Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 20:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe
Resource
win7-20240508-en
General
-
Target
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe
-
Size
697KB
-
MD5
fba7c313a3de5376d7f45673fa295201
-
SHA1
e2cf25f5c21731f2cc4867779224886cab613776
-
SHA256
f1dcae6fb160b9c5f3db9685d737cd214e43efb5ef372b8f078c67facd736319
-
SHA512
8b68cfbbfb5d1d6297b9acbd9953ea4b4c59de2cda732fb468b2082fea7a9582e0ddd6440fcc26bdb50abb3b70f8a8cbad2457487706a3efddd0944182ed3fc8
-
SSDEEP
12288:9PXUatYLLZlrKoyu8w0v2pZzBjuSA9sHsS+3kJsw4xuqLi7Ktf:9PXntsKruq2bNuSh+UJsw4xuqgKt
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource yara_rule behavioral1/memory/1808-16-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-17-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-24-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-19-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-15-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-14-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral1/memory/1808-13-0x0000000000400000-0x000000000041A000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exepid process 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe -
Processes:
resource yara_rule behavioral1/memory/1808-12-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-16-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-17-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-24-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-23-0x0000000000400000-0x0000000000412000-memory.dmp upx behavioral1/memory/1808-19-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-15-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-14-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral1/memory/1808-13-0x0000000000400000-0x000000000041A000-memory.dmp upx -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2428 2020 WerFault.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F16B2791-28F9-11EF-AB84-52AF0AAB4D51} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424385833" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exedescription pid process Token: SeDebugPrivilege 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 3044 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 3044 iexplore.exe 3044 iexplore.exe 2840 IEXPLORE.EXE 2840 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeiexplore.exedescription pid process target process PID 2020 wrote to memory of 1808 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 2020 wrote to memory of 1808 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 2020 wrote to memory of 1808 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 2020 wrote to memory of 1808 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 1808 wrote to memory of 3044 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 1808 wrote to memory of 3044 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 1808 wrote to memory of 3044 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 1808 wrote to memory of 3044 1808 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 2020 wrote to memory of 2428 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe WerFault.exe PID 2020 wrote to memory of 2428 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe WerFault.exe PID 2020 wrote to memory of 2428 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe WerFault.exe PID 2020 wrote to memory of 2428 2020 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe WerFault.exe PID 3044 wrote to memory of 2840 3044 iexplore.exe IEXPLORE.EXE PID 3044 wrote to memory of 2840 3044 iexplore.exe IEXPLORE.EXE PID 3044 wrote to memory of 2840 3044 iexplore.exe IEXPLORE.EXE PID 3044 wrote to memory of 2840 3044 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeC:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 2042⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeFilesize
112KB
MD5795f2a9209e88f0a2d693c7ad06915b1
SHA1ab5bf0ed7e83e913fac8981f5047824840c4a859
SHA256e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148
SHA512fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0
-
memory/1808-19-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-17-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-13-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-14-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-24-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-16-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1808-21-0x000000007713F000-0x0000000077140000-memory.dmpFilesize
4KB
-
memory/1808-12-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-23-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1808-20-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/1808-15-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1808-18-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2020-1-0x0000000000A50000-0x0000000000B04000-memory.dmpFilesize
720KB
-
memory/2020-9-0x00000000000A0000-0x00000000000B2000-memory.dmpFilesize
72KB
-
memory/2020-10-0x00000000000A0000-0x00000000000B2000-memory.dmpFilesize
72KB