ramnit | 21cb862b0e7b729a973f6a2a7171c0dbff0065f625ff58bee734abc55c11f857

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
Size

1.9MB
MD5

4a65bc7f8169b7856bcf301224a778d3
SHA1

91ae75d9cfa2d93df53a39222bd4b482d719e1db
SHA256

21cb862b0e7b729a973f6a2a7171c0dbff0065f625ff58bee734abc55c11f857
SHA512

8d9ec6697566b546f1fd905bfbac9aabe33b45cdc757e2d806c8dbea1ca76f66b6f248b8b8e6ad06e63cdf0ac139a96100cd3e9a44795a40661c6186bdea53dd
SSDEEP

49152:GfH9d7Hq+fTD6aHf3IFLeVsxKaEwudNNNkeeBqocYdAt1HKgD9vBZ:GfdRHq+7OaHf4LxxKaEwudNNNkeekt1d

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
2840	DesktopLayer.exe
2568	DesktopLayerSrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
2840	DesktopLayer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000012280-5.dat	upx
behavioral1/files/0x0008000000015f41-12.dat	upx
behavioral1/memory/2780-27-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2692-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2692-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2780-16-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2780-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2568-39-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2840-37-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2568-42-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE7A1.tmp	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE7A1.tmp	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE86C.tmp	DesktopLayerSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{059BCFB1-C9CE-11EF-A51B-E61828AB23DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442069084"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0582C971-C9CE-11EF-A51B-E61828AB23DD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
2840	DesktopLayer.exe
2840	DesktopLayer.exe
2840	DesktopLayer.exe
2840	DesktopLayer.exe
2568	DesktopLayerSrv.exe
2568	DesktopLayerSrv.exe
2568	DesktopLayerSrv.exe
2568	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2248	iexplore.exe
2716	iexplore.exe
2664	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
2248	iexplore.exe
2248	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE
2664	iexplore.exe
2664	iexplore.exe
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2780	2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe	31
PID 2672 wrote to memory of 2780	2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe	31
PID 2672 wrote to memory of 2780	2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe	31
PID 2672 wrote to memory of 2780	2672	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe	31
PID 2780 wrote to memory of 2692	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	32
PID 2780 wrote to memory of 2692	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	32
PID 2780 wrote to memory of 2692	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	32
PID 2780 wrote to memory of 2692	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	32
PID 2692 wrote to memory of 2248	2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe	33
PID 2692 wrote to memory of 2248	2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe	33
PID 2692 wrote to memory of 2248	2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe	33
PID 2692 wrote to memory of 2248	2692	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe	33
PID 2780 wrote to memory of 2840	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	34
PID 2780 wrote to memory of 2840	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	34
PID 2780 wrote to memory of 2840	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	34
PID 2780 wrote to memory of 2840	2780	2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe	34
PID 2840 wrote to memory of 2568	2840	DesktopLayer.exe	35
PID 2840 wrote to memory of 2568	2840	DesktopLayer.exe	35
PID 2840 wrote to memory of 2568	2840	DesktopLayer.exe	35
PID 2840 wrote to memory of 2568	2840	DesktopLayer.exe	35
PID 2840 wrote to memory of 2716	2840	DesktopLayer.exe	36
PID 2840 wrote to memory of 2716	2840	DesktopLayer.exe	36
PID 2840 wrote to memory of 2716	2840	DesktopLayer.exe	36
PID 2840 wrote to memory of 2716	2840	DesktopLayer.exe	36
PID 2568 wrote to memory of 2664	2568	DesktopLayerSrv.exe	37
PID 2568 wrote to memory of 2664	2568	DesktopLayerSrv.exe	37
PID 2568 wrote to memory of 2664	2568	DesktopLayerSrv.exe	37
PID 2568 wrote to memory of 2664	2568	DesktopLayerSrv.exe	37
PID 2248 wrote to memory of 1920	2248	iexplore.exe	38
PID 2248 wrote to memory of 1920	2248	iexplore.exe	38
PID 2248 wrote to memory of 1920	2248	iexplore.exe	38
PID 2248 wrote to memory of 1920	2248	iexplore.exe	38
PID 2716 wrote to memory of 828	2716	iexplore.exe	39
PID 2716 wrote to memory of 828	2716	iexplore.exe	39
PID 2716 wrote to memory of 828	2716	iexplore.exe	39
PID 2716 wrote to memory of 828	2716	iexplore.exe	39
PID 2664 wrote to memory of 2292	2664	iexplore.exe	40
PID 2664 wrote to memory of 2292	2664	iexplore.exe	40
PID 2664 wrote to memory of 2292	2664	iexplore.exe	40
PID 2664 wrote to memory of 2292	2664	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1920
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275458 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22430257988f0d76d16a9671f996f93f

SHA1
d380cb6d8d70d5f0a5ee8a3deb6339bc9cb6596f

SHA256
7462566d71e145ecf90815e5b33663da985ccd396836dad52799622d25cc9a92

SHA512
b91168a67f77f77967c19e2cb3f3add87c2808557595276c63560ce6e981ae8dfcb772c43eb0d353f0677d4a2aa47263416b7af62c7a964fe4ec9a0bd73e52c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3257d09b93ff929735a914b4c10b1729

SHA1
3e83a1d1b5eb352be98a3e7ef01f6d875f7e7228

SHA256
0d4f85957962bd0b59b58c202e2332fff7734b8efcf81761bba1ef06d8aecfdd

SHA512
6c7994ff6747a15e950743357e2439aad38deffdb36d9b379f98b876662883969356dff8dad70fb32a4e6c85e29810dba14d1bc40ac593e3c4ceadcfb71f21e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70314cb9afe708edf581f5c18cfbc931

SHA1
774e7d3bf0059938f91a1e2fbbbe9869b903b12f

SHA256
cc5af4b9a084025098cbacd8380db307e44f21a39af81062c1c6a762b4532711

SHA512
7a3c803b060eb9ed375affad736802895c9dcca4443d648c500dfd8ec36f8c7d28ac29bec2375032aef7a63b04c48307b04548edcd5396f943bb8537e082363f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dd911251b81a7e8ceb4857fd14fb0ac

SHA1
6786222fad229b1887e64a2395524ff88876dbf4

SHA256
7692dc6b3eaa74f4bc808cdb95d4b86fe73f698dee6d3d046773c9fb6c4bd102

SHA512
2a18f64c5900328ceead05d975e1befdb11667e7d2d2ddd84e6e626948e31d1ace758a7bdc5bae80e076c020be84eb267edf086906703e6259218f3d94cf1ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7acd4251b1ee56338bd14d4e0eebdcf8

SHA1
9146ea6b0e17457a185e223df02bcb42d7cf29b3

SHA256
f053dbe50dfbed766dcbbee6d5a7ed2a6db9dd76ad637f1de13e51c5f341664f

SHA512
8f10d6db5147b5d58a88a007807ab3b85c564ca69126c5faeed3f2ddd300046080d612ef4d8fdf5d94e3d4990893628ccb02a72419ba402a770f852fe2634067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
571ca095834e51ae1098c05afa0776ce

SHA1
db74889dbe948c064f413d9f3c5d11b68bb08039

SHA256
61581050ef780a9aee944d6f3bf067fa45a0fc66136696d75c64abeb275bea3c

SHA512
01dd032e80517c747a0f244472418f2ba662d5f5be3307791eb33a3fff4bca81483116d5d17ce429ffdfc8f974b51533f21e9dd3868aac462227dac361f26891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
233b7570ab2e8936c40beb18fd76a2a6

SHA1
93406a57f98a49d6e368e1b98c839c052cd8f6a1

SHA256
58c76838935f461113ff247ae36d424981e1c940fe4d6007ce6d06d39b997c70

SHA512
9def09aafc0b0b3e57831855911e39cd083de04d21f9acfc6c8a486dcece469cbd98bbdae9bddb8c7e1f68b37fa34a9e06053b89e4778955caf449bc2c1b6409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8ae9880455bc0e5089ddde23ee786ce

SHA1
a4e053927564ec41e393d1677f33bc3ca5941457

SHA256
1ce19b35616f1d7ea53b76714463e25f25f50924986180cee367a5c113c0778f

SHA512
16308c406d449835e2529cadf383f6d60a709647123b568be86d4d622788101519df5d3bab1f24c9da977385653ace41e5592b00d2a4c931c55ea198168924c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80451bf129718afa6de2166d75bdfa31

SHA1
deed9bc5f5cf0d454982d8eb4e98b3cc059706a8

SHA256
ada159002bd30915eca8e34aea8541e098d7dd559ac9fc1d83f2f1cf1ab6de14

SHA512
714193cf31d5ee1262184c7cbf878f0dbac6adedbd0e2d3bbe40840412c7e3d30c23773c377ad233aff8b160c411da0afea59ae7ef770bfda50cb9188c677ba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54648f401d355911867f35619d0ac244

SHA1
982eb85f1299f7127dac7b95fa0c05c5aceb3f22

SHA256
0b5a109c0bd147f88e72d99c14eaee8b615ca6387ca68dd188072d287e410212

SHA512
fd103315f216eec29c728fa59e47db05543dcf0904eb20b7a9c5f7fb95aa7ea441d2dc47586d7adcc237d6716a087a6680d3792dc3180b1e26ec2da462ec7a05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e36b7b319e789614c98166da68c56f1d

SHA1
39d60f1969260e30b2a50ef3afbf21839c678769

SHA256
0a2963cdb59230c6da4b7ea674e146598c156c8e36567c8e93dcfac36748ae15

SHA512
8605d84863deb07343b062e9ef5539cefe2a3a54017edb4b4696a7e951446d51b63f359ef58061e3529649df1cbda20bf48988eb7edf600dd6f2709c8c983e9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
684788d77979ea72d04f5f24f69c4613

SHA1
79617919755cee249d3c866a60432e3ddef3d3f4

SHA256
04ef6e974d5943013a0593aa89d7ecc77478c683fa7bf7e0665ae96e34358b54

SHA512
16a9e26eb4226ec0135956e42e0977aabe11d2544fe068e7538e033d11a6437328a7dea40dc37ae7020f8cf6d964a952d4032359e7c376bfa766968bdd7ab429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7c09a1ecc9b407496c4c5ed455dfcfb

SHA1
f80f1c4c07637d3dcfefda1a148fe5e72590e5bf

SHA256
a4cae0033dc46b1c2d3af7ba8f97b2ab759a9564d1653fa377bd19fa0aaddb8b

SHA512
8cb1553cb5e493b7d5252e789696442a9df8aec1225915353caee27c073c2d30e8881e40e9b94c7f9accd5582a8f8b381f1b98b7cb5870a0ed5884f9ff4b0006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2134871524e1b7707aad3d0477ec0ea1

SHA1
66b9dc3bf7805abd44059e9e34a9ffd2bc999ca1

SHA256
0360a129f35c48ac69e9ed9fc3fb56ec4e0fc2c8855407bc8079cec315dcead6

SHA512
b9ab479027f700a1f95f08cddfa77817d9cd635daea04385481c34510bc31d9a17d9fa752e0e862002fc519f24fc059a86a78d55f461fefbccf8004b252fed0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
720aeae313b82fde0381ce4e2449aaaf

SHA1
7c1a2219977ff54d5d37923f080080927e076640

SHA256
023d9fe305a7a0065b5c2c6bff28f8d38aa4a4fe0c173f23038b78a3e3909bff

SHA512
8b04f23f9d2348fe4d4a85bbb33fe7d111e7efd7c0f9c6850479d5cabb8742d416889a6e101ea633ced59ff31dfcf7245832955fbe3ea0f96544e38ac968d1be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f9dc06a5eb47349487468558d21e3b2

SHA1
87e350a6437d8fb6a9fb6bc7f7a32ef3c76e5506

SHA256
97cfb16202f8fc800e433c00ef8054b34076b8cc64ac231da8a49fd71bfd98bb

SHA512
9baaac65a3757ee9f9c0d158ccc30f53033b73f98ea9e091acc51e8f14eb9d0e1030877fba0466f47ddcf613fb8d6adea2e994d7c663e06a993f8edafcc178fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ca3c1e50f3db85e1b48744ebcd2c2ee

SHA1
750f15d17aa5b23374aa119d24a8f77e05aa4252

SHA256
d824b5eceb8996c27436c2ee2d293f4ccac8556792eeb007f5cabcabc53876a4

SHA512
a85ac0c8d6f8bfaf3338e06086fa55eacc014ee304c460c263dfdb8d2d49aafec2d97d614297b91ce763e67623c7ac0e86f33afcc278a6f1b5c9cc46fe503141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8609776fdad09d7b7a06a05853a7dbd0

SHA1
a7284be96693c9f94fc70f3b2614c981031f8e86

SHA256
0421c7d9a19dfeb6e81e635c0ea73b6d7a227643f97df59c1846422d70fea151

SHA512
bbc1c12c56ac2eb658d623a7311e4e564eeb6aadfd0cc151b7e36092a85bbe8c3460d8e357881be611783a140938cc5d9ea41ef564c5b4d23109362fb09eecb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0582C971-C9CE-11EF-A51B-E61828AB23DD}.dat

Filesize
5KB

MD5
f976d00914836d4de4404545945a8f87

SHA1
9563d44d7bb0401a68d41ab94b5aa8b7bc16cf41

SHA256
532e6f3bd7cc9e779775ecf96e5dad5c4f0bf5283878f5e9d46afc63e496d1e7

SHA512
7a796f74a620c2117abda670d46b80b87eff32dbb2084ff4a0b334409da5ad3d66f18a77eb81fdabb9da400bc00e1f6402173b0ad7a45f40ee06b8f56bf902dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{059BCFB1-C9CE-11EF-A51B-E61828AB23DD}.dat

Filesize
4KB

MD5
af3e6d20fdf3083947d1878128e94981

SHA1
21483c366c7a809fb51f7c3ccfc5778a04b07bfa

SHA256
5ef545fae8a8feea008fdb717cf8bce18dc6cadc397fbd18d8510c4e12b21b9d

SHA512
dba85c9f9322f63205adec7a35b49f92a8382577bf4bf8f4b1323698a24c94f329604de8119c130a1079858aad66df840f556a08ed117324d5e34bc83aae3be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{059BCFB1-C9CE-11EF-A51B-E61828AB23DD}.dat

Filesize
5KB

MD5
3ac22fda915fec31d494350197438d2c

SHA1
1e95692c7e03cc58dc3986ebbd84e0d6892579da

SHA256
c274f7685552ea8d44741d86033959ed72b5e1d36363b40f05408bfdf5936f6f

SHA512
035a6aef9d4cebd5c7321ee870384a1da3c730a03dd0408a5d9fb55ceda3759df5af26cadcaf9379b06327fb72e6c7cae5a3377736034a04b883acc82681de89

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrv.exe

Filesize
111KB

MD5
0807f983542add1cd3540a715835595e

SHA1
f7e1bca5b50ab319e5bfc070a3648d2facb940eb

SHA256
8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

SHA512
27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-03_4a65bc7f8169b7856bcf301224a778d3_mafia_ramnitSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE81.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2568-42-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2568-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2672-1-0x0000000000990000-0x0000000000B85000-memory.dmp

Filesize
2.0MB

Download
memory/2672-46-0x0000000000170000-0x00000000001AD000-memory.dmp

Filesize
244KB

Download
memory/2672-43-0x0000000000990000-0x0000000000B85000-memory.dmp

Filesize
2.0MB

Download
memory/2672-6-0x0000000000170000-0x00000000001AD000-memory.dmp

Filesize
244KB

Download
memory/2692-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2692-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2692-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2780-13-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2780-14-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2780-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2840-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download