ramnit | 0563ca3086dfa6d074e4bafb98354cc48862b36ec401e3db3d1f92be5095de4e

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll
Size

157KB
MD5

55286139f96615ce3229adc5dd78e7a0
SHA1

06bfe781382c208d04930959308e8a450e935f66
SHA256

0563ca3086dfa6d074e4bafb98354cc48862b36ec401e3db3d1f92be5095de4e
SHA512

c85a70011bc3311f633350c93c33f2dfd3715d0a424d1b0125b93b2c9a6e5a94fce594e41453e2521babdb048783101914d51d86f9067bd978e0b3e82b98c05c
SSDEEP

3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1r:IMqWfdNANG6yEYZ7DVQgsQLPzo1r

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

4580 rundll32mgr.exe
4196 rundll32mgrmgr.exe
1056 WaterMark.exe
4224 WaterMark.exe
2428 WaterMarkmgr.exe
3932 WaterMark.exe

pid	process
4580	rundll32mgr.exe
4196	rundll32mgrmgr.exe
1056	WaterMark.exe
4224	WaterMark.exe
2428	WaterMarkmgr.exe
3932	WaterMark.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4580-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4224-50-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3932-76-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2428-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1056-66-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4224-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2428-64-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1056-49-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4196-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4580-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4224-87-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

rundll32mgr.exerundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe
File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 10 IoCs

Processes:

rundll32mgrmgr.exeWaterMarkmgr.exeWaterMark.exerundll32mgr.exeWaterMark.exeWaterMark.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px3CDA.tmp	rundll32mgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3D47.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3CCA.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1636 2076 WerFault.exe svchost.exe
2528 1084 WerFault.exe svchost.exe
2448 2976 WerFault.exe svchost.exe

pid	pid_target	process	target process
1636	2076	WerFault.exe	svchost.exe
2528	1084	WerFault.exe	svchost.exe
2448	2976	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1593512595"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1595700369"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109577"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1595856470"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423753084"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1593356908"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109577"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109577"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109577"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1593512595"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1595700369"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A7E9D36-1DBC-11EF-9A94-7AB71B943571} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A79B094-1DBC-11EF-9A94-7AB71B943571} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A80D78E-1DBC-11EF-9A94-7AB71B943571} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1595700369"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109577"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1593356908"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A7E7626-1DBC-11EF-9A94-7AB71B943571} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exe

pid	process
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
4224	WaterMark.exe
4224	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
1056	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe
3932	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeWaterMark.exeWaterMark.exeWaterMark.exe

description	pid	process
Token: SeDebugPrivilege	4792	rundll32.exe
Token: SeDebugPrivilege	4224	WaterMark.exe
Token: SeDebugPrivilege	1056	WaterMark.exe
Token: SeDebugPrivilege	3932	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

4064 iexplore.exe
3580 iexplore.exe
4404 iexplore.exe
5116 iexplore.exe

pid	process
4064	iexplore.exe
3580	iexplore.exe
4404	iexplore.exe
5116	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4404	iexplore.exe
4404	iexplore.exe
3580	iexplore.exe
3580	iexplore.exe
5116	iexplore.exe
5116	iexplore.exe
4064	iexplore.exe
4064	iexplore.exe
2224	IEXPLORE.EXE
2224	IEXPLORE.EXE
4052	IEXPLORE.EXE
4052	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
4212	IEXPLORE.EXE
4212	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

4580 rundll32mgr.exe
4196 rundll32mgrmgr.exe
4224 WaterMark.exe
1056 WaterMark.exe
2428 WaterMarkmgr.exe
3932 WaterMark.exe

pid	process
4580	rundll32mgr.exe
4196	rundll32mgrmgr.exe
4224	WaterMark.exe
1056	WaterMark.exe
2428	WaterMarkmgr.exe
3932	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3760 wrote to memory of 4792	3760	rundll32.exe	rundll32.exe
PID 3760 wrote to memory of 4792	3760	rundll32.exe	rundll32.exe
PID 3760 wrote to memory of 4792	3760	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 4580	4792	rundll32.exe	rundll32mgr.exe
PID 4792 wrote to memory of 4580	4792	rundll32.exe	rundll32mgr.exe
PID 4792 wrote to memory of 4580	4792	rundll32.exe	rundll32mgr.exe
PID 4580 wrote to memory of 4196	4580	rundll32mgr.exe	rundll32mgrmgr.exe
PID 4580 wrote to memory of 4196	4580	rundll32mgr.exe	rundll32mgrmgr.exe
PID 4580 wrote to memory of 4196	4580	rundll32mgr.exe	rundll32mgrmgr.exe
PID 4580 wrote to memory of 1056	4580	rundll32mgr.exe	WaterMark.exe
PID 4580 wrote to memory of 1056	4580	rundll32mgr.exe	WaterMark.exe
PID 4580 wrote to memory of 1056	4580	rundll32mgr.exe	WaterMark.exe
PID 4196 wrote to memory of 4224	4196	rundll32mgrmgr.exe	WaterMark.exe
PID 4196 wrote to memory of 4224	4196	rundll32mgrmgr.exe	WaterMark.exe
PID 4196 wrote to memory of 4224	4196	rundll32mgrmgr.exe	WaterMark.exe
PID 1056 wrote to memory of 2428	1056	WaterMark.exe	WaterMarkmgr.exe
PID 1056 wrote to memory of 2428	1056	WaterMark.exe	WaterMarkmgr.exe
PID 1056 wrote to memory of 2428	1056	WaterMark.exe	WaterMarkmgr.exe
PID 2428 wrote to memory of 3932	2428	WaterMarkmgr.exe	WaterMark.exe
PID 2428 wrote to memory of 3932	2428	WaterMarkmgr.exe	WaterMark.exe
PID 2428 wrote to memory of 3932	2428	WaterMarkmgr.exe	WaterMark.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 1084	4224	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 1056 wrote to memory of 2076	1056	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 3932 wrote to memory of 2976	3932	WaterMark.exe	svchost.exe
PID 4224 wrote to memory of 4064	4224	WaterMark.exe	iexplore.exe
PID 4224 wrote to memory of 4064	4224	WaterMark.exe	iexplore.exe
PID 1056 wrote to memory of 4404	1056	WaterMark.exe	iexplore.exe
PID 1056 wrote to memory of 4404	1056	WaterMark.exe	iexplore.exe
PID 4224 wrote to memory of 5116	4224	WaterMark.exe	iexplore.exe
PID 4224 wrote to memory of 5116	4224	WaterMark.exe	iexplore.exe
PID 1056 wrote to memory of 3580	1056	WaterMark.exe	iexplore.exe
PID 1056 wrote to memory of 3580	1056	WaterMark.exe	iexplore.exe
PID 3932 wrote to memory of 4364	3932	WaterMark.exe	iexplore.exe
PID 3932 wrote to memory of 4364	3932	WaterMark.exe	iexplore.exe
PID 3932 wrote to memory of 3668	3932	WaterMark.exe	iexplore.exe
PID 3932 wrote to memory of 3668	3932	WaterMark.exe	iexplore.exe
PID 4404 wrote to memory of 2224	4404	iexplore.exe	IEXPLORE.EXE
PID 4404 wrote to memory of 2224	4404	iexplore.exe	IEXPLORE.EXE
PID 4404 wrote to memory of 2224	4404	iexplore.exe	IEXPLORE.EXE
PID 3580 wrote to memory of 1556	3580	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\55286139f96615ce3229adc5dd78e7a0_NeikiAnalytics.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 208
        7⤵
        Program crash
        
        PID:2528
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4064
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4212
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 204
        8⤵
        Program crash
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:4364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:3668
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 204
        6⤵
        Program crash
        
        PID:1636
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4404 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2224
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3580 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1084 -ip 1084
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2076 -ip 2076
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a78885dc856faeb57c7549a4b25d6a6a

SHA1
62cd1234f65a694281b47fb54f6aeb300d023093

SHA256
d586a36a410c287a57fb08f3e0e137f7fa66a303aaa86396c72b81f6abad2c63

SHA512
f41c11f88c04a6f3c8fa528c199790ed701d4f5577820881d29d78f239d03171962942deaa8e53320d83784d77a013d243f84b8f4bcd47fb97e056a197f2093b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
604bdbe5ec3216ff81c5ea5eebee9409

SHA1
dd537556c48bc429d1a84a4cd913e8c6daed9786

SHA256
8afc4b5f97b4d0f26ea15b1bdfef550fee8268bc8d795e36575e2efe00040ad7

SHA512
73d35e3e3061fcc655806eea3b4a2db11bd58967916b0d028f4859e13d437b2714eb54526491e5d08939318ac69baefe8ae1c493653d11ae3f1059993985e8ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
900179d88ef3e7c4f57a4be543440336

SHA1
59ce44923d756432998b11f231f02bfd863cec01

SHA256
24ae649f33633f583c0c967e5c43c4d17ec19ca33278b23475a944b405190652

SHA512
98550aabfc63d881a358ccf49c98607e1ed9c1ac9f668f015cdc2e8f69f4b803119b4a2b2ac2dbf99f19b11cbfe77ce9961652684ca69e730ab1fd9b1aef516c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ce2077316eb587fe56619fa0196d29ff

SHA1
75477e8e5a818a19d0c58f5d1381a8c4d9ea1069

SHA256
607a09e46065af433ee603d60ec2e8ef608f44a76768970cda05cee683b99194

SHA512
fb083b86dbf01bbb9c3060287d77ec1bd86232d2c62bbe6caace7ebaa066d11cc90b32e787b2bf2a63cd588182b892f2eeb2c2e510a835a363332dcf7d435d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
15dbf4b681127df5b6477ef1a338e18f

SHA1
990dcf5027d3cc548f7e391dd8831b1e8be34718

SHA256
5940ef11ef8fb3cca1dc3039b8d848e0e40ebcfd63930554198320023fd19231

SHA512
07b5d059665bce8577cf33c0306d7adab69bab166da4af44c05f0adbb4f112562d0b6d9420f2af85afa9874cd777fe8689290b1215852e0abd4fa143f9dd95ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A7E7626-1DBC-11EF-9A94-7AB71B943571}.dat

Filesize
3KB

MD5
2d9f00e91895700fb93e18b9f701942e

SHA1
c75e701f2dd23759c5d38c94aec17f1e0a8d3e56

SHA256
899e1da5a944c5dfa58993cbfc90070124290b01a57ddbae833fb0c2fac205db

SHA512
98e64986163600041859659366ae70163247021c0bba432f959296f3b8332f69f155de00d4f657e9158aeafa857a43837daa1ca2b5385359e8fcf721e03ee345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A7E7626-1DBC-11EF-9A94-7AB71B943571}.dat

Filesize
5KB

MD5
00ce0bf1ccb0b0a1277a21395064f699

SHA1
ca68e9b13e33e0b74c15d3a65250c60b9191ffa5

SHA256
901fcefb37c9c90b3471deb62995a37bcf55e291e7be55fa33c4b6d654f27604

SHA512
7f3800847fba10f3c916d3e931cc71f394d00d98dd1bcd9a28261987a9f46fd3f90d895ed2ad8f79f977a434dcfb00299b71430a7c2a68d524f245506db6cd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A7E9D36-1DBC-11EF-9A94-7AB71B943571}.dat

Filesize
5KB

MD5
574c396ed98f564bea7a0f04aa910de2

SHA1
720d74f12f41f722a96c958dc459bc4511e97aef

SHA256
1530eab3c28e90f1df1d2c06a529f8ecf070c13d162738ee4927c0ab22f1afdd

SHA512
f47268a58b16fcfe3407c84ae7111cbf5f8e439962c80aad874d65a5a59f32be1eae78839935c90243d79e225967bc00930804a8c0660952157306f12e1df848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC023.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TF1TYUIH\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
memory/1056-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1056-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-63-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2428-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3932-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4196-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4224-62-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/4224-80-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4224-87-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4224-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-19-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/4580-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4580-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-2-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/4792-4-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4792-8-0x0000000077162000-0x0000000077163000-memory.dmp

Filesize
4KB

Download
memory/4792-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download