ramnit | 6ecffd6a456590a09d56eaec47b09c7f25efced4f72aaeda547cab04e2ba57d7

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a0d22d34c9fd9632d9891d52ebdb1f.exe
Size

106KB
MD5

00a0d22d34c9fd9632d9891d52ebdb1f
SHA1

89b1afb9e1c6d587becef451ba69cf1e5690da63
SHA256

6ecffd6a456590a09d56eaec47b09c7f25efced4f72aaeda547cab04e2ba57d7
SHA512

2148f2d085a2f81f8894b7ea65f26f0774768a863ea193e13079d9a01a91176db75890e8de423501ac884df221dbc7a358c68dd394d94d1f0779a593e8bc9465
SSDEEP

1536:y+FDoK6yniY1u7Nn2JFkC2styJjCKICFjC7EWisS+5mlatSfkZ:y+FDfK71QkbstyJjCKICpC72s/mlaX

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Loads dropped DLL 1 IoCs

pid	Process
4900	00a0d22d34c9fd9632d9891d52ebdb1f.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-2-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-7-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-9-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-8-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-5-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-11-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4900-4-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	4900	WerFault.exe	87

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4900	00a0d22d34c9fd9632d9891d52ebdb1f.exe

C:\Users\Admin\AppData\Local\Temp\00a0d22d34c9fd9632d9891d52ebdb1f.exe
"C:\Users\Admin\AppData\Local\Temp\00a0d22d34c9fd9632d9891d52ebdb1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 388
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4900 -ip 4900
1⤵
PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM7465.tmp

Filesize
500KB

MD5
c0d7b25f603dc88f55544136c4d5ad9a

SHA1
609003e5fcb142b7e7bc804b55e20218686789c4

SHA256
27b4ef8cea7cf07ffd34b569f1cee61e1b3d439bf43f216d476ab47f82087a01

SHA512
45e3eee7f0a1ff1b5c87266f163faf4931c5658362c1cad97fd77279208efc5ae780bc94242f02c20e830e6a785777a2fa1c679d11d22f4aa462926333a177b5

Download Submit
memory/4900-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-6-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4900-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4900-17-0x0000000077082000-0x0000000077084000-memory.dmp

Filesize
8KB

Download
memory/4900-16-0x0000000077082000-0x0000000077083000-memory.dmp

Filesize
4KB

Download
memory/4900-15-0x0000000077082000-0x0000000077084000-memory.dmp

Filesize
8KB

Download
memory/4900-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download