Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 02:25

General

  • Target

    2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll

  • Size

    157KB

  • MD5

    2dd679cfde3da100f00bb847f8f14b00

  • SHA1

    2c38960b235d278311536ed7d023cbf30e022117

  • SHA256

    54ca0786d43bab6d703663c08a1cd05af8a44898f1a1b2a8884ea6b65284b880

  • SHA512

    797680843853477faef775f9d82505d15ff17987f23526b6c7495aca17062dae46a1f7e68af3cb625bb2daa21878ef19632e87b40bbba4bfd1c05bae2e1c82b0

  • SSDEEP

    3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1G:IMqWfdNANG6yEYZ7DVQgsQLPzo1G

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of UnmapMainImage
            PID:1744
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1880
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                • Modifies WinLogon for persistence
                • Drops file in System32 directory
                • Drops file in Program Files directory
                PID:1608
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1336
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1520
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      257KB

      MD5

      356571db7e393dbe5e9c628ee43612ab

      SHA1

      b04771d0317e87b68c5e6171dacaa564f566896a

      SHA256

      472212a183c238dfd89e62797af0dff4ffa810f05f6f09979f0fff6f0ef37916

      SHA512

      2f7a3d1a0564006fd6702a7f52a8ffb7487aefa41ddb58ac654dc7248e55a4196b71374336bde53dbd1fd13fcbb48b471a07f9460462763455633ef9eda00a26

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      253KB

      MD5

      208f63874ee14e8d4305561a889eebed

      SHA1

      c6b5a8a8db953f9d33d5ca873849c6f9a72eeaa1

      SHA256

      faa12f453b6fb385d6d602d3db121aa10b9f7664fd2a2c403f46087c1ba35a9a

      SHA512

      d98ae5a611635eb2a0e8c7aa1c129238e703841323580102ac001da3313ee2d91a7b2f959b5146ac8859d5d4de116848d842477dbbf5b0c5c50ac67445b4a9b1

    • \Windows\SysWOW64\rundll32mgr.exe

      Filesize

      122KB

      MD5

      c5255edf109342e3e1d1eb0990b2d094

      SHA1

      ba029b47b9b3a5ccccae3038d90382ec68a1dd44

      SHA256

      ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

      SHA512

      6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

    • \Windows\SysWOW64\rundll32mgrmgr.exe

      Filesize

      59KB

      MD5

      f2c8b7e238a07cce22920efb1c8645a6

      SHA1

      cd2af4b30add747e222f938206b78d7730fdf346

      SHA256

      6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

      SHA512

      c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

    • memory/1520-89-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/1520-91-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

    • memory/1608-114-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/1608-110-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/1616-10-0x0000000000100000-0x0000000000101000-memory.dmp

      Filesize

      4KB

    • memory/1616-1-0x0000000010000000-0x000000001002B000-memory.dmp

      Filesize

      172KB

    • memory/1616-180-0x00000000001D0000-0x00000000001D2000-memory.dmp

      Filesize

      8KB

    • memory/1616-12-0x0000000000110000-0x0000000000111000-memory.dmp

      Filesize

      4KB

    • memory/1616-11-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

      Filesize

      4KB

    • memory/1616-3-0x00000000001D0000-0x0000000000203000-memory.dmp

      Filesize

      204KB

    • memory/1640-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-21-0x00000000001B0000-0x00000000001D3000-memory.dmp

      Filesize

      140KB

    • memory/1640-39-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-38-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

    • memory/1640-20-0x00000000001B0000-0x00000000001D3000-memory.dmp

      Filesize

      140KB

    • memory/1640-26-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-31-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-25-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-24-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1640-23-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1744-135-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/1744-128-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1880-86-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/2276-40-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2276-37-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2616-72-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2616-78-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2764-55-0x0000000000120000-0x0000000000143000-memory.dmp

      Filesize

      140KB

    • memory/2764-52-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/2764-183-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2764-79-0x0000000000050000-0x0000000000051000-memory.dmp

      Filesize

      4KB