Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 01:43

General

  • Target

    71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll

  • Size

    157KB

  • MD5

    71ec4ee6489f11b90aff02b4f8ff5640

  • SHA1

    c5d2cdc654c542233726d96371ee818be20da7d8

  • SHA256

    27e6e398dbcc7b229af5d505fbca7ce3e2c14386dd7128ff11dda99b53f66cf9

  • SHA512

    aade0187e380f12f21462b20f90d3e96f15dc6bd8de1392d422ef4542f0a61ffecd738d77a86f47d8c772129614724220cb704ad9cbfd152f3d603f765456f5d

  • SSDEEP

    3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1r:IMqWfdNANO6yEYZ7DVQgsQLPzo1r

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:1840
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2332
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Modifies WinLogon for persistence
              • Drops file in System32 directory
              • Drops file in Program Files directory
              PID:2536
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      132KB

      MD5

      f5ddccb93fad9297315ecf4e8c417d75

      SHA1

      176684aaf0f091d7ea485506959a7051182acb79

      SHA256

      65583ac321c8444b23d7cc1d416ad218ca154822b9e0ad956d0cf4e53d088fec

      SHA512

      ebed8df43eddd56a8b3b3f3128745c4c6359c44342774b184ff35c3ea25b1b07a391cf5d414614aad9ebcbfc08387f6ff92977fb959a1592d7a6d0ebb4e9ccc6

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      128KB

      MD5

      ecd5e84257c8748ccaf49a6709960d29

      SHA1

      48e7d3d7ed67edffd837c247e830006d1afde4d2

      SHA256

      62280d339b9345bc8c5eb9c7ebc64f8da8ca50b2891ab8e24688fa7b238ecff4

      SHA512

      bb34f0cc5d37000c0cbae7d3514376609405770cdd3b2f3316ba34e9746d217039d278e223a799a3d2efdb325366c152634a2838d832faec7f94eae3caa8d767

    • C:\Windows\SysWOW64\rundll32mgrmgr.exe

      Filesize

      59KB

      MD5

      f2c8b7e238a07cce22920efb1c8645a6

      SHA1

      cd2af4b30add747e222f938206b78d7730fdf346

      SHA256

      6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

      SHA512

      c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

    • \Windows\SysWOW64\rundll32mgr.exe

      Filesize

      122KB

      MD5

      c5255edf109342e3e1d1eb0990b2d094

      SHA1

      ba029b47b9b3a5ccccae3038d90382ec68a1dd44

      SHA256

      ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

      SHA512

      6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

    • memory/2176-23-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2176-25-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2176-32-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

    • memory/2176-24-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2176-40-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2176-47-0x0000000000050000-0x0000000000073000-memory.dmp

      Filesize

      140KB

    • memory/2176-22-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2176-26-0x0000000000130000-0x0000000000153000-memory.dmp

      Filesize

      140KB

    • memory/2536-100-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/2536-70-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/2536-96-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/2536-72-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/2536-81-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/2648-39-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2648-34-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2648-33-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2648-31-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2680-76-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2680-68-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2680-56-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2680-153-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2920-151-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2920-61-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2920-69-0x0000000020010000-0x0000000020022000-memory.dmp

      Filesize

      72KB

    • memory/2920-62-0x00000000771AF000-0x00000000771B0000-memory.dmp

      Filesize

      4KB

    • memory/2920-59-0x00000000001A0000-0x00000000001A1000-memory.dmp

      Filesize

      4KB

    • memory/3036-13-0x00000000771B0000-0x00000000771B1000-memory.dmp

      Filesize

      4KB

    • memory/3036-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/3036-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

    • memory/3036-12-0x00000000001C0000-0x00000000001F3000-memory.dmp

      Filesize

      204KB

    • memory/3036-3-0x00000000001C0000-0x00000000001F3000-memory.dmp

      Filesize

      204KB

    • memory/3036-1-0x0000000010000000-0x000000001002B000-memory.dmp

      Filesize

      172KB