Analysis
-
max time kernel
115s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
30/03/2024, 00:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe
Resource
win7-20240221-en
General
-
Target
2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe
-
Size
240KB
-
MD5
4ac5f59bf52689d7e4049c58976073c0
-
SHA1
29de74bf95deedb2a8880494c0b0e1ac710cc57f
-
SHA256
d1ae2bf536d98cd937e819a098bb6eb7ba2af009dd5724563a6c03233e22885e
-
SHA512
a81bd7f818a974b8b405d0e4d7c95111461400d53e8820cc5ba4a2b80519be4514635255bf819660c931810d0e4c26e81f2fadae7a63aae91d1547e519d68d36
-
SSDEEP
6144:TY6Aw1tj3vHMeC6uZy1RfzNf69UGC5p76KXxGj6:2w1FRC5y1RfzNGU9B6KB
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule behavioral2/files/0x000800000002334d-3.dat UPX behavioral2/memory/432-4-0x0000000000400000-0x000000000042E000-memory.dmp UPX behavioral2/memory/432-9-0x0000000000400000-0x000000000042E000-memory.dmp UPX behavioral2/memory/3488-15-0x0000000000400000-0x000000000042E000-memory.dmp UPX behavioral2/memory/3488-16-0x0000000000400000-0x000000000042E000-memory.dmp UPX behavioral2/memory/4912-19-0x0000000000D10000-0x0000000000D53000-memory.dmp UPX -
Executes dropped EXE 2 IoCs
pid Process 432 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe 3488 DesktopLayer.exe -
resource yara_rule behavioral2/files/0x000800000002334d-3.dat upx behavioral2/memory/432-4-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/432-9-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3488-15-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3488-16-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px705D.tmp 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 960 4912 WerFault.exe 91 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31097401" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1194258671" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097401" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1277539129" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418523498" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1194258671" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{72AD8A3C-EE2C-11EE-9846-628714877227} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097401" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe 3488 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3944 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3944 iexplore.exe 3944 iexplore.exe 212 IEXPLORE.EXE 212 IEXPLORE.EXE 212 IEXPLORE.EXE 212 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4912 wrote to memory of 432 4912 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe 92 PID 4912 wrote to memory of 432 4912 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe 92 PID 4912 wrote to memory of 432 4912 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe 92 PID 432 wrote to memory of 3488 432 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe 93 PID 432 wrote to memory of 3488 432 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe 93 PID 432 wrote to memory of 3488 432 2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe 93 PID 3488 wrote to memory of 3944 3488 DesktopLayer.exe 95 PID 3488 wrote to memory of 3944 3488 DesktopLayer.exe 95 PID 3944 wrote to memory of 212 3944 iexplore.exe 97 PID 3944 wrote to memory of 212 3944 iexplore.exe 97 PID 3944 wrote to memory of 212 3944 iexplore.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnit.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exeC:\Users\Admin\AppData\Local\Temp\2024-03-30_4ac5f59bf52689d7e4049c58976073c0_mafia_ramnitSrv.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:212
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 4962⤵
- Program crash
PID:960
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4912 -ip 49121⤵PID:3816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4372 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:81⤵PID:5064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD583b49b2e7134c3062b8085920426bfb3
SHA1b4cf85a34739004f8c250efa1c3b021c19830c85
SHA2561cd035d5b63a191de0e8853548025d785dcd928e3049dec5642009391f5befcc
SHA512a7d8db600b83ae679a8b03a677259b5746d883bfd131f09859447c0400835536297b3ed6419a44e961aff996dc5536b55d340399ebacca3be3ba4b8b19781d4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD53c2d836f3b970ffd159449e622defacf
SHA1d9e8ef57535a08a3d7216af00444577b997090f7
SHA256b79407a74548fd3906d927d6b62916c0e742efe456d9c5555e86d8f4a20af829
SHA5121613464ee51104679d0c1d6135e40efeca8c5765eda05625dada76d1b7c5b1481113ad9ef998aeab5611a3b8ff55c87fd3ffae74319acab25e468c01057a6fdf
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a