Analysis
max time kernel: 92s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2024, 08:24
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
Resource: win7-20240221-en
General
Target: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
Size: 16.6MB
MD5: 2a67d028ee55d09ae170ca5f80bfad88
SHA1: c750c775c8cec95a8a8d77bef756d62ab27362a9
SHA256: 9a73ad14474c570c55a3af168363019001fdcff4c405b67234fcb50ccc7be53c
SHA512: 9b6dbb7d78475469009b6ed41c1fa622c234fcbcaa309aeb0bbdc6748f6c8895439270047029d9a24efdc769ceff8ef475c36634172a806e6f0a87caff6db0e7
SSDEEP: 196608:N5NU7cedoQaSWgmoVZPm6BqCOte0jlob/dXsauo4zyhPSBkhj04OUSwuBjDwgg5I:22SblqCXsauo4DBkluBjCUoQH
Malware Config
Signatures
UPX dump on OEP (original entry point) 2 IoCs
  resource: behavioral2/memory/3660-15-0x0000000000400000-0x0000000000432000-memory.dmp  yara_rule: UPX
  resource: behavioral2/memory/3660-16-0x0000000002070000-0x00000000020A2000-memory.dmp  yara_rule: UPX
Executes dropped EXE 1 IoCs
  pid: 3660  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
Loads dropped DLL 1 IoCs
  pid: 3660  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
  resource: behavioral2/memory/3660-15-0x0000000000400000-0x0000000000432000-memory.dmp  yara_rule: upx
Enumerates physical storage devices 1 TTPs
  description: Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
  pid: 3592  pid_target: 3660  Process: WerFault.exe  procid_target: 85
Modifies registry class 30 IoCs
  Process for all 30 entries: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
  Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\.roz
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\AppUserModelID = "aSc.TimeTables.AppID"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"
  Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell
  Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,2"
  Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\ = "aScTimeTables Document"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE \"%1\""
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /dde"
  Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roz.exe \"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec\ = "[open(\"%1\")]"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec\ = "[print(\"%1\")]"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open
  Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file
  Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\.roz\ = "roz_auto_file"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow"
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid: 1512  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
Suspicious use of FindShellTrayWindow 6 IoCs
  pid: 1512  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe  (6 identical entries)
Suspicious use of SendNotifyMessage 6 IoCs
  pid: 1512  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe  (6 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
  pid: 1512  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe  (3 identical entries)
Suspicious use of WriteProcessMemory 3 IoCs
  description: PID 1512 wrote to memory of 3660  pid: 1512  Process: 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe  procid_target: 85  (3 identical entries)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe"
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1512
  (depth 2) C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3660
    (depth 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 536
      - Program crash
      PID: 3592
(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3660 -ip 3660
  PID: 2468
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 157KB
MD5: 2ad7467eeceedd64b8bd4f6e04c3cd49
SHA1: d6c5d9878dc49ae9b531d61283609e207154a921
SHA256: 2aab17b2f18dfb70cd737b27b1a438ad8878889070a6e025b3684483054f60c9
SHA512: 7a647d4a8de90d11cd5afb82ace8354869af0893f28afcf9491d1d4de421315d9a394a5d3462d88c0eff6c5a7a4ed41897d8d0498b59b4b7428ddbb61786be2a

Filesize: 285B
MD5: 5373cc038901ac065eb8ddcd0718942d
SHA1: c433db25363805f1cae4c11716d4d5c7673f72ea
SHA256: 75597c855e4374ed6a52d90f9ea1859dba04296af352997a4e517819d7ba2cee
SHA512: 6afe1bad196d27c646b469d8f79b96f7a75a2744cabe39fab1263432064bbca326fe9caf4b1ee27975a3a8e0d69ee9d2efcaf836953256fd3ff5ff7036ed5d87

Filesize: 157B
MD5: fbef79d0ae73c9fbf9d0b0e6e3a8711d
SHA1: 129e9ee03a0754453d995113bc3528d666e463e4
SHA256: 1ee6962594b3743b5f56129c27c08754d75759332ef30b4af968a6403f15b71b
SHA512: c90cc0b6fb6f0ed1621a63ea7656c4a97378dbabf7e4d75dc2c7f5cdedee7c0d41618fb4e2e2606f9c51d884ab9b7e061bbd09ac75a8975f14ea491d89e6490c

Filesize: 1.6MB
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219