ramnit | 262f600f054469aa68cdb1fa554f1320eefcff6fbfd548485ff819a8a9cf34aa

Analysis

max time kernel
172s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe
Size

196KB
MD5

041264e79633ca14999ae2dbf75aec96
SHA1

885ae66fbe2e2d622a3a14c46d7fc69afede269e
SHA256

262f600f054469aa68cdb1fa554f1320eefcff6fbfd548485ff819a8a9cf34aa
SHA512

fe265d34570f2b201f3b2d08afb0b8f8871d8dbf5ddefa770c7eed637e35c6796a3c61f54c4824e58c1b0a8c720c43f7b4aee25ddb96569994603169235e66e4
SSDEEP

3072:zgZSlI/HUOjSiToj7CEqfqg2p0VWPIKYZN8NGYtR3wJe7nRW2Lr2:Uv/HFjSdfCZ4pYFiLb3qe7RZ2

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
5072	NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1576	NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe
5072	NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1576-8-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/5072-19-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4516	1576	WerFault.exe	82
2096	5072	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 5072	1576	NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe	84
PID 1576 wrote to memory of 5072	1576	NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe	84
PID 1576 wrote to memory of 5072	1576	NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 10168
    3⤵
    - Program crash
    PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 10180
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5072 -ip 5072
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1576 -ip 1576
1⤵
PID:4336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe

Filesize
97KB

MD5
c1e022fb8b630cc6006ed3bc5090d22a

SHA1
6b42622aa21217aa3fa1e752ea169b2e261f4607

SHA256
030adac9b9db1dfc25823756c9afd98f2d71f03330bff39e38e02b1eb8c37a9b

SHA512
21f4d0882417a00047523ce2104ae2b5c50ce2c8328fe54668f683c4845631a1a1f02f862c0676485efa4f3606c8b8491c2a12005dd3d8fcf90a5aee071c7558

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.041264e79633ca14999ae2dbf75aec96_JCmgr.exe

Filesize
97KB

MD5
c1e022fb8b630cc6006ed3bc5090d22a

SHA1
6b42622aa21217aa3fa1e752ea169b2e261f4607

SHA256
030adac9b9db1dfc25823756c9afd98f2d71f03330bff39e38e02b1eb8c37a9b

SHA512
21f4d0882417a00047523ce2104ae2b5c50ce2c8328fe54668f683c4845631a1a1f02f862c0676485efa4f3606c8b8491c2a12005dd3d8fcf90a5aee071c7558

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TMDAEF.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TMDAFE.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1576-13-0x00000000021A0000-0x00000000021FF000-memory.dmp

Filesize
380KB

Download
memory/1576-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1576-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1576-15-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/1576-16-0x0000000077E12000-0x0000000077E14000-memory.dmp

Filesize
8KB

Download
memory/5072-5-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5072-14-0x0000000001F20000-0x0000000001F66000-memory.dmp

Filesize
280KB

Download
memory/5072-17-0x0000000077E12000-0x0000000077E14000-memory.dmp

Filesize
8KB

Download
memory/5072-18-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/5072-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download