Overview

overview

10

Static

static

3

7ae73e9377...cs.dll

windows7-x64

10

7ae73e9377...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll

  • Size

    101KB

  • MD5

    7ae73e937719ef5543838d19cb2cb410

  • SHA1

    8b9f2a12ff21b8083fd54a88f1225b451aca9cbd

  • SHA256

    46fccb29f5b11a1f24ccaddbf434e82258e58637b26cc7d6c7da39e1cb348ac7

  • SHA512

    bdaabefaa3e2e57d15e3395c93d0ce451f4f3b1fdcc3cedf5d6b45747476c227ac0c75a00f09d1fe8dc4df6263aa92dd66fe9d51a19b689eb7d2f35a1fd8155f

  • SSDEEP

    1536:hcMr6N99X0fdNAbxBEA0HoHuqmCbEVwh4hlp1KB3yvi94MOXX9Wo/n:2Mr6N9WfdNAbxBEAZHglVwEDnvG/OcQn

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1308
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 208
                6⤵
                • Program crash
                PID:4152
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:396
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4332
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2868
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1308 -ip 1308
      1⤵
        PID:4684

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        c41ab5352ba79baac9ac093dd7eb2500

        SHA1

        1ffb0e70f86845daba211aeda43cad539d34ffd3

        SHA256

        558e13bb7aa293569457e9703d2db37e8365e2ab670b2c3484ada9336ed24895

        SHA512

        ccebe3f11039e14d39d4102652669fd372d179778bf73fae0659dd01da569bbf850b273cd3a4e13dc77b3fd4fb4d84d01525ac3a0dcb23b297c733da10bc2ff0

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        fd0af9ae1e45a5cabaa56eaab8f9adb6

        SHA1

        b0e141e088090914809437dba9d744e757782514

        SHA256

        b47e3656839a3bdf5ddd2c262030464e4a7c8f0518fbee89ec64b3e9e2df8245

        SHA512

        a0888dffccafec00958091721744f21ae26e57d1511a54ea775dc67ed05a2ddde2e83542df315e0049cd16ed05c65e1067a60fb0329225211fbfd798accd9bc7

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        c309ba51f60f9de7a3ec1c68f240ba26

        SHA1

        ff4a5cd325267b0dac0d9c7452ea92d5ab7df3eb

        SHA256

        56ae9d531d4ead17f034f8454fe28d04a562c56b2682b3f30f986550f69c6999

        SHA512

        83de47bbc3b09473fc944989433ac818085c942d172efdf876bc71ba415af08380cb61cf27e8cd8443fd640574b1f1bc62dbbdb37faa2aa39b47a4731ced5f57

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CDE1CF0D-1B27-11EF-A2D1-F25A6F8D7CFB}.dat
        Filesize

        4KB

        MD5

        ee93002bacf66ae9b6409e2f9faa2107

        SHA1

        62afeb9351dfe8cb8cf7066e80dc35a3383b37c9

        SHA256

        eb55740b1b617569915f0b0ba20facc16efff52322d59264a04f99d2a285d4d1

        SHA512

        779c4ae99015f7a031486867f97ad07a3488bd230ef283eddb83694180a1efccd6e1ec862b93d8331b203e447ac38ba4744c08d8cc6f4971e260ed1e5376963b

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CDE430C0-1B27-11EF-A2D1-F25A6F8D7CFB}.dat
        Filesize

        5KB

        MD5

        dd312b21ca001fbeea6983fe778caec9

        SHA1

        b172115f4903acb33da4641755e8df88c2c37e1e

        SHA256

        fe5737f07d9c6ed36f36f93b8f4a8bece96055ce2ace3be0bd5830660077abe3

        SHA512

        67968d97527aa184de971f3c80656ceea100c35cf9e8bceb92442295fd45cb6f4ad6c3279ca12f8e0809dd7e296ab4e29ce920829c0a063e5c578ec67ebd7291

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC004.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I3C6LG3F\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        65KB

        MD5

        849ef19ec0155d79d4fa5bfb5657b106

        SHA1

        eb7e7ff208ecb40d35755d8f36e31e2482166299

        SHA256

        8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

        SHA512

        30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

        Download Submit
      • memory/1088-5-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1308-18-0x0000000000950000-0x0000000000951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1308-19-0x0000000000930000-0x0000000000931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2280-4-0x0000000010000000-0x000000001001C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/2280-6-0x0000000076F02000-0x0000000076F03000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2280-7-0x00000000042E0000-0x00000000042E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2280-8-0x00000000043B0000-0x00000000043B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2796-14-0x00000000006E0000-0x00000000006E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2796-25-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2796-24-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2796-21-0x0000000076F02000-0x0000000076F03000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2796-20-0x00000000006F0000-0x00000000006F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2796-15-0x0000000000650000-0x0000000000671000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2796-16-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download