ramnit | 5ca1d0fd1f4e7d980a1d1a8675c701595713af9e4da79ee579caac48837d4687

Analysis

max time kernel
182s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:18

Target

09d431e14c3e3ae3b41d14c6db558f19.exe
Size

60KB
MD5

09d431e14c3e3ae3b41d14c6db558f19
SHA1

c4407b5bf198498beb8245747696cf01a0f818d4
SHA256

5ca1d0fd1f4e7d980a1d1a8675c701595713af9e4da79ee579caac48837d4687
SHA512

679268ecd71af9aa1648cf6acf72d56d00002393e9cf7859e101c1b3f233465c3ee892ca2c0374ebafb556775f4e36437a374ebd2d4d6818adfad51e242159f1
SSDEEP

1536:/h8Zc0c2TXH53F/y8fnFZTd6Ue6IWVvmfYC+zyl+U8/6OJeq:58Zc0hTH53F/y0nzTd6UjIWVvn+of

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Loads dropped DLL 1 IoCs

pid	Process
4628	09d431e14c3e3ae3b41d14c6db558f19.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4628-2-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-8-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-10-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-7-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-6-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-4-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4628-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1740	4628	WerFault.exe	39

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4628	09d431e14c3e3ae3b41d14c6db558f19.exe

C:\Users\Admin\AppData\Local\Temp\09d431e14c3e3ae3b41d14c6db558f19.exe
"C:\Users\Admin\AppData\Local\Temp\09d431e14c3e3ae3b41d14c6db558f19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 580
  2⤵
  - Program crash
  PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4628 -ip 4628
1⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\~TMFD1D.tmp

Filesize
8KB

MD5
d6bf489d3cede23b18babc82fffbe88f

SHA1
07137ba7295d82635e08e8abc43e1e06a3465a5f

SHA256
338335891bf5070a3ac8c3e91ba53de2ccae9c1ee61f802cfa196e7fae6836c9

SHA512
11e59e9ad7392d94809e67ce4eb390e928b96c352f13e201b6c5491c2c7efc53317a361f88f47473d5a63fe149c96e7ac5a6eacea2adc536b2c7ce487eb7edc2

Download Submit
memory/4628-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-14-0x0000000077B32000-0x0000000077B34000-memory.dmp

Filesize
8KB

Download
memory/4628-15-0x0000000077B32000-0x0000000077B33000-memory.dmp

Filesize
4KB

Download
memory/4628-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-5-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4628-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download