ramnit | 31c3e801b2cadf6b05b081de51105f749ab712e78acd30ebd5d65037da8c1f2d

Analysis

max time kernel
135s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:30

Target

039a8a17cb0c6fda93a7fcd2c6df25b0_NeikiAnalytics.dll
Size

38KB
MD5

039a8a17cb0c6fda93a7fcd2c6df25b0
SHA1

21ff3a6c8ed3c9d994052ff5f8527d8a0773eb57
SHA256

31c3e801b2cadf6b05b081de51105f749ab712e78acd30ebd5d65037da8c1f2d
SHA512

59d379d1655536f88afbb1a7c9e95b7e46dcffd68874befeffa7fdb6602421121bf5d38765ff79162d7c067002ae97d0f3cfadc5604d7406e06246d0c047f581
SSDEEP

768:Bs+/gMsLIn/wIj2labk+1IsceGSnkmJ0Yblr583CJrVV7AsXU76m2s2AVV:WD8w22laSR0V+3CJrVnXczJ2

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3196 2576 WerFault.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	rundll32.exe

pid	pid_target	process	target process
3196	2576	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 2576	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2576	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2576	2208	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\039a8a17cb0c6fda93a7fcd2c6df25b0_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\039a8a17cb0c6fda93a7fcd2c6df25b0_NeikiAnalytics.dll,#1
2⤵
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 604
3⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2576 -ip 2576
1⤵
PID:3552

memory/2576-1-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download