Overview

overview

10

Static

static

3

55286139f9...cs.dll

windows7-x64

10

55286139f9...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll

  • Size

    157KB

  • MD5

    55286139f96615ce3229adc5dd78e7a0

  • SHA1

    06bfe781382c208d04930959308e8a450e935f66

  • SHA256

    0563ca3086dfa6d074e4bafb98354cc48862b36ec401e3db3d1f92be5095de4e

  • SHA512

    c85a70011bc3311f633350c93c33f2dfd3715d0a424d1b0125b93b2c9a6e5a94fce594e41453e2521babdb048783101914d51d86f9067bd978e0b3e82b98c05c

  • SSDEEP

    3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1r:IMqWfdNANG6yEYZ7DVQgsQLPzo1r

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Drops file in System32 directory
              • Drops file in Program Files directory
              PID:2480
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1940
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:1696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize

    132KB

    MD5

    7566547fef2e8ffed3281c9f501309e6

    SHA1

    0f49fd6811865481a0f32c288c2688acee423e10

    SHA256

    6e604f0d8511d11d19960680b5279955791edd0db1452923ba95ba9abf4c1dbf

    SHA512

    f06cd5db5e169d54389e27b0e66af59e6b21520f683b9f065a24e7282994892ffdc6af9567a90f3906d0bd9302a36c99fe69bf2268b9c5a797d3b580362eddd1

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize

    128KB

    MD5

    c3d10fe73df0d5e0c4a3f2880147c55f

    SHA1

    6f81bbeee6175a11764a09b5fd069594870bdc1d

    SHA256

    195e7a3bc9934ea390fd156d30df57065d4ba665c3b3035334bab5d5ba57a545

    SHA512

    cc2f915cfe285248fcb17bd315a31a143f0845b516af96408c63ae07483b0ec4fa471bdcca64d194cd43193fdc9e387528a77b76675e59d80b4d325849173e50

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    122KB

    MD5

    c5255edf109342e3e1d1eb0990b2d094

    SHA1

    ba029b47b9b3a5ccccae3038d90382ec68a1dd44

    SHA256

    ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

    SHA512

    6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

    Download Submit

  • \Windows\SysWOW64\rundll32mgrmgr.exe
    Filesize

    59KB

    MD5

    f2c8b7e238a07cce22920efb1c8645a6

    SHA1

    cd2af4b30add747e222f938206b78d7730fdf346

    SHA256

    6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

    SHA512

    c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

    Download Submit

  • memory/1696-101-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1884-12-0x0000000077990000-0x0000000077991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1884-1-0x0000000010000000-0x000000001002B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1884-3-0x0000000000300000-0x0000000000333000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1884-11-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1884-10-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-116-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1940-106-0x0000000020010000-0x000000002001B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2196-37-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-28-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-20-0x0000000000120000-0x0000000000143000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2196-21-0x0000000000120000-0x0000000000143000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2196-23-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-24-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-36-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-25-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-26-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2196-27-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2480-67-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-65-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2480-75-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2480-88-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-87-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-86-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-80-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2480-84-0x0000000020010000-0x0000000020022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2868-62-0x000000007798F000-0x0000000077990000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-61-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2868-56-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2868-104-0x0000000000060000-0x0000000000061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-127-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2868-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-35-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3068-45-0x0000000000050000-0x0000000000073000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3068-42-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download