Overview

overview

10

Static

static

3

ef4818117a...cs.dll

windows7-x64

10

ef4818117a...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll

  • Size

    200KB

  • MD5

    ef4818117a0a1fcf4eb92c0487dd2140

  • SHA1

    221cb972f1771ffb8da5a91f006feb170623bd46

  • SHA256

    546e6609ae734a7d8ea67b440a67aaa37c6347a8e6b8ed17e250771adbc54b0c

  • SHA512

    c72fce1eefaf73605406a882e1449936ea7e54f36626e8229537b700416c5dc491ed0bb4043e7d4799bb651b970353d8501ace76715c535d97455ccd8725ba1b

  • SSDEEP

    6144:wMqWfdNANa/AjNggWEv9XCrrupJywxS9KLFf:vqWfdNA0/uNKmSmfx6KV

Score
10/10
ramnitsalitybackdoorbankerevasionpersistencespywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1044
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1060
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1104
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1956
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll,#1
              3⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1880
              • C:\Windows\SysWOW64\rundll32mgr.exe
                C:\Windows\SysWOW64\rundll32mgr.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Loads dropped DLL
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1652
                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of UnmapMainImage
                  • Suspicious use of WriteProcessMemory
                  PID:2388
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    6⤵
                    • Modifies WinLogon for persistence
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    PID:2724
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    6⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1440
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1544

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
            Filesize

            342KB

            MD5

            0426690b5ec2170e21c451ea2a3ca744

            SHA1

            57e1eca5043824bfea02338d56528db42332b0b8

            SHA256

            4970926b6158242b5c61e06795837e212e17c4b83ebb315896fbc3294ab364d0

            SHA512

            9ff9971a6e29d1bc4383a95f7bdf591951acf957a462612b015d0ca9213b6a5f579fd427674c79f2ca844eab75d9af62531d5482480824c7acd606bb21b684e2

            Download Submit
          • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
            Filesize

            338KB

            MD5

            f66a6fda6e4ad88d9fd317020c0b9218

            SHA1

            226668f6e2b0e4fa512e97660cf5651d10339de7

            SHA256

            452d362d170387c30b80476dd1fe33735d84570d40b60048c7ecfe86aa59d726

            SHA512

            82fa5cd9754f3e53a16ce611b60e9d44af03f619d1cf75c2cb02172d32ca20afc782cb3feef4fdcb39cabbeb1972232ef81de2234a7cf51e9a3c0ead15b4c35e

            Download Submit
          • \Windows\SysWOW64\rundll32mgr.exe
            Filesize

            164KB

            MD5

            a3b1f1c4cd75bea10095e054f990bf1d

            SHA1

            15bf037b2166d2533e12bbec9f1d5f9a3ad8c81b

            SHA256

            a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee

            SHA512

            7457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94

            Download Submit
          • memory/1044-35-0x0000000001EA0000-0x0000000001EA2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1652-60-0x00000000003E0000-0x00000000003E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1652-15-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-17-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-78-0x00000000048B0000-0x00000000048E4000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1652-22-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-84-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-19-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-24-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-14-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-29-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-33-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-25-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-31-0x00000000001A0000-0x00000000001A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1652-32-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-54-0x00000000003F0000-0x00000000003F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1652-27-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-30-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-58-0x00000000003E0000-0x00000000003E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1652-34-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-59-0x00000000048B0000-0x00000000048E4000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1652-16-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1652-26-0x0000000002950000-0x00000000039DE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1652-20-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/1880-3-0x0000000001CD0000-0x0000000001D04000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1880-45-0x0000000001E10000-0x0000000001E11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1880-10-0x00000000001D0000-0x00000000001D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1880-12-0x0000000077830000-0x0000000077831000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1880-44-0x0000000001E00000-0x0000000001E02000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1880-11-0x00000000001E0000-0x00000000001E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1880-53-0x0000000001E10000-0x0000000001E11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1880-1-0x0000000010000000-0x0000000010035000-memory.dmp
            Filesize

            212KB

            Download
          • memory/1880-55-0x0000000001E00000-0x0000000001E02000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2388-79-0x0000000000400000-0x0000000000434000-memory.dmp
            Filesize

            208KB

            Download
          • memory/2388-89-0x0000000000210000-0x0000000000211000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2388-100-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/2388-145-0x0000000000400000-0x0000000000421000-memory.dmp
            Filesize

            132KB

            Download
          • memory/2388-101-0x000000007782F000-0x0000000077830000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2724-114-0x0000000000090000-0x0000000000091000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2724-113-0x0000000000080000-0x0000000000081000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2724-112-0x00000000000A0000-0x00000000000A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2724-91-0x0000000020010000-0x0000000020022000-memory.dmp
            Filesize

            72KB

            Download