Analysis

  • max time kernel
    132s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-05-2024 04:22

General

  • Target

    76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll

  • Size

    101KB

  • MD5

    76e8232052319e0e71c7a5eb1a3131d0

  • SHA1

    75ff32747108e372029514b3ab47750c10a431e2

  • SHA256

    fd1163d790ca745dd7c735282097581a7d76514f4c97925ad99dec624f1076f1

  • SHA512

    6d4f8447b2295584cbf068218414e5c2ffa91e3edbd63ac99a5baa2cb00dd3f70e4a4486d9bf365a196d9ba2abd94788248c0ccee2bc6fc53558f4221c1aa2ae

  • SSDEEP

    3072:2Mr6N9WfdNAbxBMx49a+Yii3FnkvY11o4:2MqWfdNAN19a+YB7X/

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived, versatile family: it began as a file infector and worm (infecting EXE, DLL and HTML files and spreading over removable media) and later gained banking-Trojan capabilities such as browser injection and credential theft.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
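The "UPX packed file" signature above is a static check on the PE section table. As an added example, not part of this report and not the sandbox's own signature code, the following Python parses the section headers by hand, looks for the stock UPX section names, and falls back to a layout-plus-entropy heuristic for modified builds that rename them. build_min_pe only constructs synthetic header-only fixtures for the demo (they are not loadable binaries), and the entropy threshold is an assumption.

```python
import math
import struct

# Section names written by stock UPX; modified builds often rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
ENTROPY_THRESHOLD = 7.0  # assumption: compressed payloads sit near 8 bits/byte


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size, raw_offset)] from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, roff = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0"), vsize, rsize, roff))
    return sections


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(pe: bytes) -> dict:
    """Name match is the cheap check; layout + entropy catches renamed builds."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    by_name = any(n in UPX_SECTION_NAMES for n in names)
    # Stock UPX layout: section 0 is virtual-only scratch space for the
    # unpacked image (no raw data), section 1 holds the compressed payload.
    by_layout = (len(sections) >= 2 and sections[0][2] == 0
                 and sections[0][1] > 0 and sections[1][2] > 0)
    entropy = 0.0
    if len(sections) >= 2:
        _, _, rsize, roff = sections[1]
        entropy = shannon_entropy(pe[roff:roff + rsize])
    return {
        "section_names": [n.decode("latin-1") for n in names],
        "upx_names": by_name,
        "upx_layout": by_layout,
        "payload_entropy": round(entropy, 2),
        "likely_upx": by_name or (by_layout and entropy > ENTROPY_THRESHOLD),
    }


def build_min_pe(sections) -> bytes:
    """Constructed fixture: a header-only PE with the given sections.
    sections = [(name, virtual_size, raw_bytes)]. Not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF  # file alignment 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blobs, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), raw_base + len(blobs) if raw else 0,
                             0, 0, 0, 0, 0x60000020)
        blobs += raw
        va += max(vsize, len(raw), 0x1000)
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_base - len(image)) + blobs


# Constructed samples: a uniform byte distribution stands in for a compressed payload.
HIGH_ENTROPY = bytes(range(256)) * 16
PACKED = build_min_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, HIGH_ENTROPY),
                       (b".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED = build_min_pe([(b".text", 0x20000, b""), (b".data", 0x8000, HIGH_ENTROPY)])
CLEAN = build_min_pe([(b".text", 0x1000, b"\xc3" * 0x200), (b".data", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_indicators(sample))
```

Run against a real sample, `upx_indicators(open(path, "rb").read())` gives the name match, the layout verdict and the payload entropy separately, so a renamed-section build still shows up through the last two even when the first is silent.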

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3212
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3164
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 204
                6⤵
                • Program crash
                PID:1204
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1076
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3768
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3164 -ip 3164
      1⤵
        PID:3776
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
        1⤵
          PID:4632
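Read as a chain, the process tree is the useful part of this report: the 32-bit rundll32.exe hosting the DLL launches a dropped rundll32mgr.exe, which launches WaterMark.exe, which starts an svchost.exe whose image path (SysWOW64) does not match the path on its command line (system32) and then crashes under WerFault, and which also launches Internet Explorer, the browser Ramnit injects into. As an added example, not part of the report, here is Python that runs the rules a detection engineer would derive from that chain over constructed process-creation records mirroring the tree; the rule names, the parent allow-lists and the records themselves are assumptions, not exported sandbox data.

```python
import ntpath

# Constructed process-creation records mirroring the tree in this report
# (pid, ppid, image, command line). Not exported sandbox data.
PROCS = [
    dict(pid=4388, ppid=1000, image=r"C:\Windows\system32\rundll32.exe",
         cmdline=r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1"),
    dict(pid=1872, ppid=4388, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1"),
    dict(pid=1284, ppid=1872, image=r"C:\Windows\SysWOW64\rundll32mgr.exe",
         cmdline=r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    dict(pid=3212, ppid=1284, image=r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
         cmdline=r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    dict(pid=3164, ppid=3212, image=r"C:\Windows\SysWOW64\svchost.exe",
         cmdline=r"C:\Windows\system32\svchost.exe"),
    dict(pid=1076, ppid=3212, image=r"C:\Program Files\Internet Explorer\iexplore.exe",
         cmdline=r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    dict(pid=3768, ppid=1076, image=r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         cmdline=r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:17410 /prefetch:2'),
    dict(pid=1204, ppid=3164, image=r"C:\Windows\SysWOW64\WerFault.exe",
         cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 204"),
]

# Assumed allow-lists; tune to the environment.
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
BROWSER_PARENTS = BROWSERS | {"explorer.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """Executable path as written on the command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def analyze(procs):
    """Return [(pid, rule_name)] for every record that trips a rule."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        child = basename(p["image"])
        parent_rec = by_pid.get(p["ppid"])
        parent = basename(parent_rec["image"]) if parent_rec else None

        # 1. rundll32 hosts DLL exports; it should not launch a fresh EXE.
        if parent == "rundll32.exe" and child != "rundll32.exe":
            findings.append((p["pid"], "rundll32_spawns_exe"))

        # 2. Legitimate svchost instances are started by services.exe.
        if child == "svchost.exe" and parent is not None and parent != "services.exe":
            findings.append((p["pid"], "svchost_unexpected_parent"))

        # 3. Image path disagrees with the path on the command line: a common
        #    trace of process hollowing (CreateProcess on one path, payload
        #    written over it via WriteProcessMemory).
        claimed = first_token(p["cmdline"])
        if ntpath.isabs(claimed) and ntpath.normcase(claimed) != ntpath.normcase(p["image"]):
            findings.append((p["pid"], "image_cmdline_mismatch"))

        # 4. A browser launched by something other than the shell or a browser.
        if child in BROWSERS and parent is not None and parent not in BROWSER_PARENTS:
            findings.append((p["pid"], "browser_unexpected_parent"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(PROCS):
        print(f"{pid}: {rule}")
```

The WerFault line for PID 3164 is a side effect worth keeping in mind rather than a rule: a hollowed svchost that crashes leaves a `-p <pid>` argument pointing at the injected process, which is a cheap pivot when the process-creation event itself has already aged out of the log.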

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{593CA98A-1F05-11EF-B8C0-4A7C5F4B2F01}.dat

          Filesize

          5KB

          MD5

          6f19f61a07e74ead542115a265b87b54

          SHA1

          b431b640f74844b56df4ffd10ba9b45f57fca9bc

          SHA256

          f4a3feeee6ccf77a6aaac4e8cd543a655ed6e4dec08fbf258d14a202eac04f77

          SHA512

          4674982bb37401ade5258d1aedf33e4ce964af6d2704eb33b4d7498a77cbce56b3d20465e27c9b3ee3f0d222f0b4feac4e318b1aadc9041641cafd2042e4a7d8

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{593F0C37-1F05-11EF-B8C0-4A7C5F4B2F01}.dat

          Filesize

          5KB

          MD5

          40a42d071c3f43540d1fd6bd5dfc47aa

          SHA1

          9e189979a10cdd29bccc8d8f9e4fe0d0a2c03e23

          SHA256

          d4bb1242367e6fb87fb4820e6d70b1f790805743d249cabdaf1d78b8aa725d0f

          SHA512

          0f6b6c3b46f3da8b818c8073cfef865349f2111f2d64e5f3ccfbefc2e791a0b838dce581c94a941ad5a792890faad1237199f1e64ef8171f6d8730884531addb

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6B96.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          65KB

          MD5

          849ef19ec0155d79d4fa5bfb5657b106

          SHA1

          eb7e7ff208ecb40d35755d8f36e31e2482166299

          SHA256

          8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

          SHA512

          30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

        • memory/1284-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1872-6-0x0000000004580000-0x0000000004581000-memory.dmp

          Filesize

          4KB

        • memory/1872-7-0x0000000077182000-0x0000000077183000-memory.dmp

          Filesize

          4KB

        • memory/1872-5-0x0000000004470000-0x0000000004471000-memory.dmp

          Filesize

          4KB

        • memory/1872-2-0x0000000010000000-0x000000001001C000-memory.dmp

          Filesize

          112KB

        • memory/3164-18-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

          Filesize

          4KB

        • memory/3164-19-0x0000000000B90000-0x0000000000B91000-memory.dmp

          Filesize

          4KB

        • memory/3212-20-0x0000000002180000-0x0000000002181000-memory.dmp

          Filesize

          4KB

        • memory/3212-21-0x0000000077182000-0x0000000077183000-memory.dmp

          Filesize

          4KB

        • memory/3212-22-0x0000000077182000-0x0000000077183000-memory.dmp

          Filesize

          4KB

        • memory/3212-15-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/3212-25-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/3212-26-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/3212-17-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/3212-14-0x0000000002070000-0x0000000002071000-memory.dmp

          Filesize

          4KB