ramnit | d620e2cd5772dcf7c0183f67e02517363c0adc6662f1412ada362c446f4dee2c

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:30

Target

d620e2cd5772dcf7c0183f67e02517363c0adc6662f1412ada362c446f4dee2c.dll
Size

68KB
MD5

6ac6ec6d1181f9c5d1fd5918672c908a
SHA1

5b4de7de19c9c2ecaa64ec19f6a8addb7e1ffd14
SHA256

d620e2cd5772dcf7c0183f67e02517363c0adc6662f1412ada362c446f4dee2c
SHA512

1895855bce51d9cc595f8a337a95c6bc3271bc9d55267ad9122b5ce9515bb93313ff42d1cbd7a979c3c8552becdd73d2c617f1a4d021a1f73b3899b44a8943ac
SSDEEP

1536:MLNd/Pk7btaoX7DypKr0wNkYIUSS9eyBhs0iZs3+:GNhY5aora80mkYI7ysXs3

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Drops startup file 1 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltgkfmwf.exe	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 4920 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1696	4920	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4164 wrote to memory of 4920	4164	rundll32.exe	rundll32.exe
PID 4164 wrote to memory of 4920	4164	rundll32.exe	rundll32.exe
PID 4164 wrote to memory of 4920	4164	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d620e2cd5772dcf7c0183f67e02517363c0adc6662f1412ada362c446f4dee2c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d620e2cd5772dcf7c0183f67e02517363c0adc6662f1412ada362c446f4dee2c.dll,#1
2⤵
- Drops startup file
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 636
3⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4920 -ip 4920
1⤵
PID:3000

memory/4920-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download