Malware Analysis Report

2024-10-19 13:22

Sample ID 240611-a2yrysxcjf
Target 2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.exe
SHA256 397a06a8dfebd9cecab74cf9563017042fbf04050a8f368b2b2ac644643d35c1
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

397a06a8dfebd9cecab74cf9563017042fbf04050a8f368b2b2ac644643d35c1

Threat Level: Known bad

The file 2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 00:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 00:43
Reported: 2024-06-11 00:45
Platform: win7-20240220-en
Max time kernel: 133s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (2 events)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 matches)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{932CA241-278B-11EF-9FEE-EA42E82B8F01} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424228457" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A (4 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 1668 (7 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1668 wrote to memory of 2784 (4 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 2784 wrote to memory of 2680 (4 events) | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2552 (4 events) | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp (3 connections)

Files

\Windows\SysWOW64\rundll32mgr.exe

MD5 5a4990694e4324c26ace7339664fc4b6
SHA1 e1d54ebd9223f127ee7a5cb00f1be151bb49548b
SHA256 99e40a3654d832bb4090fdb7f6eb62abece0109d88c87651835b74af4bcb197d
SHA512 7f41f0312325f0c09c7b444e237538e38f5e4578111e3f4277b266a1f107791a5ec1a670c6911befe8a3286ff521471cc67c2eac07f3d3dcd29b4081f07a3450

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 00:43
Reported: 2024-06-11 00:45
Platform: win10v2004-20240426-en
Max time kernel: 92s
Max time network: 144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 matches)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112088" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1768327500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112088" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1769889822" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1768327500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94F11255-278B-11EF-9A94-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112088" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424831567" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112088" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1769889822" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 5a4990694e4324c26ace7339664fc4b6
SHA1 e1d54ebd9223f127ee7a5cb00f1be151bb49548b
SHA256 99e40a3654d832bb4090fdb7f6eb62abece0109d88c87651835b74af4bcb197d
SHA512 7f41f0312325f0c09c7b444e237538e38f5e4578111e3f4277b266a1f107791a5ec1a670c6911befe8a3286ff521471cc67c2eac07f3d3dcd29b4081f07a3450