ramnit | 27e6e398dbcc7b229af5d505fbca7ce3e2c14386dd7128ff11dda99b53f66cf9

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll
Size

157KB
MD5

71ec4ee6489f11b90aff02b4f8ff5640
SHA1

c5d2cdc654c542233726d96371ee818be20da7d8
SHA256

27e6e398dbcc7b229af5d505fbca7ce3e2c14386dd7128ff11dda99b53f66cf9
SHA512

aade0187e380f12f21462b20f90d3e96f15dc6bd8de1392d422ef4542f0a61ffecd738d77a86f47d8c772129614724220cb704ad9cbfd152f3d603f765456f5d
SSDEEP

3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1r:IMqWfdNANO6yEYZ7DVQgsQLPzo1r

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

1156 rundll32mgr.exe
636 rundll32mgrmgr.exe
1552 WaterMark.exe
4496 WaterMark.exe
1656 WaterMarkmgr.exe
2956 WaterMark.exe

pid	process
1156	rundll32mgr.exe
636	rundll32mgrmgr.exe
1552	WaterMark.exe
4496	WaterMark.exe
1656	WaterMarkmgr.exe
2956	WaterMark.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1156-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1656-69-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2956-74-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1552-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1656-57-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1552-48-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4496-47-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1156-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/636-24-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/636-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1156-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1156-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1156-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1156-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1156-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4496-85-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

rundll32.exerundll32mgr.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

Drops file in Program Files directory 10 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px46AE.tmp	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px468E.tmp	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px472B.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3716 4236 WerFault.exe svchost.exe
1292 2448 WerFault.exe svchost.exe
5036 1380 WerFault.exe svchost.exe

pid	pid_target	process	target process
3716	4236	WerFault.exe	svchost.exe
1292	2448	WerFault.exe	svchost.exe
5036	1380	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{389D0F62-1EEF-11EF-BCA5-E659512317F8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{389F71D9-1EEF-11EF-BCA5-E659512317F8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109884"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423884801"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "221964268"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "219151567"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109884"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "221964268"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "219151567"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "221964268"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{389F4AC9-1EEF-11EF-BCA5-E659512317F8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109884"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "222432985"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

WaterMark.exeWaterMark.exeWaterMark.exe

pid	process
1552	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
4496	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
1552	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe
2956	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeWaterMark.exeWaterMark.exeWaterMark.exe

description	pid	process
Token: SeDebugPrivilege	3708	rundll32.exe
Token: SeDebugPrivilege	1552	WaterMark.exe
Token: SeDebugPrivilege	4496	WaterMark.exe
Token: SeDebugPrivilege	2956	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

3308 iexplore.exe
4932 iexplore.exe
4068 iexplore.exe
1516 iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
3308	iexplore.exe
3308	iexplore.exe
1516	iexplore.exe
1516	iexplore.exe
4932	iexplore.exe
4932	iexplore.exe
4068	iexplore.exe
4068	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
4668	IEXPLORE.EXE
4668	IEXPLORE.EXE
904	IEXPLORE.EXE
904	IEXPLORE.EXE
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
4668	IEXPLORE.EXE
4668	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exe

pid process

1156 rundll32mgr.exe
636 rundll32mgrmgr.exe
1552 WaterMark.exe
4496 WaterMark.exe
1656 WaterMarkmgr.exe
2956 WaterMark.exe

pid	process
1156	rundll32mgr.exe
636	rundll32mgrmgr.exe
1552	WaterMark.exe
4496	WaterMark.exe
1656	WaterMarkmgr.exe
2956	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMarkmgr.exeWaterMark.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 3708	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 3708	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 3708	1976	rundll32.exe	rundll32.exe
PID 3708 wrote to memory of 1156	3708	rundll32.exe	rundll32mgr.exe
PID 3708 wrote to memory of 1156	3708	rundll32.exe	rundll32mgr.exe
PID 3708 wrote to memory of 1156	3708	rundll32.exe	rundll32mgr.exe
PID 1156 wrote to memory of 636	1156	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1156 wrote to memory of 636	1156	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1156 wrote to memory of 636	1156	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1156 wrote to memory of 1552	1156	rundll32mgr.exe	WaterMark.exe
PID 1156 wrote to memory of 1552	1156	rundll32mgr.exe	WaterMark.exe
PID 1156 wrote to memory of 1552	1156	rundll32mgr.exe	WaterMark.exe
PID 636 wrote to memory of 4496	636	rundll32mgrmgr.exe	WaterMark.exe
PID 636 wrote to memory of 4496	636	rundll32mgrmgr.exe	WaterMark.exe
PID 636 wrote to memory of 4496	636	rundll32mgrmgr.exe	WaterMark.exe
PID 1552 wrote to memory of 1656	1552	WaterMark.exe	WaterMarkmgr.exe
PID 1552 wrote to memory of 1656	1552	WaterMark.exe	WaterMarkmgr.exe
PID 1552 wrote to memory of 1656	1552	WaterMark.exe	WaterMarkmgr.exe
PID 1656 wrote to memory of 2956	1656	WaterMarkmgr.exe	WaterMark.exe
PID 1656 wrote to memory of 2956	1656	WaterMarkmgr.exe	WaterMark.exe
PID 1656 wrote to memory of 2956	1656	WaterMarkmgr.exe	WaterMark.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 1380	1552	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 4496 wrote to memory of 4236	4496	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 2956 wrote to memory of 2448	2956	WaterMark.exe	svchost.exe
PID 1552 wrote to memory of 4932	1552	WaterMark.exe	iexplore.exe
PID 1552 wrote to memory of 4932	1552	WaterMark.exe	iexplore.exe
PID 4496 wrote to memory of 1516	4496	WaterMark.exe	iexplore.exe
PID 4496 wrote to memory of 1516	4496	WaterMark.exe	iexplore.exe
PID 4496 wrote to memory of 3308	4496	WaterMark.exe	iexplore.exe
PID 4496 wrote to memory of 3308	4496	WaterMark.exe	iexplore.exe
PID 1552 wrote to memory of 4068	1552	WaterMark.exe	iexplore.exe
PID 1552 wrote to memory of 4068	1552	WaterMark.exe	iexplore.exe
PID 2956 wrote to memory of 2536	2956	WaterMark.exe	iexplore.exe
PID 2956 wrote to memory of 2536	2956	WaterMark.exe	iexplore.exe
PID 2956 wrote to memory of 1556	2956	WaterMark.exe	iexplore.exe
PID 2956 wrote to memory of 1556	2956	WaterMark.exe	iexplore.exe
PID 3308 wrote to memory of 1736	3308	iexplore.exe	IEXPLORE.EXE
PID 3308 wrote to memory of 1736	3308	iexplore.exe	IEXPLORE.EXE
PID 3308 wrote to memory of 1736	3308	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 1856	1516	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 204
        7⤵
        Program crash
        
        PID:3716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3308 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1736
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 204
        8⤵
        Program crash
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:1556
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:1380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 204
        6⤵
        Program crash
        
        PID:5036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4932
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4068
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4068 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1380 -ip 1380
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4236 -ip 4236
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3d6908c3ea7ced33d2696a9ef09f8961

SHA1
a7d4321bbf04cb7335522cfee2cd36edc2d19c80

SHA256
fc0c60c571c30a39ce618b280cdede4a1837d2be33dfe2a4a3413c92a731b6e5

SHA512
071c3fa58a08000ad898384fef6e5fcdcd080ed52b084ec80d19e45f9fb5119557a1dfb42ebba2b22d1c971baa5a852c756c7526010b6b487f3239c8f0df4af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8ec002ec03a9f822223bbbbac3d98797

SHA1
fa3108bf80bb5447b8ee23b1ad6685758e2f180f

SHA256
eed59e9b01f9181130cc6ab415b643f0ff100d3f3dff32d702b1b37a6d94ee6a

SHA512
6b21f386571969327ed02f759579234f91f2e53f867b91d757e81917ff8abc17df18e52875827fb36799039ed1e3a0cb057062d12f090754cb003c045554c15c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e7c66591af5fabfab2f2b6759361106f

SHA1
b878cb7a1c0b1936bdcb0ccaf835ebee29b4bf73

SHA256
5f795e0c52dfdb5b817f973d79ffd4942557f876122c3c453108db4ad26bf360

SHA512
4e5c7304b3c5387645c6c72d639c7e05079027c5e752fbe0fb44f594ef3cba77f5246c96f4cefd181fa8856621ac1a2d772c3d514c125fe5e797e65cfa03bbdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
b20d1f2b75799ec95360ba6909c9872c

SHA1
5ee47f416df13d03adb8cd5637fc948517c20f89

SHA256
9e6f8dfdba0cd7b3afb4de959b053f57d3e8a2c51c35bc098da6312c43e2bbb5

SHA512
3a95564afc43fd9c053489d42fd0bb8dcdde4ff3cf056d944d188fdb78905c82a80fd20833a0c99991969b7999e3e1b761f79f2f581136fc824b10a6e7a9c5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{389D0F62-1EEF-11EF-BCA5-E659512317F8}.dat

Filesize
4KB

MD5
b8ebf286f1b286068d9c3ecc295f125a

SHA1
3bc557bdb678a36d8e2bd3adef01568d5f3c589a

SHA256
e63510d0902c8de0b5799b179921671b91103b6da522fe13f01effdf52735c60

SHA512
d78c6dd6141f581545cc10e23d16930226dc65ff662eabf6750412ae39c5d931622bfa086241a3077f227ac0379821010277432449e4a3bdbecbe0b41910ec65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{389D0F62-1EEF-11EF-BCA5-E659512317F8}.dat

Filesize
3KB

MD5
a12016fb5f4f0bed9b7209c35d4f5f7d

SHA1
a018297de90f52496440f68149738482f7f9c4c2

SHA256
68d27edbde7102aa3c55b5cc4bc0f8558310731da37c4f40ab6f696cf1022edb

SHA512
3298d6d9061e6de199ecf2d717e484c0ef03185f037f9f39bddc0862c9975a89df6b96e0b5ea0a7a1fe039b3c071216acf08022fe5b8a3fe47d3f9d005121a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{389F4AC9-1EEF-11EF-BCA5-E659512317F8}.dat

Filesize
5KB

MD5
56b904fa6f027379b0a3f1926027041f

SHA1
de25cf37e5327603b0fd52a90a9d2744166c518d

SHA256
689eab572a31a5cfde4ded3e7e4e5062b98f6b340130a5c16dff5534f4957a0e

SHA512
74b1d41cdd0d841a43a3b5d10c8c4a466b8e97b066bb84fe5c09cd99010818cac0243491e56a28a43b63f4c19862d52e6ad3fd4c79d27bada8e34ec24450bedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{389F71D9-1EEF-11EF-BCA5-E659512317F8}.dat

Filesize
5KB

MD5
f2ad02fe19cffda2a13bce8d0f51147e

SHA1
7b1c36efa26e4ca9882c90650a93047b30803113

SHA256
f6606ee61f1757c567fcefe0228e12415fa7ff07c58ac9e5bb7550d33a38d1c4

SHA512
fdb7f4f8054aba62d3f16032c8a47694b47f15d59eba8ee63a4c82476c265d776e33c279ddb4c28cc73dd31025ccff86cb0da8b1d9812da773b2f722159504e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
memory/636-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/636-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-26-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1156-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1156-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1552-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-79-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1552-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1552-62-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1656-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1656-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2956-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-3-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3708-5-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3708-8-0x0000000076FA2000-0x0000000076FA3000-memory.dmp

Filesize
4KB

Download
memory/3708-4-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/4496-85-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4496-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download