ramnit | 0c219d4923fa09043a62196ee996282ed3b1583008714e3e6e2764c1cb9bab39

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5346be90e99c5d8579a0efbd28419260.exe
Size

369KB
MD5

5346be90e99c5d8579a0efbd28419260
SHA1

6008a18bb59c354f94c5bf466877653ee0823b7e
SHA256

0c219d4923fa09043a62196ee996282ed3b1583008714e3e6e2764c1cb9bab39
SHA512

86c8ab8f43341090551bc0be5112dc794529e4f678212eb78901ba0c93455b9492b18a408381698aff262a74946ad37df0d46c53e2e81effe9bab8d9ecf52ed5
SSDEEP

6144:FOTeHI8HiL7+f57HIeqoz5XdUP3K/JZl5qQ/AmNCbidtRtJyOHs7:MeoGiLa2EUP3WlUQbC2dpHs7

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2500	NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe
1444	NEAS.5346be90e99c5d8579a0efbd28419260.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1444-21-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2500-22-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3092	1444	WerFault.exe	84
3396	2500	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2500	1444	NEAS.5346be90e99c5d8579a0efbd28419260.exe	86
PID 1444 wrote to memory of 2500	1444	NEAS.5346be90e99c5d8579a0efbd28419260.exe	86
PID 1444 wrote to memory of 2500	1444	NEAS.5346be90e99c5d8579a0efbd28419260.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 540
    3⤵
    - Program crash
    PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 548
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1444 -ip 1444
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2500 -ip 2500
1⤵
PID:2944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe

Filesize
183KB

MD5
40633681066127b575fccd6cf223772e

SHA1
5871ea626980c9561bea5aaf538bd36df4f9bedb

SHA256
0011e81710b503f33f820d6e69e233f520bfb4e1641389623b2a03e44d4eedf4

SHA512
a49a3862ad954c34b098d7e2e684e8a86ec8945b3bfd48926ec64ab3b566b3429b4990f77b7a60fecc6d85b2747adb4c8e48a8eea34875ecb336bfe518a1561c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5346be90e99c5d8579a0efbd28419260mgr.exe

Filesize
183KB

MD5
40633681066127b575fccd6cf223772e

SHA1
5871ea626980c9561bea5aaf538bd36df4f9bedb

SHA256
0011e81710b503f33f820d6e69e233f520bfb4e1641389623b2a03e44d4eedf4

SHA512
a49a3862ad954c34b098d7e2e684e8a86ec8945b3bfd48926ec64ab3b566b3429b4990f77b7a60fecc6d85b2747adb4c8e48a8eea34875ecb336bfe518a1561c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM8A1F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM8A20.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1444-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1444-19-0x0000000077D22000-0x0000000077D24000-memory.dmp

Filesize
8KB

Download
memory/1444-8-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/1444-23-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/1444-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1444-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1444-20-0x0000000077D22000-0x0000000077D23000-memory.dmp

Filesize
4KB

Download
memory/1444-18-0x0000000077D22000-0x0000000077D23000-memory.dmp

Filesize
4KB

Download
memory/2500-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-15-0x0000000077D22000-0x0000000077D23000-memory.dmp

Filesize
4KB

Download
memory/2500-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-14-0x0000000077D22000-0x0000000077D24000-memory.dmp

Filesize
8KB

Download
memory/2500-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-9-0x0000000001F70000-0x0000000001FA1000-memory.dmp

Filesize
196KB

Download
memory/2500-24-0x0000000001F70000-0x0000000001FA1000-memory.dmp

Filesize
196KB

Download