote to memory of 1000	1768	rundll32.exe	30
PID 1768 wrote to memory of 1000	1768	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d395b42850b5491949047d0800c22666e378bd3590f9740dcfcbd2a4b161794.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d395b42850b5491949047d0800c22666e378bd3590f9740dcfcbd2a4b161794.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of UnmapMainImage
      PID:604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 228
    3⤵
    - Program crash
    PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
309KB

MD5
d524c613d28ab5264acf742d746914e9

SHA1
c36f7b3b28549bbc611f9cfa33a365ed966d8137

SHA256
c378f8ffe12a93b2f217f78b2e0b86c2a766290f95ea3ffc9b7248103e91ca7a

SHA512
ddc6da5952d14413aaa04e9ae3b9fb49acb18818db67f6b71cd7942d3e52a6eeda9e1b7c910484ce55885b871163fbeea4d254c9d9ad63efe2ecbb526c833064

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
153KB

MD5
b5f135ec53a36d2eeefd6b4461ec2920

SHA1
0f90f0fb7978d6c9f9412ef5940306b710f570dd

SHA256
9249722e370b4171b3506e2acb5215b7be98fc95ea797aeb47da945d6f128902

SHA512
5efbc1c46f7d3799097db91d67221e15c5fa74d3a5eba43759457438b24960378d1515c0427a4e89c6a1a8fa073b9905869c2a99559d3f7f7613e25533eb46e6

Download Submit
\Users\Admin\AppData\Local\Temp\~TM54C5.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM54E5.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM54F5.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Local\Temp\~TM5534.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
309KB

MD5
d524c613d28ab5264acf742d746914e9

SHA1
c36f7b3b28549bbc611f9cfa33a365ed966d8137

SHA256
c378f8ffe12a93b2f217f78b2e0b86c2a766290f95ea3ffc9b7248103e91ca7a

SHA512
ddc6da5952d14413aaa04e9ae3b9fb49acb18818db67f6b71cd7942d3e52a6eeda9e1b7c910484ce55885b871163fbeea4d254c9d9ad63efe2ecbb526c833064

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
309KB

MD5
d524c613d28ab5264acf742d746914e9

SHA1
c36f7b3b28549bbc611f9cfa33a365ed966d8137

SHA256
c378f8ffe12a93b2f217f78b2e0b86c2a766290f95ea3ffc9b7248103e91ca7a

SHA512
ddc6da5952d14413aaa04e9ae3b9fb49acb18818db67f6b71cd7942d3e52a6eeda9e1b7c910484ce55885b871163fbeea4d254c9d9ad63efe2ecbb526c833064

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
153KB

MD5
b5f135ec53a36d2eeefd6b4461ec2920

SHA1
0f90f0fb7978d6c9f9412ef5940306b710f570dd

SHA256
9249722e370b4171b3506e2acb5215b7be98fc95ea797aeb47da945d6f128902

SHA512
5efbc1c46f7d3799097db91d67221e15c5fa74d3a5eba43759457438b24960378d1515c0427a4e89c6a1a8fa073b9905869c2a99559d3f7f7613e25533eb46e6

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
153KB

MD5
b5f135ec53a36d2eeefd6b4461ec2920

SHA1
0f90f0fb7978d6c9f9412ef5940306b710f570dd

SHA256
9249722e370b4171b3506e2acb5215b7be98fc95ea797aeb47da945d6f128902

SHA512
5efbc1c46f7d3799097db91d67221e15c5fa74d3a5eba43759457438b24960378d1515c0427a4e89c6a1a8fa073b9905869c2a99559d3f7f7613e25533eb46e6

Download Submit
memory/604-76-0x0000000002170000-0x000000000223E000-memory.dmp

Filesize
824KB

Download
memory/604-75-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/604-73-0x0000000077B40000-0x0000000077CC0000-memory.dmp

Filesize
1.5MB

Download
memory/1180-79-0x0000000077B40000-0x0000000077CC0000-memory.dmp

Filesize
1.5MB

Download
memory/1180-78-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1180-70-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1180-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1180-74-0x0000000000490000-0x000000000055E000-memory.dmp

Filesize
824KB

Download
memory/1180-81-0x0000000077B40000-0x0000000077CC0000-memory.dmp

Filesize
1.5MB

Download
memory/1180-80-0x0000000077B40000-0x0000000077CC0000-memory.dmp

Filesize
1.5MB

Download
memory/1180-77-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1768-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1768-58-0x0000000000710000-0x000000000079B000-memory.dmp

Filesize
556KB

Download
memory/1768-56-0x0000000010000000-0x00000000100B0000-memory.dmp

Filesize
704KB

Download
memory/1768-82-0x0000000000710000-0x000000000079B000-memory.dmp

Filesize
556KB

Download
memory/1768-83-0x0000000010000000-0x00000000100B0000-memory.dmp

Filesize
704KB

Download