Analysis Overview
SHA256
9a73ad14474c570c55a3af168363019001fdcff4c405b67234fcb50ccc7be53c
Threat Level: Known bad
The file 2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 08:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 08:24
Reported
2024-03-29 08:27
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Ramnit
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\AppUserModelID = "aSc.TimeTables.AppID" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\roz_auto_file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roz.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\ = "aScTimeTables Document" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.roz | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\roz_auto_file\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\roz_auto_file\shell | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,2" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.roz\ = "roz_auto_file" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\roz_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\roz_auto_file | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2332 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
| PID 2332 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
| PID 2332 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
| PID 2332 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe"
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 180
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.asctt.com | udp |
| DE | 136.243.172.216:80 | www.asctt.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 2ad7467eeceedd64b8bd4f6e04c3cd49 |
| SHA1 | d6c5d9878dc49ae9b531d61283609e207154a921 |
| SHA256 | 2aab17b2f18dfb70cd737b27b1a438ad8878889070a6e025b3684483054f60c9 |
| SHA512 | 7a647d4a8de90d11cd5afb82ace8354869af0893f28afcf9491d1d4de421315d9a394a5d3462d88c0eff6c5a7a4ed41897d8d0498b59b4b7428ddbb61786be2a |
C:\Users\Admin\AppData\Local\Temp\tterror.log
| Algorithm | Digest |
| --- | --- |
| MD5 | 46ab49e8a2f4ebd2ee9e5ff4e647f992 |
| SHA1 | e7460a7511a6a9b63821450f20a841a2cc7bff09 |
| SHA256 | 7d0dc4ba29916c569392b7334ada2b71ea1736dd4262f476c5efff1433ef58a1 |
| SHA512 | bbc7507f239c6e47455015425ad78685b0b272a8eb8d02c8f4456fcf0af81e5c57f58dbf9b70e0f94993a11a01de7962b6ce3838280bd494d6ca5afac0ada342 |
\Users\Admin\AppData\Local\Temp\~TM5DD9.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
memory/2332-19-0x0000000000400000-0x00000000014DB000-memory.dmp
memory/2332-20-0x0000000000250000-0x0000000000282000-memory.dmp
memory/2192-21-0x0000000000400000-0x0000000000432000-memory.dmp
\Users\Admin\AppData\Local\Temp\~TM5DF9.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 9b98d47916ead4f69ef51b56b0c2323c |
| SHA1 | 290a80b4ded0efc0fd00816f373fcea81a521330 |
| SHA256 | 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b |
| SHA512 | 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94 |
memory/2192-24-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2192-27-0x0000000077190000-0x00000000772A0000-memory.dmp
memory/2192-26-0x0000000000220000-0x0000000000252000-memory.dmp
memory/2332-40-0x0000000005680000-0x000000000675B000-memory.dmp
memory/2332-41-0x0000000005680000-0x000000000675B000-memory.dmp
memory/2192-42-0x0000000000220000-0x0000000000252000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 08:24
Reported
2024-03-29 08:27
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
138s
Command Line
Signatures
Ramnit
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\.roz | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\AppUserModelID = "aSc.TimeTables.AppID" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE,2" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\ = "aScTimeTables Document" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roz.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\roz_auto_file | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\.roz\ = "roz_auto_file" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Roz.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1512 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
| PID 1512 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
| PID 1512 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnit.exe"
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3660 -ip 3660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 536
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.asctt.com | udp |
| DE | 136.243.172.216:80 | www.asctt.com | tcp |
| US | 8.8.8.8:53 | 216.172.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\2024-03-29_2a67d028ee55d09ae170ca5f80bfad88_mafia_ramnitmgr.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 2ad7467eeceedd64b8bd4f6e04c3cd49 |
| SHA1 | d6c5d9878dc49ae9b531d61283609e207154a921 |
| SHA256 | 2aab17b2f18dfb70cd737b27b1a438ad8878889070a6e025b3684483054f60c9 |
| SHA512 | 7a647d4a8de90d11cd5afb82ace8354869af0893f28afcf9491d1d4de421315d9a394a5d3462d88c0eff6c5a7a4ed41897d8d0498b59b4b7428ddbb61786be2a |
C:\Users\Admin\AppData\Local\Temp\tterror.log
| Algorithm | Digest |
| --- | --- |
| MD5 | fbef79d0ae73c9fbf9d0b0e6e3a8711d |
| SHA1 | 129e9ee03a0754453d995113bc3528d666e463e4 |
| SHA256 | 1ee6962594b3743b5f56129c27c08754d75759332ef30b4af968a6403f15b71b |
| SHA512 | c90cc0b6fb6f0ed1621a63ea7656c4a97378dbabf7e4d75dc2c7f5cdedee7c0d41618fb4e2e2606f9c51d884ab9b7e061bbd09ac75a8975f14ea491d89e6490c |
C:\Users\Admin\AppData\Local\Temp\~TM4249.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/1512-14-0x0000000000400000-0x00000000014DB000-memory.dmp
memory/3660-15-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3660-16-0x0000000002070000-0x00000000020A2000-memory.dmp
memory/3660-17-0x0000000077092000-0x0000000077094000-memory.dmp
memory/3660-18-0x0000000077092000-0x0000000077093000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tterror.log
| Algorithm | Digest |
| --- | --- |
| MD5 | 5373cc038901ac065eb8ddcd0718942d |
| SHA1 | c433db25363805f1cae4c11716d4d5c7673f72ea |
| SHA256 | 75597c855e4374ed6a52d90f9ea1859dba04296af352997a4e517819d7ba2cee |
| SHA512 | 6afe1bad196d27c646b469d8f79b96f7a75a2744cabe39fab1263432064bbca326fe9caf4b1ee27975a3a8e0d69ee9d2efcaf836953256fd3ff5ff7036ed5d87 |