ramnit | a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277

General

Target

a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll
Size

392KB
MD5

09b7588eeb9f9ffced2f205b1547c477
SHA1

44633ba9849b1f2f03bd08f0844bf11f0cd4a9d9
SHA256

a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277
SHA512

499d2501388ac14982dceac375804fc305170fd73482353b8e5810ca6e9670a28a3b25fb5365d2ff337fd74308195053bf7963e61ebff65878f6236cdaf6601b
SSDEEP

6144:JCIGPj038tAgFMldWNX+IxeQ37G28Ua1jflNiSGjVaNqzMDVZPdrNkUN:Cj038t/FMldW4IxeQ37JaplcsVRdm2

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1524	rundll32mgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000126af-56.dat	upx
behavioral1/files/0x000a0000000126af-59.dat	upx
behavioral1/files/0x000a0000000126af-57.dat	upx
behavioral1/memory/1524-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
2036	rundll32.exe
2036	rundll32.exe
1524	rundll32mgr.exe
1524	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
268	2036	WerFault.exe	28
1160	1524	WerFault.exe	29

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 1740 wrote to memory of 2036	1740	rundll32.exe	28
PID 2036 wrote to memory of 1524	2036	rundll32.exe	29
PID 2036 wrote to memory of 1524	2036	rundll32.exe	29
PID 2036 wrote to memory of 1524	2036	rundll32.exe	29
PID 2036 wrote to memory of 1524	2036	rundll32.exe	29
PID 2036 wrote to memory of 268	2036	rundll32.exe	30
PID 2036 wrote to memory of 268	2036	rundll32.exe	30
PID 2036 wrote to memory of 268	2036	rundll32.exe	30
PID 2036 wrote to memory of 268	2036	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9596f49c22a20feefbc493aa904a1b8ff69ae5e103dfbcc76777d59d52b4277.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 104
      4⤵
      Program crash
      PID:1160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 228
    3⤵
    - Program crash
    PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
226KB

MD5
0443f220bbe647a9f012ef8be7826915

SHA1
a4d35c05941e01bfda5e6aebf8696bbe1cbe57eb

SHA256
943d8c1c80dda309f3b9b2af6d0cc311b00acabc0b9016c37359e5c20aa4ab90

SHA512
a09035c929aace492303ba04bc00add212569d1d6dc37f41b814ebb295cb749e0cb7543ceea79c8a39f31e8e14a6bbd9519fac34d42070ed031b911adfebebd9

Download Submit
\Users\Admin\AppData\Local\Temp\~TMA832.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TMA8CF.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
226KB

MD5
0443f220bbe647a9f012ef8be7826915

SHA1
a4d35c05941e01bfda5e6aebf8696bbe1cbe57eb

SHA256
943d8c1c80dda309f3b9b2af6d0cc311b00acabc0b9016c37359e5c20aa4ab90

SHA512
a09035c929aace492303ba04bc00add212569d1d6dc37f41b814ebb295cb749e0cb7543ceea79c8a39f31e8e14a6bbd9519fac34d42070ed031b911adfebebd9

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
226KB

MD5
0443f220bbe647a9f012ef8be7826915

SHA1
a4d35c05941e01bfda5e6aebf8696bbe1cbe57eb

SHA256
943d8c1c80dda309f3b9b2af6d0cc311b00acabc0b9016c37359e5c20aa4ab90

SHA512
a09035c929aace492303ba04bc00add212569d1d6dc37f41b814ebb295cb749e0cb7543ceea79c8a39f31e8e14a6bbd9519fac34d42070ed031b911adfebebd9

Download Submit
memory/1524-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1524-64-0x00000000779D0000-0x0000000077B50000-memory.dmp

Filesize
1.5MB

Download
memory/2036-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/2036-65-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download
memory/2036-66-0x00000000002B0000-0x0000000000367000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing