ramnit | 84f47abd2a7ece82a7a2d71ff32a39ffc95456be4ea6a94b8edfbae599655960

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
Size

3.6MB
MD5

2ab8a84ec6c97be35f6497e269670ef5
SHA1

5a3f66b940d19a59139548872a679020b4faf155
SHA256

84f47abd2a7ece82a7a2d71ff32a39ffc95456be4ea6a94b8edfbae599655960
SHA512

e67d381e4a9734b6ee34289ba69e9cacb43cc91f686f6b195275c672587a78e301b85c1b80d27aad373d3fe9554ba400fdf837a4739bdcfa3a7482e30442f6ca
SSDEEP

98304:V1fX1YJdXWdlfmkfldqgVMgDnwo+kUNWvI3npO9Dz7vYzLEEvBZ0qwmy7mpmm9mq:V90dXwgSkpWfDz7vYzLEYBZ0qwmy7mp5

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
2880	DesktopLayer.exe

Loads dropped DLL 3 IoCs

pid	Process
1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe"	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120f9-1.dat	upx
behavioral1/memory/2628-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000700000001868b-9.dat	upx
behavioral1/memory/2752-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2628-23-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2880-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2880-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2628-16-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEF9C.tmp	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEFAC.tmp	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA075CF1-CEF9-11EF-8F1B-EAF933E40231} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9FDD771-CEF9-11EF-8F1B-EAF933E40231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442637611"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
2880	DesktopLayer.exe
2880	DesktopLayer.exe
2880	DesktopLayer.exe
2880	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
2712	iexplore.exe
1724	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
2712	iexplore.exe
2712	iexplore.exe
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
1724	iexplore.exe
1724	iexplore.exe
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2628	1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe	30
PID 1600 wrote to memory of 2628	1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe	30
PID 1600 wrote to memory of 2628	1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe	30
PID 1600 wrote to memory of 2628	1600	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe	30
PID 2628 wrote to memory of 2752	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	31
PID 2628 wrote to memory of 2752	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	31
PID 2628 wrote to memory of 2752	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	31
PID 2628 wrote to memory of 2752	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	31
PID 2628 wrote to memory of 2712	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	32
PID 2628 wrote to memory of 2712	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	32
PID 2628 wrote to memory of 2712	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	32
PID 2628 wrote to memory of 2712	2628	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe	32
PID 2752 wrote to memory of 2880	2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe	33
PID 2752 wrote to memory of 2880	2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe	33
PID 2752 wrote to memory of 2880	2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe	33
PID 2752 wrote to memory of 2880	2752	2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe	33
PID 2880 wrote to memory of 1724	2880	DesktopLayer.exe	34
PID 2880 wrote to memory of 1724	2880	DesktopLayer.exe	34
PID 2880 wrote to memory of 1724	2880	DesktopLayer.exe	34
PID 2880 wrote to memory of 1724	2880	DesktopLayer.exe	34
PID 2712 wrote to memory of 2552	2712	iexplore.exe	35
PID 2712 wrote to memory of 2552	2712	iexplore.exe	35
PID 2712 wrote to memory of 2552	2712	iexplore.exe	35
PID 2712 wrote to memory of 2552	2712	iexplore.exe	35
PID 1724 wrote to memory of 1516	1724	iexplore.exe	36
PID 1724 wrote to memory of 1516	1724	iexplore.exe	36
PID 1724 wrote to memory of 1516	1724	iexplore.exe	36
PID 1724 wrote to memory of 1516	1724	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1516
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24e0fea4e5e1031448bd22a04f512a54

SHA1
0ab36ea95926f300b035b13dcba21c6cbef047f8

SHA256
93f68a9cbeb3eb62f1c5a1b5110330ea90641dc929fcc56ecc657ffad372ae68

SHA512
fc353008ced775323bae7ae89602ac0907b2fcc73e188c7b5652a31e714bd5af8a3a2aafc67edd0603b23ecebb32eef478ec0909a0bd188af28a862603d142be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75549b47b768451c9953165999251ca9

SHA1
928549d621627bf29690960eac9101e1d32b9ec0

SHA256
b4971d224b27ead41d543bc282b0d5a3e34ac0749141002f47486acd86b31f4e

SHA512
1ccc05b3e61d5802b4cb8a82773fec07ae637f5461adb0ef88115dbb557208f4ea2644be41669b22afc1694b6f125a26a8ecb9846333b4317ee11d587d0e1921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1260d6ece3d1ed660bca9dd8d94b8c2d

SHA1
da15204f553d9170ca21455705782aa8dae34c06

SHA256
34a5937f20740b74e1d7e3be69b46a2c889b0b109e0fbc97ce3c9812c63b6b2b

SHA512
8beb647157604d8dc8bc4c01c78e203e6266d4cc1ff0841fe0476532ba5315f501b4e0b1502a6adf831626543e0773484ef1027d539943e7c13eba39a3e261b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea116d08c8403ea5e129145ffb1b5a2

SHA1
e46c9b9ab672fcf8e4001e736923b7ae9bbbb5cb

SHA256
2db93aa441dc6c51cc286dee9566a13c82d9fd85bb56a51fc42b08c049340164

SHA512
f5d65dad35f7d8e0844f5a1b03b5efdd38aa076f910a330e665b5954e55a165e458659e62e7ccff7c3ba87ecba6f3592be63762760adeda04c722b0ec0269705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1adac01ec438afd8d93f1814c0390af

SHA1
3e46b0359171710f03e3d946d4e4f7946352c116

SHA256
ef22b391e90d0f845512344fca95520764ce4514a3bfc54454c2035bbd5b8da0

SHA512
1232e8596330ff0ba4d0fc4cdc8eceb6d9cd8ca31e450f8c07bf2ff9b0a56d6ab9c7e5f93fd3e2a7970e1bf5b384b96e205b154b08ec1ff543b1cd0084fd3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddbff5f62b488cce854f02ed2ee7b1be

SHA1
03f01cc3c215ccd68d97f8bb458d34444c38205d

SHA256
978eda6e2fd6c7da3116acf3d5084015b0f9d21d2678f5153d1f24957044922a

SHA512
ddaf5174a0f4ad22129a2bb1ccc7163ed91e6cc76e6b55668b6fa77eebb555c0415169fe558035c2e39814e4909ae46348af4a7c7a15e186e3ef93d11ea88c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10a9e13a083adf2ed801582bac021d12

SHA1
2613c2967794c5751897d0ad1086edaadb4067db

SHA256
8d1c42e4b49b385bbec4009816acbfca1482778e8c6dedcee664a92335975de3

SHA512
ac48d5dce0785a2f2690ae0ec8816ecd9fd162777f7a52844ad5ab39d3a69fedf1621913a8d597839cd232cd044832f8fd1281b9a714ce09f8c8a5d636181471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
507dc453799f7f3276d7b0fb3f94804c

SHA1
470cea6814c3a39b4c7ca49817490e0653bbcd6d

SHA256
f56a59d0bd64ed62b6c2e0d225f0c6b5f4e8b34608541359258422b11fcabff5

SHA512
a99752a65b70a818255248641901e9126efec768e65ce20c7c3c7940368dd594f49a5139d10df6650053c6dd696e008edcd0111041a15c15abadfeb911aca7c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
775cf2ccdf2f562f5de8207d4cb4035a

SHA1
cb0cfd5ce42daa81ce7ea48250d95228f9f64ac1

SHA256
f4fd632c1d478b70d60df2921e090d6c24ae8e9e7f1de982f62104473f656743

SHA512
843864936639123d5646f225e1b37166ff3d6be7d25d09e7a16efeeb8b43a98684dc1c1d77f8d20e36106b35ad79c2d2cf6bb9681ff54f39a119fbfb7030d419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67fa0f12372abeb535900467c2112c4d

SHA1
1bfdbe606525c580ebb6bb3e6464fd650d03860b

SHA256
68573c9301b9dba24f2f5f588f4adf874be91689f5ccd49b6ab8c44181e2cf76

SHA512
7f37e7ce0931817f49d2bd7c1bf683005c9c8e929cce4d86f27a4ee531c8c97d777aadde57c60f5a207e66468cb67c7b715fafc209cb0c764dc13cc12b0ab769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2a3c6e62a020bd4d2a2c77647aa59b7

SHA1
81782b3e320ca7fa82bf6eadfe388acd2f0598a7

SHA256
1923c400b86707fcad8fb723b42e3502ce113e9a9a5c257003742ecdcfa7429c

SHA512
a3c707d2a927b58f60a570a9eddcdb7f18857e3d3d5081d37ebdf6a374b6809942ae1a040e13ee4092138c6fc20e1fe29e85b84f74b5e12add42f1a4b5d164c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
992088819effa248a6adf970d46896bb

SHA1
1f0543dc03cb749abfb9a2c28c4a91adb45f3a70

SHA256
bb0c196f72ed932320a55cc1a85052edffc95214be2a2bcb5b65cd6ef9093a8b

SHA512
3a590dc2684efd7d160d3146649812188808b7a15f022f761d43d6de7d1d462a16a073ef78e0d78e95972f9c1ed7be099a2dcd7ac8ed0f3494b71e76061e660a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfd760413a23e3484a5974a4ccfd11f5

SHA1
9aca8efc612fae98f284249804aac10cae24f731

SHA256
b1b4db2c21159fe08f812d27b4919ccdb14f5c05b57576717abfc4e6205e1848

SHA512
8718cf92e395ed53e09bd8a9a499643476b77da6bd2b943d953297210b194d777797e2cef63288e7e90a682253ea042c83fae1784c47f055a3558e3392d21580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35879d9e922f5d0aaa9a11324c6dae12

SHA1
d9a9b8c39927ea2be3da7e3dbce0760630096649

SHA256
45b0e64144e65bc468a80f5c82865e29d6d4b189bafcebabac96d8fbedf9fbb2

SHA512
44ba0134f0bf0cd6f7ab5a61975d8424a3eaff3c07d30620cab702ac798280695dcea260332f0b2633eaf06e4303faab79a239cc775d38a686ce2876846c08a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df52965f48e1b85df1ee1f52c42e5ba9

SHA1
6fe76d9f338ef4353eb8f6734fe115e66d189ebd

SHA256
4d175bb4290f5bea39a08ccc0be8ac7282bccaa0c9b2422e794e236318d26d47

SHA512
723a609f0455224a52d72920cbd13b605ad0bfd47678a6c85fef8ea23a4a1e37c8143261258d7fe86a505e8378eb567bfe3b8a5e3e7de6ea16567f859757c14c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f29d485121083ea4a2e542551a6da94f

SHA1
64c41d03bcccddaa680b1971d42576a995ea2115

SHA256
57e3952c4662887fce1c18b5c3c057a8b650fa85f872c3245b826984d05954d7

SHA512
e7243d283c560521764547b7ab7622d36251248bf96b26ee2921649025918e471a5e3922a9fa2c8dd937f578d72ef1e06f8fbb9d3551d6e0a1c0efb1921c3ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c610fc29492dced2c3d2081373177f3

SHA1
d4b07c396109b52afdf86858509f6f60139f0ee1

SHA256
0f1c4dee9c94629ba04cbe6f6052fd45a1bef6fc18e1158dc166db413736e980

SHA512
1137dd75b90ad58bc5ac7ef75fb6e6669c152dd387823327539bbde6209aa94419845af96517a9aa22359a7566b9838bf3e6ced194f3696b12437a6909c66498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54936b3bbac2da72b88afcfe91c331c9

SHA1
89c37958709a7d5baf24b7d3593b8e9b9c6d6033

SHA256
5093359325b137b38e1f5187e23459e29194a5c716ebe5c6ae80a226d37cff93

SHA512
5c0e41664efcec18ab5f8dc7605108afbd0f93cc88f837d864c7277e09779e809b969d19c2fb6962322acc3951b95893f27472ca466b49d535e61919a1510c1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0707287f09e1a595a31553b4e4c2a36c

SHA1
7f600b4929e7a441915ec9334e26501b525d1f0b

SHA256
8f7b145ff78ab3ba8ddffb898e7d6f467a94eb1f8a61e3f8bfaf53177e15ccc7

SHA512
7f869bada1dce9334f94b769444bf80ab9165463c82d6163b30cdd0e1ca32ff9e3b11a8f891bfe7ee30260d35de66588bebf3c964e6a2b8b618ea0d8b8c07d3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
450cfe129cc825140c7dfa1c9c63d6ae

SHA1
a9baa309443c361ed272c49f4504d3a07f7ab9fe

SHA256
971417e95f4a71fc708e1c0fc168bafbd1a9c1317030099d28d3c2a5059738af

SHA512
869ff8be7f690ad67ca9c1942937b4f871b0f6a09be1d707c32460ccddbbe4aefe11166f8324f42f30550f9f0356a8b31709a073a77c49a510aaa7535f45f7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B9FDD771-CEF9-11EF-8F1B-EAF933E40231}.dat

Filesize
5KB

MD5
955838e30b5b00ef61dc9809812a538e

SHA1
9d252a510c33e2f64878b6e6fa3d70479164e9b2

SHA256
f7806592066b1af096e3fd7540bc3163eda34b5bc6226041cef8717388739fbf

SHA512
3bf88dc9bffb1e9ed4260294104c8a5b8255860e9f08e6ed52280db32db5ad9f80af171f8eb698af47afe30e06d877ce60d3c56f87e3c2226bdcdcb96cdbb691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab561.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrv.exe

Filesize
111KB

MD5
0807f983542add1cd3540a715835595e

SHA1
f7e1bca5b50ab319e5bfc070a3648d2facb940eb

SHA256
8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

SHA512
27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-10_2ab8a84ec6c97be35f6497e269670ef5_mafia_ramnitSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1600-42-0x0000000000210000-0x000000000024D000-memory.dmp

Filesize
244KB

Download
memory/1600-5-0x0000000000210000-0x000000000024D000-memory.dmp

Filesize
244KB

Download
memory/1600-4-0x0000000000FA0000-0x0000000001343000-memory.dmp

Filesize
3.6MB

Download
memory/1600-33-0x0000000000FA0000-0x0000000001343000-memory.dmp

Filesize
3.6MB

Download
memory/2628-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2628-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-11-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2628-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-15-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2752-26-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/2752-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download