ramnit | 6b2de25a7b639d59cfd168474218d5b71256e02fe8557a525d18c1a15e42adbc

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 07:43

Target

93190f7f739937ff6b61041f69e3c680_NeikiAnalytics.dll
Size

39KB
MD5

93190f7f739937ff6b61041f69e3c680
SHA1

24b716246e5ff40d769e0017ffd4f4878e96e7c8
SHA256

6b2de25a7b639d59cfd168474218d5b71256e02fe8557a525d18c1a15e42adbc
SHA512

65a10cac977fef53aede47469163b38a3c647513287627a3c044fcf8cc564bb5b35dc274577e900d25326b5259813f6d1386bc9ea78b9b1fb632c032cb2a30d8
SSDEEP

768:Bs+RgMsmiIDftyPP+1H17jIydwYrlRm5TrTJyCO6zsMm5nnv1+Vn:WkiIDftyEhzm5TrTQ/FdZnvAl

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4788 2004 WerFault.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	rundll32.exe

pid	pid_target	process	target process
4788	2004	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1020 wrote to memory of 2004	1020	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 2004	1020	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 2004	1020	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93190f7f739937ff6b61041f69e3c680_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\93190f7f739937ff6b61041f69e3c680_NeikiAnalytics.dll,#1
  2⤵
  - Drops file in System32 directory
  PID:2004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 616
    3⤵
    - Program crash
    PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2004 -ip 2004
1⤵
PID:940

memory/2004-0-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download