Overview

overview

10

Static

static

3

09af71a118...cs.dll

windows7-x64

10

09af71a118...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09af71a1185fe18de6771e0cd23c2e00_NeikiAnalytics.dll

  • Size

    157KB

  • MD5

    09af71a1185fe18de6771e0cd23c2e00

  • SHA1

    19a887a8f5b7362997bb2d0534e3ec9c29fcde7a

  • SHA256

    d4206c080da5bf06e0532b8622b166426053eca0cca4b80db1fba5fc1e5b8531

  • SHA512

    e94ea7b2169827e58ce086633ea9f77e3bea5f62261189344669455adc3fc057c57dfab44db64459c0540c6a6a8ed32736ee2070d15f4ffe7d6dc6b53a155319

  • SSDEEP

    3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1O:IMqWfdNANO6yEYZ7DVQgsQLPzo1O

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\09af71a1185fe18de6771e0cd23c2e00_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\09af71a1185fe18de6771e0cd23c2e00_NeikiAnalytics.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of UnmapMainImage
            PID:2300
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Drops file in System32 directory
            • Drops file in Program Files directory
            PID:2540
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    132KB

    MD5

    9da6b0c5f187a569df017c86e33e711c

    SHA1

    316fb02293cfca55c62aa13f6f44dbff63e40ff1

    SHA256

    351095d22f8f26b9221b23ce5b2fbb83c8b1a19230bf446f286184ff630e372f

    SHA512

    6eebd2039b9e9840c2da3ff9c5d114559a5a024a36757e22ae29ec90f0d7c38ff09bd346a0cee32d4b750cb4e3770d9f4fcc3de40587181ccb4593de86a60ce6

    Download Submit
  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    128KB

    MD5

    a3af710f258dfb4f955da05805bb93ae

    SHA1

    28e774da87fa9ff3e4515c7e083106d9435df137

    SHA256

    350585f1db400dfdf5906a52222b3cafe3e5f3a7da49ea735f77bea2cd73bf54

    SHA512

    0d31932defbc31eca2f1353263512f1ef29290609c6cd683cf638a395b02050cd2cf277761fa07cd02a512b434ba6c8c64ebdafb6fa806257c21244cf914a453

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    122KB

    MD5

    c5255edf109342e3e1d1eb0990b2d094

    SHA1

    ba029b47b9b3a5ccccae3038d90382ec68a1dd44

    SHA256

    ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

    SHA512

    6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

    Download Submit
  • \Windows\SysWOW64\rundll32mgrmgr.exe
    Filesize

    59KB

    MD5

    f2c8b7e238a07cce22920efb1c8645a6

    SHA1

    cd2af4b30add747e222f938206b78d7730fdf346

    SHA256

    6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

    SHA512

    c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

    Download Submit
  • memory/1624-110-0x0000000020010000-0x000000002001B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1624-100-0x0000000020010000-0x000000002001B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2300-92-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2300-95-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-22-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-28-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2512-12-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2512-41-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-23-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-24-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-25-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2512-26-0x0000000000120000-0x0000000000143000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2512-44-0x0000000000050000-0x0000000000073000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2540-69-0x0000000020010000-0x0000000020022000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-62-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2540-75-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2540-77-0x0000000000090000-0x0000000000091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2540-60-0x0000000020010000-0x0000000020022000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-76-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2540-74-0x0000000020010000-0x0000000020022000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-81-0x0000000020010000-0x0000000020022000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2644-33-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2644-27-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2644-34-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2644-39-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2700-10-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-1-0x0000000010000000-0x000000001002B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/2700-3-0x00000000001E0000-0x0000000000213000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2700-11-0x0000000000110000-0x0000000000111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-13-0x0000000077650000-0x0000000077651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3052-57-0x000000007764F000-0x0000000077650000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3052-98-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3052-56-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/3052-121-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/3052-55-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/3052-54-0x0000000000830000-0x0000000000831000-memory.dmp
    Filesize

    4KB

    Download