Analysis
-
max time kernel
77s -
max time network
87s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 20:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe
Resource
win7-20240508-en
General
-
Target
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe
-
Size
697KB
-
MD5
fba7c313a3de5376d7f45673fa295201
-
SHA1
e2cf25f5c21731f2cc4867779224886cab613776
-
SHA256
f1dcae6fb160b9c5f3db9685d737cd214e43efb5ef372b8f078c67facd736319
-
SHA512
8b68cfbbfb5d1d6297b9acbd9953ea4b4c59de2cda732fb468b2082fea7a9582e0ddd6440fcc26bdb50abb3b70f8a8cbad2457487706a3efddd0944182ed3fc8
-
SSDEEP
12288:9PXUatYLLZlrKoyu8w0v2pZzBjuSA9sHsS+3kJsw4xuqLi7Ktf:9PXntsKruq2bNuSh+UJsw4xuqgKt
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource yara_rule behavioral2/memory/368-11-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-16-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-17-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-14-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-13-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-9-0x0000000000400000-0x000000000041A000-memory.dmp UPX behavioral2/memory/368-8-0x0000000000400000-0x000000000041A000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Processes:
resource yara_rule behavioral2/memory/368-11-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-16-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-20-0x0000000000400000-0x0000000000412000-memory.dmp upx behavioral2/memory/368-17-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-14-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-13-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-9-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-8-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/368-7-0x0000000000400000-0x000000000041A000-memory.dmp upx -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3236 2280 WerFault.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424385822" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F2001AB0-28F9-11EF-A084-527CD1CC5F27} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exedescription pid process Token: SeDebugPrivilege 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 4452 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 4452 iexplore.exe 4452 iexplore.exe 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE 1056 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exepid process 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeiexplore.exedescription pid process target process PID 2280 wrote to memory of 368 2280 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 2280 wrote to memory of 368 2280 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 2280 wrote to memory of 368 2280 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe PID 368 wrote to memory of 4452 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 368 wrote to memory of 4452 368 2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe iexplore.exe PID 4452 wrote to memory of 1056 4452 iexplore.exe IEXPLORE.EXE PID 4452 wrote to memory of 1056 4452 iexplore.exe IEXPLORE.EXE PID 4452 wrote to memory of 1056 4452 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnit.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeC:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 6122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 22801⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_fba7c313a3de5376d7f45673fa295201_mafia_ramnitmgr.exeFilesize
112KB
MD5795f2a9209e88f0a2d693c7ad06915b1
SHA1ab5bf0ed7e83e913fac8981f5047824840c4a859
SHA256e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148
SHA512fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0
-
memory/368-20-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/368-18-0x0000000077712000-0x0000000077713000-memory.dmpFilesize
4KB
-
memory/368-7-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-11-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-17-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-16-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-5-0x0000000000401000-0x0000000000402000-memory.dmpFilesize
4KB
-
memory/368-6-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/368-15-0x00000000022A0000-0x00000000022A1000-memory.dmpFilesize
4KB
-
memory/368-14-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-13-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-12-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB
-
memory/368-9-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/368-8-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2280-4-0x0000000000110000-0x00000000001C4000-memory.dmpFilesize
720KB
-
memory/2280-21-0x0000000000110000-0x00000000001C4000-memory.dmpFilesize
720KB