ramnit | 309142e355e0cf0a6106f771437d1c208879f8e80fc8fe735f49383811533d4c

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

309142e355e0cf0a6106f771437d1c208879f8e80fc8fe735f49383811533d4c.dll
Size

212KB
MD5

3c46895396c0b25473cfa2ee378977a8
SHA1

4cf46ca53d0e5b5039936833212e9ab24bcb9f0e
SHA256

309142e355e0cf0a6106f771437d1c208879f8e80fc8fe735f49383811533d4c
SHA512

b1351d9caff71a813af533f22a0351fe302b566be42b8a2635fd3586bfd1ce471914de0127dd32b0231c792ba0488e8e7cd1e12ef8af3cd78ba9f2b252109990
SSDEEP

6144:B4pq9C9X3xVHG8EnSEpawFWAf23j9WpxhjM:mp1xVHG8ESkDcAfcjKxq

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

3064 rundll32mgr.exe

pid	process
3064	rundll32mgr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3064-137-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32mgr.exe

pid process

3064 rundll32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1292 3064 WerFault.exe rundll32mgr.exe

pid	process
3064	rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
1292	3064	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4808 wrote to memory of 4724	4808	rundll32.exe	rundll32.exe
PID 4808 wrote to memory of 4724	4808	rundll32.exe	rundll32.exe
PID 4808 wrote to memory of 4724	4808	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 3064	4724	rundll32.exe	rundll32mgr.exe
PID 4724 wrote to memory of 3064	4724	rundll32.exe	rundll32mgr.exe
PID 4724 wrote to memory of 3064	4724	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\309142e355e0cf0a6106f771437d1c208879f8e80fc8fe735f49383811533d4c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\309142e355e0cf0a6106f771437d1c208879f8e80fc8fe735f49383811533d4c.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 10192
      4⤵
      Program crash
      PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3064 -ip 3064
1⤵
PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM86E8.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
162KB

MD5
6c1e199ccc02acaf6e962eb75acb8c98

SHA1
742db8306bdbc1759d73eabd7914a93f94478cc7

SHA256
8408dc27c9c9a7b6ffa3fc2484284be71709d714f33a0b2e0ee51da03f7c7e0f

SHA512
6c8151370cc7264cab59d2c5cc03c2bc384a4cd44d2a58d431d3fca7ef2318b2aced1fa7fb21d6e4ca7fb25392912e5ef8592cfff9755ecc59b9af9fd1e14b3c

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
162KB

MD5
6c1e199ccc02acaf6e962eb75acb8c98

SHA1
742db8306bdbc1759d73eabd7914a93f94478cc7

SHA256
8408dc27c9c9a7b6ffa3fc2484284be71709d714f33a0b2e0ee51da03f7c7e0f

SHA512
6c8151370cc7264cab59d2c5cc03c2bc384a4cd44d2a58d431d3fca7ef2318b2aced1fa7fb21d6e4ca7fb25392912e5ef8592cfff9755ecc59b9af9fd1e14b3c

Download Submit
memory/3064-133-0x0000000000000000-mapping.dmp

Download
memory/3064-137-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3064-138-0x00000000020B0000-0x000000000211A000-memory.dmp

Filesize
424KB

Download
memory/3064-139-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4724-132-0x0000000000000000-mapping.dmp

Download