ramnit | 54d5ee4a19ec454c2850b177ed974f5d3b6ffcbecd0f1622e7cf331e67047c5a

General

Target

3a92779f3987f2a870dccf69e02a30b1.dll
Size

232KB
MD5

3a92779f3987f2a870dccf69e02a30b1
SHA1

886caff0edd127e2c8fd8740cbfd8dd7bd22dfca
SHA256

54d5ee4a19ec454c2850b177ed974f5d3b6ffcbecd0f1622e7cf331e67047c5a
SHA512

296af926ef017543cf2bc77b1d716189b93348e09c6154d259457a27294f08a7aef0c9099073cd7d29f2c7f438f75690022dc030120002b432264a64f9a9aa59
SSDEEP

3072:MiJQeQYiE6Zp0Glt9bnYNd/KG0DdFcXRrB5XUsI1FhCBA++KdVTyb+6VmC:RJQpTlt9L4BP05OBteIn+KvySC

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2036	rundll32mgr.exe

Loads dropped DLL 4 IoCs

pid	Process
1520	rundll32.exe
1520	rundll32.exe
2036	rundll32mgr.exe
2036	rundll32mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-9-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2036-21-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2756	2036	WerFault.exe	22

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1032 wrote to memory of 1520	1032	rundll32.exe	17
PID 1520 wrote to memory of 2036	1520	rundll32.exe	22
PID 1520 wrote to memory of 2036	1520	rundll32.exe	22
PID 1520 wrote to memory of 2036	1520	rundll32.exe	22
PID 1520 wrote to memory of 2036	1520	rundll32.exe	22

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a92779f3987f2a870dccf69e02a30b1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a92779f3987f2a870dccf69e02a30b1.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 148
      4⤵
      Program crash
      PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
7KB

MD5
77d75f90dd6b0f95f92ab05bc7008b84

SHA1
c4f15be7726774cba2ba77714c2428a690e8d6da

SHA256
c5e255de692f8a4b84dcafdfc2d415224485e05c274801b39dbd080903ec6322

SHA512
ec342fb5e7a75d9d5a05dd90c0622fed2c54b8b33860a10502713cd8c2984300670dcf24d127870b45d1c203a74e9b24f3cd8e110db0c279bb9b487d72d4d262

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
5KB

MD5
71911a18ee43a3c4be08e1bf24700edd

SHA1
d80cfc78fe21df024561f0977ecf7d5cb2cf7f65

SHA256
67165dd038464d4723dc07f27da5332f25760102c21c5f02be4fc38dfec7588a

SHA512
b7334c27eb2d90eba9294143d7999958a52cef29ce75eda5cc742ec00d8b95f9788d9edd1b80255b623ed9cd70bb8e0cd03f6f95d6515a521547db44272f5cf9

Download Submit
\Users\Admin\AppData\Local\Temp\~TM86A.tmp

Filesize
136KB

MD5
190b06f353e1c734daf47efa56ffbfdb

SHA1
2b0d45994dd2a24977c08fe340b0778529b9c316

SHA256
dd2886a1bf38098ccfed1423f1cd456dd1cbd9207afb4c06504772f533135828

SHA512
ad8e259d63fc38a3e4eeb9c4b1519aeacd34f3f99dfca5a5012e34f28983609ac60772539eea1ecc026b668dd983ec5287d061a8467d6a80a23ca8477326697b

Download Submit
\Users\Admin\AppData\Local\Temp\~TM88A.tmp

Filesize
138KB

MD5
77a6be98ada2375a5c6bda15ab2d23f9

SHA1
82646fd8bf5cf24c88ed3bacd631f3ff0014c9c7

SHA256
e2508bc64a85fd2c395df4e1bd7bd2fe11f05e52a79d81c5b93663d9491d966a

SHA512
7f2c9c303085d7ab2f42a4030bb00a23229dd467190030e5c97f69b42f74736ae4682dbafd17a7b0a642c90f2a9f73a64028087daab02867d9277388351c9572

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
3KB

MD5
772cfaf7b5ca73cadb03511d748fd8a8

SHA1
82b25d866964ea8326b017a6bd724951b7bbd1a8

SHA256
387def94dc65f97d12340929342cb57e28109dc03bbe0da586e0f48c545679a1

SHA512
ef7c41165e13e3e71b0fce464f618c61f504f72cb67921b5aa9887b7643b43f7625f62c51f3f1b98662397e66372cd6908e2d120785bb7436baa3c9042c6d0b5

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
144KB

MD5
609c9eadac4c1cc48b5f89be6c36e276

SHA1
f047b565fdb73d5b75ffaed7b2faa335e82b3514

SHA256
e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325

SHA512
246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5

Download Submit
memory/1520-1-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/2036-11-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2036-20-0x00000000755E0000-0x00000000756F0000-memory.dmp

Filesize
1.1MB

Download
memory/2036-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2036-22-0x00000000755E0000-0x00000000756F0000-memory.dmp

Filesize
1.1MB

Download
memory/2036-17-0x00000000771B0000-0x00000000771B2000-memory.dmp

Filesize
8KB

Download
memory/2036-16-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2036-15-0x00000000771AF000-0x00000000771B1000-memory.dmp

Filesize
8KB

Download
memory/2036-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing