Analysis
-
max time kernel
135s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
28-12-2024 15:22
General
-
Target
2024-12-28_97b6e4b6822ea362918b206709dbc1f0_mafia_ramnit.exe
-
Size
475KB
-
MD5
97b6e4b6822ea362918b206709dbc1f0
-
SHA1
13893c0843868e1955c9257740d2d5630046fd71
-
SHA256
a15208b831ae32566f259844d82abc3a500b2a2c002b9b2e74e749c0db4d78b1
-
SHA512
d8f2fbe1a62486b22146307214425bd6a34790101d54e17fd4b6ae96e746cd9730d1435e1513b143c1aa64073bdd952c88b09601da20d5a81573223284a930b2
-
SSDEEP
12288:DQt0D52k1e7rtT1n+mMJOE9vWN0VTTbM/M:qW1e9TRN8OEc0H
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 52 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-12-28_97b6e4b6822ea362918b206709dbc1f0_mafia_ramnit.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-28_97b6e4b6822ea362918b206709dbc1f0_mafia_ramnit.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-12-28_97b6e4b6822ea362918b206709dbc1f0_mafia_ramnitmgr.exeC:\Users\Admin\AppData\Local\Temp\2024-12-28_97b6e4b6822ea362918b206709dbc1f0_mafia_ramnitmgr.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD54070c6f5df848ed9656d4ad41aad2e96
SHA1da4fef32dc64bf0205f2894c9e66e30bcea29148
SHA25647ce8fb016d35be873f95ffeb5388e660ae12f333e6ef159eba28d4e7b205653
SHA512abbb17141039eef555ad3d5ca6061da2564820b830bf6a584261a67ba609b503e85242273acee081ec7b7f8499192ffd88a68016453b95ca64d839fbe15f3678
-
Filesize
342B
MD510b7827c15d8d04baa3f19b422fa3fd3
SHA110095a102643cc7d2494cda2859de27734ac817c
SHA256e8723843100e9a71a16bc2cccf7ce21c66b9246ad8f5857291534f83e5aa2cf4
SHA512e2023d589c858db5c3f519bdd55a6e9de268a95ed93a6cac3dbfab03fedc29bf12f9aa2ec6d67beb3848b4159a3d427f7e21355b8ca07465d66c670ff976fbf4
-
Filesize
342B
MD5db89f1cb0bae92239c53ab9a6f990b61
SHA11014812158269b909a5aaf9c7600082f9234a326
SHA256758ace07b908131b590d545841b3077f53f6d9d065d84af5bac8c8cfc1791982
SHA512c1363f0ebb02dd7fbdd61a3beb4a005cd0cda20dc3e4227a1c2bba9b40f9dc6ae7f8f86459aab43da1dd83bbcab47b5bf0b21f52ea833d3966001ecb97cce3e2
-
Filesize
342B
MD5e0700c8c7e852d110161611201c7b780
SHA1ff1c5dca98e77abbd2e1c3aa866f8be7fcbd3cc3
SHA256a9cbdb546dd186df8ed9b8e285e762762ce872af96f126a3dccd59c4f5f4c7a2
SHA5122d6bd85a1640e2bcabe2d5792bb8ca9dfdcb533a04ec3ec283f332cd16de3871445f6bcabcf476f3d4a32745455425093029ea8a3202c589ee3ee1a0d6ece683
-
Filesize
342B
MD5688d2f888c7abb76c565fd1d49e985a5
SHA12e5e5be00ca5445c1aa1eb601ed6fe2e995d76e1
SHA2564b1a0ed70bae0fe4838ee8e00a45ca5519907caf1d8110e2e38cc10028c0ccc5
SHA512f7f7f5653e78539e1f930f342dc9451255a9cc62a5e36cf4d301f4e09a1948620b0dde8f26eaf9e64b8bd15bf5ed7a6cda9991d038c22e7df4ac129cc5ae496d
-
Filesize
342B
MD522f006fab08dbde74dee1ab25b4b5edd
SHA1d1369e653ea8c87f8a73f751d48044978b682bc5
SHA25609a33be46b60ff6f4a1b24286850f83dcc400a2dc7494e8377e868d32ac16753
SHA512bb78ec2b3c2a47641c179794e53e56e51374c718a029aaac0f899ed95735957c2f6519a4180e8e323785d95c5a0db14fd93a6a4752c7650e5ff0cff8b2ba824f
-
Filesize
342B
MD5dfbd1b85c0f059d0f77072f18f83615b
SHA10f2d7abe3ab3ee11c3f40798817dc40169592265
SHA25638c85bdb4b8206a07bcf092e6ecb8f14f73a19f569ebaea8456823bfc6f5799a
SHA5127a005b876d4d99595dfd89410379b4faa0912a1a9cb35413274e2bc4d50f4b23c129caf645b98d6e884fdbf129db2f7d1a9e82863b22a0c277df9a77e700d5d1
-
Filesize
342B
MD5ada7684fa01197932b640416d49b7a5c
SHA1b3711f7700864fadaeec9b6762b20bb35f070154
SHA2561bf398a00c7ee1c0d5d693a5a0c046601047523a10debfc42fcf99fcea8ad276
SHA512ddd435d88db49bd917036c78167ee638834013a7ee73114f25d919767a14a90485e2450a8cbbb011ef7df180d8bea464a8dd7fb63701f8e98dfe9d35e2c1935c
-
Filesize
342B
MD52f8a1606a6b5e32731cd005d859d3c8f
SHA171a9cc0801f6308dce01792550df8ccf383dcbb6
SHA25688e1dd1e64698cd0ae7d0a6f1bc4ae9d3bf7ccd0d58ee8d5dc1097863d33c9f6
SHA5126bd97269b5103b33613e6b30512b2a79d1c00fa9882c1cc6463ef154e79945aa1721c7ba4099343437f815948cefe3eebd708c8093a2ac67c292f1807fc4d210
-
Filesize
342B
MD50d6a7e4ab11e032650e506b3e0757950
SHA1795f9f344637910e0018708524c8d4fc99d28f87
SHA256c2442b73d226b8d648b5fa27fa72a3844e6c0c8b2d65e09de3a7cdb97c85e4f0
SHA5128496636223aae5e5e750938f9824852ad014288ef1ed9d03d6fd7675065164c69b5732bf085b92a07b4babef12adb64ec61b55e3bb5b7c6a39a970e187d735db
-
Filesize
342B
MD5febdff1ef431036cd9be7e6409aeba61
SHA176a321db022154dcb17bfd6ac5a61b3e3d186cf7
SHA256b55e1d0f7bd75c9363ffc195db176697333672ba5d72108a9233c5e43f2c63e5
SHA51229d207f40e638b4e2b30dfa9a48a5ed2a02de5efe2de1e2188d7caa3128654ca0e56899a79ce101d53aea1ad15d233da43d343d92cbd8d25a7fa7bfa4f184ca2
-
Filesize
342B
MD5dd54666f6096abb9fc023d1ed0bb7f82
SHA1f54d5a08afa0fa860a587a39f646fa9fc48d5e24
SHA25692a033797cb7340c6cc3ee4efd5f87e3a1e132af509981f9ff84430a5589e05b
SHA512042837ba2e093fe8b0133922bf090904538ef7169ad1420879b4f7cbc84c730248b3767e7cb2ef46d19b758a37c592c166548216aefb1f9a3d671ea249f5aed1
-
Filesize
342B
MD5c32ed6799950b1a9f6e7a47a04a7f8da
SHA1588d6d9be97026ff33ec7c501434b2133f43199b
SHA256b34381deea5d63b9f57929b3a1b622e97f9de2cc0509fced968b8d5ec6bc7893
SHA512d16936b5e0a0d6ba44e47e451de4f4142a70910aa52a275c46d95252288b6d846052e40a3bcbacdebb645691a77965fc63195724ab46bf14c19138c736e59973
-
Filesize
342B
MD5515ee056aadf7c0ba4b51ed82ea59cc5
SHA19440adf08dcc01672325b79376a85709bfe9d0a8
SHA256b9de8ff2fa33948b1d07f7b02f46b8351497f969c67e58e369f6b1263cabf714
SHA5126e09a52b66ba86153e5402cfc0023873c77b0c4b689adc2af30b76e2b777c44d57d5be17d4620547e84c22e33e2442a6541ce909456708d56c6eb47ffc4d4f7d
-
Filesize
342B
MD5ce22aafd04ee279f2b560f04a55b6dfd
SHA17fd3df36a9033ce93018859d57a6b0653c3d5297
SHA256fdd002c0b7eb9bf221eea72c8a87e99e24b8cec4f1c030112a06198f9e3dc89d
SHA512dd5fb6b18f249c2a620d4dbab0666c37ded3e6eb588b06878d53255bc2950bcb6a97e96abe142db61ea360f97dc8b0a0831073933366bf1592ae4680f86df143
-
Filesize
342B
MD5e233d6f09661b1978c584d82107506c6
SHA14f9f4458e61e3e22d0da24d5bbba66ff165b3226
SHA256fa832561567f97fe4957a30482f529bfc045cbd8eaa523839cb9c6aa3df3e032
SHA51279797a21f7ad56892bdfb0ae331414f5e02d07a86b86d295ac6a52c65101c9bb5244486c79fe65083252a698825272810d5b4cb5773215338f9b97324f4e7c5b
-
Filesize
342B
MD525468b839c7c6704cb5210645442a110
SHA11d944f47696cc8a92085f5810c27188f8b6b0500
SHA2561dbbd9512e332c5ceba21260fc9b9750d8a0d8ba408a53437849d05cffb8faf6
SHA512c28311e6fa7161fc59565575d7ba84a8825c1cb1deb5c6140c79eb3bf014a8f8b7589874f1b040a62e4e871428e73322dedd41ce1d803a504990776bc99aa517
-
Filesize
342B
MD585189cf2c9538c585850301d8e57234e
SHA1869d1ce6fd2a341fb750ca703249059826f96d82
SHA2568893c03bf467e7234dd078690e8006e94d2d59daf1d391eabde5dee2cd6594ce
SHA5124f4076bfc1ef8fdd479d1b92d592aba719561781334a53c57fe62c737224ebcc8e5952aac98f8a5a4608ebc8f391e05d205acf0f48a2c9683036a6bbe1124742
-
Filesize
342B
MD57c9ec716600fad7d563d56c070adad68
SHA17f5760dc66198e6d8844f35578f612db89b087f8
SHA2568e51ed8e23861a06c3145e606bfc21e3a2b00e35069dbb3aa0e3ebaaa2b154b5
SHA51288b747828ecf656ea4df14a2b2b495b499353f3fcb561c32ca46dc3d3c9e4ceff4dedf14a4b8de188a0b451a901fcd5688400f2a3d58e909f5d277305d98160c
-
Filesize
342B
MD549a59e1526996f7b7928558fe8398a91
SHA118b31744cf38a289a601a067b554d741d35d710f
SHA256c9908123484fa6fa6e86bd3014dec61069a2319478cee1dcfe9d70ca3301013b
SHA51250bc0d76ca8ee271f5f37ce34a5bd13c3df38052724c7ef5bc5c67c571b92810d34d4388337c61ff127fe408f6a052798b22628be66573b48d1a45007ce7c7e9
-
Filesize
342B
MD5c9d5dae2f6326efdd3abd2ffbf0f2546
SHA1a4dd04aed1530778ac6afc7871f5fc99d4f70f55
SHA256a5b7b26a536e90df52a5a31794a54929a40d5aca44c929c3c0ded53592c06b0e
SHA512b1a41e7221ca58f6ebdb6bb9f40997dd3a3a66ade195d9280bca027bd8211cb2dedeecc297661f8d1150af91233f17134ae60d37da087c39b32d0e37034b5f88
-
Filesize
3KB
MD5866566c5a9a709704a63f6d8fc4cadc0
SHA14e80148a4608809c1cf95deaa0e8cb491c8bac8f
SHA256627419114ea75772c821310fdf3c6faf8e65afe4d2b836ac100f29afe91118d0
SHA5125a2dde44f250ff3f179d1391ef2442f9ac732ca87886818ef598f06ec0216edae6f09814c2d653c9d7a7a58874185e9299b42c2b2808e0f4ac9f6639deab27ea
-
Filesize
5KB
MD516a1e07248d465b1937b3a6a2e4244a4
SHA124c51ac469204971ac24f67783ffc2d6ae2939c1
SHA256e7c9c3cb2c0ffe2a71d448dd40a8b0d24c7191cf20b200f409e8fed1ba837f16
SHA512ea766c67457709276300f49a0f9ca41c9d5d11e0bb7633a5f2c41760f82b909fd26b9f141ed48d3f157aa3e28d7cf4211ffe6c0769b986ee037f47f9853538ed
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
159KB
MD58703c6aeb2e62da71e50db9698d91e35
SHA1cafceda794c5b1976b46a5d39949137aba8dc9e6
SHA256c3a332de99e2b195bbb3e5927f8ee4217f968bc373f8c499db45db0b3388d47d
SHA51248e45868929fcacfa06c5078de2e54d32cfab80e5dd00036b37f3d55b33269f0ee82f46b68e7a6adc2ec9aecad8672393a77602c1b995133876c2c4e6d15229a
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
400KB
-
Filesize
516KB