ramnit | 5ec9b31b14d03a3997e1533ccaf5d0be69155d7fa7d3035ffe7aeae3553e93f0

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 06:48

Target

1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll
Size

247KB
MD5

1e5cd86251c2c61ee1cf479963b8acb8
SHA1

8962fa64240eaf4705766a55dd2a775993daf268
SHA256

5ec9b31b14d03a3997e1533ccaf5d0be69155d7fa7d3035ffe7aeae3553e93f0
SHA512

60e96b374238a81c9dac7c06850fb176faf58963825079b01a235880e7132a3b8499232cce77efe9ac2ff6208a05d63e449a0912c2f7a1bdbd11619020ca6953
SSDEEP

6144:CvCpkQAN1ZZd8SnRK5OK42YXBiiRX7MSkECHMjC3llvc:rpwNPZd8SnMwvJRrqECHt3c

Score

10^/10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4608 rundll32mgr.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32mgr.exe

pid process

4608 rundll32mgr.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/4608-6-0x0000000000400000-0x0000000000451000-memory.dmp upx
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2508 912 WerFault.exe rundll32.exe
3696 4608 WerFault.exe rundll32mgr.exe

pid	process
4608	rundll32mgr.exe

pid	process
4608	rundll32mgr.exe

resource	yara_rule
behavioral2/memory/4608-6-0x0000000000400000-0x0000000000451000-memory.dmp	upx

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
2508	912	WerFault.exe	rundll32.exe
3696	4608	WerFault.exe	rundll32mgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4904 wrote to memory of 912	4904	rundll32.exe	rundll32.exe
PID 4904 wrote to memory of 912	4904	rundll32.exe	rundll32.exe
PID 4904 wrote to memory of 912	4904	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 4608	912	rundll32.exe	rundll32mgr.exe
PID 912 wrote to memory of 4608	912	rundll32.exe	rundll32mgr.exe
PID 912 wrote to memory of 4608	912	rundll32.exe	rundll32mgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e5cd86251c2c61ee1cf479963b8acb8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 528
4⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 640
3⤵
- Program crash
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 912 -ip 912
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4608 -ip 4608
1⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\~TM442D.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
144KB

MD5
609c9eadac4c1cc48b5f89be6c36e276

SHA1
f047b565fdb73d5b75ffaed7b2faa335e82b3514

SHA256
e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325

SHA512
246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5

Download Submit
memory/912-0-0x0000000060510000-0x0000000060553000-memory.dmp

Filesize
268KB

Download
memory/912-10-0x0000000060510000-0x0000000060553000-memory.dmp

Filesize
268KB

Download
memory/4608-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download