floxif | e634d790bcb9cf00820223a6782a171aceea378ffbdf7896d55664c70e9030b2

Analysis

max time kernel
148s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
Size

386KB
MD5

4a836e3e0b5335f5f5ff95dbc9c0e725
SHA1

8da017453494417c54c25cb361e973f0e0302956
SHA256

e634d790bcb9cf00820223a6782a171aceea378ffbdf7896d55664c70e9030b2
SHA512

af16f038c8ff25d7b2b0a8a6fd5cc90350f0d35585b7fe382c617856e110f9b6ed3a0f27993fb6308eeaf60172615e05cd30df34c7e67162eea72bfaee9d472c
SSDEEP

6144:LGiuvY3oDJfaqaWRzAmJ5N3UMf3VYjnrQ6O6agZCPUgidwvRC4Kmn3:LGiuvY3+fv9NAmZ3UMtYQ69ZNPUnfn3

Score

10^/10

floxif ramnit backdoor banker discovery persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000018d68-14.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000018d68-14.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe

Loads dropped DLL 16 IoCs

pid	Process
2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
1984	msinfo32.exe
2704	IEXPLORE.EXE
1592	IEXPLORE.EXE
2904	Process not Found
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2120	msinfo32.exe
2120	msinfo32.exe
2120	msinfo32.exe
2120	msinfo32.exe
2120	msinfo32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened (read-only)	\??\e:	msinfo32.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-12.dat	upx
behavioral1/memory/2056-11-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x0008000000018d68-14.dat	upx
behavioral1/memory/2056-16-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1984-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2056-23-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-25-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-51-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-52-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1984-124-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1984-394-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-407-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-511-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-514-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-517-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-520-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-525-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-528-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	msinfo32.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	msinfo32.exe
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	msinfo32.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	msinfo32.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	msinfo32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	msinfo32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	msinfo32.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F381DFC1-A58F-11EF-9EA5-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3844121-A58F-11EF-9EA5-F2BBDB1F0DCB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438084227"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2120	msinfo32.exe
2120	msinfo32.exe
2120	msinfo32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Token: SeDebugPrivilege	1984	msinfo32.exe
Token: SeDebugPrivilege	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Token: SeDebugPrivilege	2704	IEXPLORE.EXE
Token: SeDebugPrivilege	1592	IEXPLORE.EXE
Token: SeDebugPrivilege	2120	msinfo32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2864	iexplore.exe
2128	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2864	iexplore.exe
2864	iexplore.exe
2128	iexplore.exe
2128	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2056	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2344 wrote to memory of 2056	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2344 wrote to memory of 2056	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2344 wrote to memory of 2056	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2344 wrote to memory of 1984	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2344 wrote to memory of 1984	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2344 wrote to memory of 1984	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2344 wrote to memory of 1984	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2056 wrote to memory of 2864	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2056 wrote to memory of 2864	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2056 wrote to memory of 2864	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2056 wrote to memory of 2864	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2056 wrote to memory of 2128	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2056 wrote to memory of 2128	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2056 wrote to memory of 2128	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2056 wrote to memory of 2128	2056	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2864 wrote to memory of 2704	2864	iexplore.exe	36
PID 2864 wrote to memory of 2704	2864	iexplore.exe	36
PID 2864 wrote to memory of 2704	2864	iexplore.exe	36
PID 2864 wrote to memory of 2704	2864	iexplore.exe	36
PID 2128 wrote to memory of 1592	2128	iexplore.exe	37
PID 2128 wrote to memory of 1592	2128	iexplore.exe	37
PID 2128 wrote to memory of 1592	2128	iexplore.exe	37
PID 2128 wrote to memory of 1592	2128	iexplore.exe	37
PID 2344 wrote to memory of 2120	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2344 wrote to memory of 2120	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2344 wrote to memory of 2120	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2344 wrote to memory of 2120	2344	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1592
- C:\Windows\SysWOW64\msinfo32.exe
  /nfo C:\Users\Admin\AppData\Local\Temp\seagull.nfo
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\msinfo32.exe
  C:\Users\Admin\AppData\Local\Temp\SysInfo.nfo
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
e1642dc76371ce476d991a3ddad75455

SHA1
e7355aa2a63a506191a9a1cb6252215545a2a5cd

SHA256
3d7401c7fba77ae573c6e52b9cc5c3227d227f176657dbf38ce85b1700d18056

SHA512
47c03ec41b80e3f422458109113011fa6e2aadaa1d168f7e7355b485472a77ce4a59d65542f522ebabdd925c422fd4de6b65ea5f10ecb7ad643f0d31b5ed5405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f527ebb66c8263992d5a3c74d1ae8298

SHA1
2ba5c7fb3cbde0b7172d2926ee12caccbca5453a

SHA256
1dcabca0f3aebc9a873dd68d47026965ad6981c22440192c6b64710114d2b5d1

SHA512
d693040787b3e7ce493c4e5d677e33998db298ec5ad228fc0ce109905c511b58b37fa72e5d3dd87f8203d855a9f48eeb0c6038cc9800b50416db6ecc2732383b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a82253064dc73223e93c3f4fafaa3aaa

SHA1
40acbb7f3b79a5b5f3c9f825847221a3aa5bb2aa

SHA256
d6b70110e4d14680754e67c573e077c88bf79fab6e317bd2b2311af927a25036

SHA512
2aed76f27e426bb502295ff13a9355694b8470e2ffa706c51294031151f8017afaea0064c1ca71c3d9e33b137a833e0413b91ca803e80ba71d98aeabac0a6f8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429dd723f0095fb310ad54e380a7c28b

SHA1
a5b98daf72dae70bd66348ef54cc579862027464

SHA256
e9ec243b53ad3a356b74e0ab141f8e02ec980d416b919a38dbe7bf922ef18e7d

SHA512
ed5bea3d6d5c9885b7d23a10d3415cd97c879578c0542794eeb9eb31ce35a5e73927f5505ddec3e312f0b0b67fd904bc56ea7dcf7a7fc0084d6f9fc91180570d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53544e5b0e2a7f10f902a513d24a795f

SHA1
ababd70446b3315a95f66e24f0b4c94939e9ba10

SHA256
7cafacd9fae6cf6ce3dcf7086ca67e75ac194a946a907ab7663f821b30596d47

SHA512
1c3f31f938019a01fe6af04e66fc90086e23337e792d91e4921c6fc9f48322fb7763a8d8876503531f5a4fb2b2a5c1361e8a4ae2eb9c3f1c765fd7946b42d36d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2d36ac9e69cccecb5cebc2f8826dccc

SHA1
c17740669ea747923397e01b4186c5e12e4755d1

SHA256
c6f414daab28ce570395aa333ddd0b8e76df6b2cd016c6d596eff8e394cc44de

SHA512
1c8d64dfe2fdf9f4aa4ea316da1c476429ad52e30d538abe46ec1de636f063b83448a4806ae2ecc3e44279d5221b808a5370325a11881a5346b553b96d0df833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
074ae4575e5fa0c2adea17bd7bb8f485

SHA1
850e577c079d86653689ca82145fd68af81751b3

SHA256
99d4585bdb2c7e04a83f7fc4dd6a7b52f082efa061b2025e8f0c2cc9016b78eb

SHA512
b9e2c56114e10bd261fc7ad901ab0b571b16c1825ed1c66b01d2f90b9506004939a92ba85a94bba58d50f0dd10a5ed06d26faf4b4a044cb0ecbd1563b4335d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb4814d1b5e4aa0a3614c3987a1de9e

SHA1
8cd027d588584e074ab8f7c235fc698121d8ae5a

SHA256
a986a487cba40222e048820eff6ff2e8b76c49116e7888b62045ad784def1b63

SHA512
997a8a969fcd6974b46463418506b3e603c613e162cb185f38dc1930b189a3af1e42094205cedf5b31a256fc1741e780491d16de8c2ba4cb4db56c4b9eae0dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e11d7a04277954aa6eea5d018fd0c28

SHA1
2bf44bc764f8bea066cda75fd99d477cb9770478

SHA256
f760dd22c38e018e845156c1e2eb2b4865751979ff7f24c15208b59527f1a357

SHA512
83fdd9821e315f53cba411e1e43fc25a91b32decd199e217679e53530f2adfae2b4e18373d81e534d16f670e0d699384682c6224e0b811f40e835cc642dcdf57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d543d870af1a702756c97cec022242dc

SHA1
b498529d6305cdb3b745aa6e3c91694ca39ca986

SHA256
7dc6df1f70a2a69ed06a7e8ead170e12fe3f1125100a0a54cb1c2acb60a06f99

SHA512
54ae08690adb392f1061cf57ae09153f5416bb38da13ce49e2f86d4b1319e86b38e7c2ac215640237779469c9dfab55b83895a1325d85686feabb25584b07f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F381DFC1-A58F-11EF-9EA5-F2BBDB1F0DCB}.dat

Filesize
5KB

MD5
3d911589a90abb8a5924db86a9cebbb6

SHA1
edef4db75de2f60d29e9092af14edfac1b083720

SHA256
5f062f7c3d9d78fea84368e9505b485bb558b19ded189999139076b91b2aa3df

SHA512
ec97c6aa9a469e9de9676a84c0bde25bdc8241c07901839c79e4f75779ab200ebc750bdcb9e33e2910bb95c0d09c281d7d268760fb28f81aa740283760dc4063

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe

Filesize
177KB

MD5
5c65d0f7ed0cf850e4e9cc219233d133

SHA1
093b25fe1598dbce3c9cb3aaf7da89f9e6fa321c

SHA256
c25c2eaf1dd5165bf46a36d9420d7fe718cb866831b91f22f55561fed08c7f4a

SHA512
2d404c860e037bc7b7e400ff2369de91599f15780d82364f119b356706aa3140499816c00a2bf99ba443206788ab0da527b16c3057372f803c5c112c2eae5d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDC6C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.nfo

Filesize
367KB

MD5
aadeb94839de80aeee9a1c9fac317565

SHA1
dbc7228bca26b3f711bbfc62689401f1f0438e29

SHA256
d261fba8a9ed9ecd2a92218cf31250073e0fa7f1fe703f7848f3e0c6f68dd288

SHA512
501b2f06159dac6f616c66709436233f9a360ffe5ff34ac88899c91645f9fd6dce624623b388b56932d71e0c80b76225f2de12fc0b70be5eea475d5dc7b8a2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDD3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\seagull.nfo

Filesize
352KB

MD5
8aaa3cb8c06735d720d50aef105ee935

SHA1
7efe869177b79d71b46d3f835ff601fefdecaa2e

SHA256
b406d72a6b434a11c1ba08bc0f3cb107dc7d85fe75c038f8ab0f3f6d4bab4c3b

SHA512
cd3f9e3fa47b728bcc62d7172ce633cec946754588b804436d56364dfe73cb93e02235b5f0cc95ffbb09ca839aea0c1e9ccb255ad102c7450aad71c4e6193e4f

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
8e284ca94a3abab2f796dc81df474c37

SHA1
1cfd6f74fe6882156f7fb961c57e03f97ea2afcb

SHA256
cd4f2de23e396d1c80e8fab07186d30a2f0ce1f8c9dff6003404e22a6cc33158

SHA512
c892a6c7f5cb04082ff7998d782582431e3c7694d5bb1549492fdb57ed0b96f3c6937345f747ff2854ed24f464dda6e8cd1df72af3c2fdf252ace94703d971ae

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
f40c997982de335052fef7388adc7ba2

SHA1
af491222fa05763a3771bb71db5d02fd32f51786

SHA256
b0a8ae0a8abbe89a3090eaa35aa4fbc1b999675b735dceaeb1e6d58c0641ecc6

SHA512
c58544648cbf6f834804dd88aec5ec116a24e52d6bea5b1d25d10a9badc04532137c9a83315a17c906b946831f49ec848c855c77d8767e190ab72af371314ece

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
8ac06da2390f6bfa87f3a5a9cc7cfb85

SHA1
8ec57e5d6478ce2e49df00f476cd99cabc05c923

SHA256
2d5cd443a62d4b971d0ba61873e48e5ed80722f153e943602a1df41627376a02

SHA512
164f6497871bceaaa8c726892a1332be07eb61e225f1458d5b1f6940ff0d95a13ebc5f533842c7a7c30afb43a664d77f4b72e9950de846d9ae0d2a4f56c387c7

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
7fd7de6522d709f0932aa399ab189fe4

SHA1
b05e0c0db725f9288c96874212ddbb61a7c30a52

SHA256
3efd9fb92973765a75cdc7eb829887550c0240d7abfe93e92a802cb1f48b712c

SHA512
4d7a75c6b0032a4cfc3dad8308cf3c0e2b7d641ac01a352dcdd5a7fcbe663f93182fb2c1fd8efaa869f8dafc412acdae52aca44af42824c0a990984b3a720cd5

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
4a2b5a458e0a78970e13227c9c11762c

SHA1
870d9c22bb955cdef3ba69ca3572b3052cb3108a

SHA256
f72fcb9496a5790952f7961032f03f488a0291937f95b5eac93d09bbc02c53c6

SHA512
d01399c4e404a825a7ed2648788c4386d776548a12d9d7a8b0f00b3517a3242bb22486a76b21f10e8a01db0b8325c6614ef261838b4cd50ae92cd29c347504ce

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/1984-20-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1984-124-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1984-394-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2056-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-22-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2056-24-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2056-16-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2056-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-52-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2056-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2120-520-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-407-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-525-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-528-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-511-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-514-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-517-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2344-9-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2344-10-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2344-0-0x0000000000110000-0x0000000000175000-memory.dmp

Filesize
404KB

Download
memory/2344-50-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2344-529-0x0000000000110000-0x0000000000175000-memory.dmp

Filesize
404KB

Download