ramnit | 7c9faa959a37c8f3f177bb662a8cebc0913acec3d627e494589a3d60fc25eca8

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01824d04ef90f7a4d6883dcc395be5bd.dll
Size

160KB
MD5

01824d04ef90f7a4d6883dcc395be5bd
SHA1

18d273ed0eb24ca96dda9c8e30c58d0bfcbea57b
SHA256

7c9faa959a37c8f3f177bb662a8cebc0913acec3d627e494589a3d60fc25eca8
SHA512

6428cde96eaa831e85b6a2aab6486718f1eac35ae5fa473a59644a9280971680d2af08da3ff8d35dc15c52bcbf9d8277b9ac3bd1f6399cfd88ed2eab4e25f152
SSDEEP

3072:XxrFrIR1jqk0gpa1eLZyDfL9PK/BEmmkVITI90Oipgo1nRaZdRN:hrFcXqUs1eLZ+fRyyYVoIyOORaZdRN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
4512	rundll32mgr.exe

Loads dropped DLL 1 IoCs

pid	Process
4512	rundll32mgr.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4512-8-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-11-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-13-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-14-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-9-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-5-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/4512-6-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4164	4512	WerFault.exe
5840	1380	WerFault.exe	19

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4512	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1380	4108	rundll32.exe	19
PID 4108 wrote to memory of 1380	4108	rundll32.exe	19
PID 4108 wrote to memory of 1380	4108	rundll32.exe	19
PID 1380 wrote to memory of 4512	1380	rundll32.exe	28
PID 1380 wrote to memory of 4512	1380	rundll32.exe	28
PID 1380 wrote to memory of 4512	1380	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01824d04ef90f7a4d6883dcc395be5bd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\01824d04ef90f7a4d6883dcc395be5bd.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 668
    3⤵
    - Program crash
    PID:5840
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 348
1⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4512 -ip 4512
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1380 -ip 1380
1⤵
PID:3604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-0-0x0000000004800000-0x0000000004828000-memory.dmp

Filesize
160KB

Download
memory/1380-22-0x0000000004800000-0x0000000004828000-memory.dmp

Filesize
160KB

Download
memory/4512-13-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-19-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/4512-18-0x0000000077C92000-0x0000000077C94000-memory.dmp

Filesize
8KB

Download
memory/4512-20-0x0000000077C92000-0x0000000077C94000-memory.dmp

Filesize
8KB

Download
memory/4512-11-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-14-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-9-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-10-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4512-5-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-6-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4512-8-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download