ramnit | 0dbafa34e753353ccb904bbb803d20eb4f3fae1b2fc8ab0bedffccf877d1f85c

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 22:57

Target

0dbafa34e753353ccb904bbb803d20eb4f3fae1b2fc8ab0bedffccf877d1f85c.dll
Size

293KB
MD5

cd817cf8a3d8794839d9fc38c8a4dea0
SHA1

016fa5589cddb8d62e71213e295130d2ca55fa7d
SHA256

0dbafa34e753353ccb904bbb803d20eb4f3fae1b2fc8ab0bedffccf877d1f85c
SHA512

174ef1325e5072cdfff5e1103c2ed84ff6520bc9e8246e6f5b1ef8f2ca5344b366768f564e6f5cb9a885c34be1ff5cb641d2e786f2f8fd8561e9895c15d86d34
SSDEEP

6144:0Op8HpzSQOStKUzcQdRC3XIUg7XfY4sFcGsgvrMi3hd+/qJ02s:0Op8HpzoUz9C3XIUg7Xg4sFcBDixyqg

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1528	rundll32mgr.exe

Loads dropped DLL 1 IoCs

pid	Process
1528	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
528	1528	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3856	4384	rundll32.exe	82
PID 4384 wrote to memory of 3856	4384	rundll32.exe	82
PID 4384 wrote to memory of 3856	4384	rundll32.exe	82
PID 3856 wrote to memory of 1528	3856	rundll32.exe	83
PID 3856 wrote to memory of 1528	3856	rundll32.exe	83
PID 3856 wrote to memory of 1528	3856	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dbafa34e753353ccb904bbb803d20eb4f3fae1b2fc8ab0bedffccf877d1f85c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0dbafa34e753353ccb904bbb803d20eb4f3fae1b2fc8ab0bedffccf877d1f85c.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 416
      4⤵
      Program crash
      PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1528 -ip 1528
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\~TMA194.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
193KB

MD5
61ef2615f0db1f5c23621f220bd19b3c

SHA1
66c91325e227edb79ddff74ca6983209193526da

SHA256
30c21174dfec83924c8dcb175801cb28d244820b3d837150f8c4453b38c1bd53

SHA512
c9cb59c61c040b30cac4f58d8767680e1debd1a23ab791f6cd67ded2628dabafaa08b046bfa15baa5171fef971cd48e63e7922f5ff25faed0bcfbe065357cfe5

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
193KB

MD5
61ef2615f0db1f5c23621f220bd19b3c

SHA1
66c91325e227edb79ddff74ca6983209193526da

SHA256
30c21174dfec83924c8dcb175801cb28d244820b3d837150f8c4453b38c1bd53

SHA512
c9cb59c61c040b30cac4f58d8767680e1debd1a23ab791f6cd67ded2628dabafaa08b046bfa15baa5171fef971cd48e63e7922f5ff25faed0bcfbe065357cfe5

Download Submit
memory/1528-138-0x0000000000400000-0x000000000048D120-memory.dmp

Filesize
564KB

Download
memory/1528-139-0x0000000077140000-0x00000000772E3000-memory.dmp

Filesize
1.6MB

Download
memory/3856-137-0x0000000007000000-0x000000000704C000-memory.dmp

Filesize
304KB

Download