Overview

overview

10

Static

static

3

797cd2ef5b...cs.dll

windows7-x64

10

797cd2ef5b...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll

  • Size

    157KB

  • MD5

    797cd2ef5bc6b5b41f8508e8d3051120

  • SHA1

    09936774ed803a7b72b86baa4144d27d58dc9d4f

  • SHA256

    ba0b188e2d49247864e1c709aa9b1467f57a2c73b484418217c1ad678f8645bc

  • SHA512

    971c16668ecaec4f127d61ed3af210237c23c536a650789fe8ee0c6537e872899e39111618337073877eedbc0179b02fc3d0176eb970355d23e1c40959decef8

  • SSDEEP

    3072:IMr6N9WfdNAbzEJ069VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm18:IMqWfdNAPE+6yEYZ7DVQgsQLPzo18

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 5 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of UnmapMainImage
          PID:2108
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
            "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4528
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1496
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                  PID:4276
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 208
                    8⤵
                    • Program crash
                    PID:4144
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  PID:3480
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  PID:2624
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:5080
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 204
                  6⤵
                  • Program crash
                  PID:5060
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4360
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:2
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3012
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                5⤵
                • Modifies Internet Explorer settings
                PID:60
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 812
            3⤵
            • Program crash
            PID:4976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
        1⤵
          PID:1804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4276 -ip 4276
          1⤵
            PID:1184
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
            1⤵
              PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2184 -ip 2184
              1⤵
                PID:1152

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                471B

                MD5

                3d6908c3ea7ced33d2696a9ef09f8961

                SHA1

                a7d4321bbf04cb7335522cfee2cd36edc2d19c80

                SHA256

                fc0c60c571c30a39ce618b280cdede4a1837d2be33dfe2a4a3413c92a731b6e5

                SHA512

                071c3fa58a08000ad898384fef6e5fcdcd080ed52b084ec80d19e45f9fb5119557a1dfb42ebba2b22d1c971baa5a852c756c7526010b6b487f3239c8f0df4af1

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                404B

                MD5

                278b8b499733e824fa562dce5b3f2d31

                SHA1

                33214ee31a177e2e3a276de4f32cb7496c831d46

                SHA256

                790a987651fa54d1bd6f43854e41acb20ea4f9f27521efdf1334a2594887030d

                SHA512

                61495d742a302ef568f00af7fa4f95960c2da7eeddba4016eb3e5b980cab71f5d671c12d5651595af6da81e1c06b67ee81fc0426976fc83035772d5fea5dab20

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US
                Filesize

                17KB

                MD5

                5a34cb996293fde2cb7a4ac89587393a

                SHA1

                3c96c993500690d1a77873cd62bc639b3a10653f

                SHA256

                c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                SHA512

                e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                Download Submit

              • C:\Windows\SysWOW64\rundll32mgr.exe
                Filesize

                122KB

                MD5

                c5255edf109342e3e1d1eb0990b2d094

                SHA1

                ba029b47b9b3a5ccccae3038d90382ec68a1dd44

                SHA256

                ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

                SHA512

                6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

                Download Submit

              • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                Filesize

                59KB

                MD5

                f2c8b7e238a07cce22920efb1c8645a6

                SHA1

                cd2af4b30add747e222f938206b78d7730fdf346

                SHA256

                6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

                SHA512

                c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

                Download Submit

              • memory/1496-66-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/1496-68-0x0000000000060000-0x0000000000061000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1496-69-0x0000000020010000-0x0000000020022000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2108-28-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/2108-12-0x0000000000400000-0x0000000000423000-memory.dmp

                Filesize

                140KB

                Download

              • memory/2184-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2184-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2184-2-0x0000000010000000-0x000000001002B000-memory.dmp

                Filesize

                172KB

                Download

              • memory/2184-8-0x00000000774F2000-0x00000000774F3000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4488-55-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/4488-70-0x0000000000070000-0x0000000000071000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4488-72-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/4488-36-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/4488-46-0x00000000001E0000-0x00000000001E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4488-57-0x00000000774F2000-0x00000000774F3000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4528-56-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5080-65-0x0000000000C70000-0x0000000000C71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5080-64-0x0000000000C90000-0x0000000000C91000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5096-15-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-18-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-19-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-24-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-13-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-14-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-25-0x00000000008B0000-0x00000000008B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5096-16-0x0000000000400000-0x0000000000421000-memory.dmp

                Filesize

                132KB

                Download

              • memory/5096-7-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download