Malware Analysis Report

2025-08-06 01:41

Sample ID 241005-am6t1syfkc
Target 952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN
SHA256 952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecd
Tags: discovery ramnit banker spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecd

Threat Level: Known bad

The file 952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN was found to be: Known bad.

Malicious Activity Summary

discovery ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 00:20

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 00:20

Reported

2024-10-05 00:22

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2484 wrote to memory of 2376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

Network

N/A

Files

memory/2376-0-0x0000000010000000-0x000000001005A000-memory.dmp

memory/2376-1-0x0000000010000000-0x000000001005A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 00:20

Reported

2024-10-05 00:22

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

Signatures

Ramnit

Tags: trojan spyware stealer worm banker ramnit

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |

UPX packed file

Tags: upx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

System Location Discovery: System Language Discovery

Tags: discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgrmgr.exe | N/A |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\952b976758c83fa247f417fb3195277c1522222a92a897a7f8ed66d74bde7ecdN.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 10176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 10184

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |

Files

memory/5040-0-0x0000000010000000-0x000000001005A000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 d3d9e83859d00c69a12e334852e0e40e
SHA1 88b6d73a9a92b96f017417e346781aa62e412112
SHA256 3b50ec5daef877dabead21459e6e6dd8de74ea4fbdaf1163768e0376b4060887
SHA512 3f565d70caa9139068468cb296f15a05d5921d01362f04bb2996007683bf8816dbc6338283acba22d8349c1214c98bddb476fef3878b97f555acd46ac8754fe2

memory/4200-5-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgr.exe

MD5 8abf6898662a995642dd979ff1fe5eef
SHA1 08aeda19120993801a6f3a8aa2b73b559ed361ad
SHA256 8aa6d0613c1ad6326d92678bc90dd10be1fba7a5b5f9d7a4a6fac6a42baf94cb
SHA512 a1e88bde3478d8a0c74824998b13e1fdf4484eec444540352076acc43675ecd2daed86e719b3889e7e8ce2104b2b7259a237b42d474acbca8f7e7fb3f37a3313

memory/4352-9-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4200-11-0x0000000002080000-0x00000000020DC000-memory.dmp

memory/4200-15-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4352-12-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~TMB73B.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/4200-21-0x0000000002080000-0x00000000020DC000-memory.dmp