Analysis Overview
SHA256
7bd1e0c55451a630d5c43486e99de0b610d878dc13e7212dd4b827d0dbd35c36
Threat Level: Known bad
The file 2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 11:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 11:44
Reported
2024-11-15 11:47
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px77FF.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438436070" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3710137936" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3712794540" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08AC5CF8-A347-11EF-B9B6-E6FB6C85BB83} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3710137936" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143763" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:17410 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3916-0-0x0000000000630000-0x000000000082C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2392-4-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4968-14-0x0000000000490000-0x0000000000491000-memory.dmp
memory/2392-8-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2392-6-0x0000000002040000-0x000000000204F000-memory.dmp
memory/4968-15-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4968-17-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3916-18-0x0000000000630000-0x000000000082C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4716dbab6f2ab2afcbaf76db5f0b38c9 |
| SHA1 | 9ff921c8611055814c46c2f6040cc4212879907b |
| SHA256 | 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573 |
| SHA512 | 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | afee958f588f3f1c974325129c433ba9 |
| SHA1 | 7bc816780b62ddd5d2f6a79e950442cb7196b0ff |
| SHA256 | d381672f632407b5f7d59380d17b802223aaf2d6416e197ccbbba74f79e688fd |
| SHA512 | 68963505490fe677499a2f5f62f11be6629c97fddc7ad6b29e19d6af8dd67db67a5db4aa098c1d480b8600dcc2580746f9fca2ff00b0e550915e726e2f6df8b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 11:44
Reported
2024-11-15 11:47
Platform
win7-20240903-en
Max time kernel
135s
Max time network
129s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxEA6E.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437832963" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{080CD171-A347-11EF-A96C-C6DA928D33CD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2 |
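The process list above, and the identical chain in behavioral2, together with the "Drops file in Program Files directory" and "Executes dropped EXE" signatures, are the artifacts worth hunting for on other hosts. The Python below is an added example and not part of the sandbox report: it matches file observations and process-creation events against those artifacts. The known-bad hashes are the report's SHA-256 values for the submitted file and the dropped *Srv.exe; the report gives no hash for DesktopLayer.exe, so that file and the px<hex>.tmp staging file are matched by path only. The observations at the bottom of the block are constructed: the report lists no PIDs and no parent/child links, and the only value reused is 2248 from the SCODEF argument of the behavioral2 IEXPLORE.EXE command line. One caveat a hunter should keep in mind: every row under "Modifies Internet Explorer settings" and every row in the Network tables (api.bing.com, ieonline.microsoft.com, the in-addr.arpa lookups) is attributed to the iexplore.exe processes themselves and is ordinary IE start-up activity, so none of it is used as an indicator here.

```python
"""IOC triage against the Ramnit detonation artifacts listed in this report.

Added example, not part of the sandbox report. Two matchers:
  match_files     : file observations (path, SHA-256) against the report's known-bad
                    hashes and the dropped-file paths under C:\\Program Files (x86)\\Microsoft\\
  match_processes : process-creation events against the dropped DesktopLayer.exe image,
                    flagging it and every descendant.
The sample observations at the bottom are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA-256 values taken from the report: the submitted file and the dropped *Srv.exe.
KNOWN_BAD_SHA256 = {
    "7bd1e0c55451a630d5c43486e99de0b610d878dc13e7212dd4b827d0dbd35c36": "submitted sample",
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320": "dropped *Srv.exe",
}

# Paths from "Drops file in Program Files directory": DesktopLayer.exe and the px<hex>.tmp
# staging file (px77FF.tmp on Win10, pxEA6E.tmp on Win7, so the hex part is matched loosely).
DROPPED_IMAGE = r"c:\program files (x86)\microsoft\desktoplayer.exe"
DROPPED_PATH_RE = re.compile(
    r"^c:\\program files \(x86\)\\microsoft\\(desktoplayer\.exe|px[0-9a-f]{4}\.tmp)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileObs:
    path: str
    sha256: str


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def match_files(files: list[FileObs]) -> list[tuple[str, str]]:
    """Return (path, reason) for each observation hitting a known hash or a dropped-file path."""
    hits: list[tuple[str, str]] = []
    for f in files:
        reason = KNOWN_BAD_SHA256.get(f.sha256.lower())
        if reason:
            hits.append((f.path, f"sha256 matches {reason}"))
        elif DROPPED_PATH_RE.match(f.path.replace("/", "\\")):
            hits.append((f.path, "path listed under 'Drops file in Program Files directory'"))
    return hits


def match_processes(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Flag processes running the dropped DesktopLayer.exe and all of their descendants."""
    by_pid = {e.pid: e for e in events}
    flagged: dict[int, str] = {
        e.pid: "image is the dropped DesktopLayer.exe"
        for e in events
        if e.image.lower() == DROPPED_IMAGE
    }
    for e in events:
        if e.pid in flagged:
            continue
        # Walk the parent chain; the depth bound guards against PID reuse forming a cycle.
        pid, depth = e.ppid, 0
        while pid in by_pid and depth < 64:
            if pid in flagged:
                flagged[e.pid] = f"descendant of flagged pid {pid}"
                break
            pid, depth = by_pid[pid].ppid, depth + 1
    return sorted(flagged.items())


# Constructed observations. The paths and the Srv.exe hash come from the report; the other
# hashes, the PIDs (except 2248, taken from the SCODEF argument) and the parent/child links
# do not, because the report records no process lineage.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit"
SAMPLE_EXE = TMP + "\\" + SAMPLE + ".exe"
SRV_EXE = TMP + "\\" + SAMPLE + "Srv.exe"
DESKTOPLAYER = r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

SAMPLE_FILES = [
    FileObs(SRV_EXE, "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320"),
    FileObs(DESKTOPLAYER, "0" * 64),  # hash not given in the report; path match only
    FileObs(r"C:\Program Files (x86)\Microsoft\px77FF.tmp", "1" * 64),
    FileObs(r"C:\Windows\System32\notepad.exe", "2" * 64),  # benign control
]
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(1001, 1000, SRV_EXE, SRV_EXE),
    ProcEvent(1002, 1001, DESKTOPLAYER, f'"{DESKTOPLAYER}"'),
    ProcEvent(2248, 1002, IE64, f'"{IE64}"'),
    ProcEvent(2300, 2248, IE32, f'"{IE32}" SCODEF:2248 CREDAT:17410 /prefetch:2'),
    ProcEvent(3000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign control
]

if __name__ == "__main__":
    for path, why in match_files(SAMPLE_FILES):
        print(f"FILE  {path}: {why}")
    for pid, why in match_processes(SAMPLE_EVENTS):
        print(f"PROC  {pid}: {why}")
```

The file matcher keys on the exact drop directory rather than on the name DesktopLayer.exe alone, because a bare filename match would also hit legitimate files; the process matcher flags descendants so that the two iexplore.exe instances are surfaced even though their images are the genuine Internet Explorer binaries.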
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2648-5-0x00000000001A0000-0x00000000001CE000-memory.dmp
memory/2764-7-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2648-4-0x0000000000BE0000-0x0000000000DDC000-memory.dmp
memory/3028-19-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3028-21-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3028-17-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2764-15-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2648-22-0x0000000000BE0000-0x0000000000DDC000-memory.dmp
memory/2648-23-0x00000000001A0000-0x00000000001CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1C8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1DB.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 361452ddb8bb0551e17d591c1403d0c7 |
| SHA1 | 435e93b147d07f8e4d5b09426b330c484ddaade8 |
| SHA256 | a02ed581c436aa2ddab6c0518e4fda6ae28f7abce8f967b5854da3e900161461 |
| SHA512 | 93db364b5bcf213dd21f7587617d81f6df6113ef3a2783e5d768604c063a35cf209067782917c1d11b05f54cb18262344db94165629744be2543c9fb19a764bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 177f0d226700cc69bc44d5ab8b30a0f8 |
| SHA1 | 0c384f8d7a9f142967cbb5dd4fa6bb25be83f96a |
| SHA256 | 67a42b2f81a0122b6b4b908507ee317b473cc415810d0269528fd8f3f52054ba |
| SHA512 | 1d9923beba1cd118a024509f7d97568f4784e44417120e7154acbe59b12ba051a8cb326ac8ac79730b848e0c94db0d8d669562ddb5fd627f98c732b496e07045 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae02c7cf6dc6812f282f294c9351cb4e |
| SHA1 | f502244dd27e6123f304cebe6d135dfb4c67e36c |
| SHA256 | 4570524957ad6dbf3a620e9bf2f1dcee93adabd3746ad426d65fcb6eacabd5e1 |
| SHA512 | b7acf02c04a376c7249041676d8f0ad6dc5530db9565cb3681de8e720d1296ddaf8e83b485d5c8034f468ea0124aeea8d271326841b60a5dfe0b8fa4594cad9d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9796a67e255814e7bb5f90e30a212dea |
| SHA1 | 459ff6f1c0039bc5f39706053470feda07d16573 |
| SHA256 | 87ae5a39e7cafd460ff79ee170c392877a5ff56e1ae9970d7e862daa497b6cba |
| SHA512 | 0915b02005a6f8b6689e05ba39ab4b0be4bc31e0ba307916ee81f57c8734c655c6bc190f210daec9a0866b1a56215ed1aed435ed9f6a980676ade65f38ece730 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76f010cc9893b732ce5d7415682e6411 |
| SHA1 | b1fd4971337c9729300b1c8726a1b2e0f310930f |
| SHA256 | ea547a8ea3ad194abf82c201852aff06dbc71aa56e311ad21cb9abc5c27b39ce |
| SHA512 | f97d6a9fae90f2df10d524834d11181533abd5a2502e8409069a59a2c6393ad0e9942f57e0be8b2fb87f16c41943527049d1af25bc5dd5cce1c6d23793239436 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66774b692219315fa6f5d95377aec343 |
| SHA1 | 307f02ea497a6e763449ec9ac4912255568e6f6a |
| SHA256 | a897129d55ca2354ddb266cb232c29ae3dd1dfafc720274d89d50851824eec77 |
| SHA512 | a676cb0da23558c1b205bb84125329c9c2fdfdc831a852b5acfe4b714a77d2f94dc3b1fc92a739835ddc6b2e2d0395278cbd38cabe3b223c34da97991706b7c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 463e7e6e13306276e5f42f9915a73b29 |
| SHA1 | fc438b2c6391d6b4a79875a800e367869bb07d9d |
| SHA256 | bde13fd908bab24f9849a4b8d424d00144d367bfea9a959676b55c7c012b6034 |
| SHA512 | 9dfe67c5c4621e1437e5450bb576213fdfc191de4c09673fa4f05d6f2c5f01a35c3f606717068d32051bf49438fbe02b10b60f0083e8b6d0e3e24279c0b9bae6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5cdfed7cf79657c329a6c9971880bc7 |
| SHA1 | 80bd3f35e45d9e22ff11f0e142a39a9a157665a0 |
| SHA256 | 800712bf19442a188b285c2271f2614c4fe74e2f3c80598d3b6f6db670efc0b6 |
| SHA512 | bf0d5c16b16b4825631e77c23d02a19cfab603faf45a9241efa73eb74419c47be6fc83c0ff379e9e533831b2047c35374afacf578d57b8b3fcf0eacef4c63fe2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a3dae02b793436e2b9dfae631c3a35f |
| SHA1 | 4360bb8e589e338e153949aa70295fcdc0dc0b90 |
| SHA256 | c255500f10e1a3ffb3b114b5cb78048178215446b84bb46be6b74896af5ef42a |
| SHA512 | 022fb9e9fcd74c79f48c061f07a2604cf5a470e1b3ac5a1a39675e00b109338e7e58f90f61d87247d92b5c43e38d3814f50ed182613a8ff4cd6f805b01e23b83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a063f9eeff6eb298e781f84776ba342a |
| SHA1 | cdf49a3dcf94e822ead5ac46d14a9df1b8bf4a87 |
| SHA256 | 9ee4e86b7f9699a2b97dfc9d7e91c7863cef180af1f2e8c9bddcb0d05a81ce6d |
| SHA512 | 41e53ac8ee0bd6676d25ee1075cf5f93d30bba562b7b5937d2d4f0015b551e903d473a3f71cd8ae4571f0a86b6134578bed580e69c613216fc1887836a7677d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a612454bfb306dc56cd16ecba1da8c9 |
| SHA1 | 0c55d9f031e37e075d52ff543b6e2f322d262533 |
| SHA256 | 077b24aac6fb668e38bf37b4331d56b6b8af0a4afbe0ac482304cd4eea41b613 |
| SHA512 | 196f51e61a9eafd751c01b3db5f3c5e12e90b52a9f2dafba7d48e28308b5f57ed6c6b35d4613d4602ebc99d4200b685bf1f550e3967093c406b0e17e319aa2bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57c98640537c2c7363443f76bae0a950 |
| SHA1 | 9c102d66a270e9d2a4bd64589a2ddd63924a8a4f |
| SHA256 | ce53a4eccd912507faaf423e83897253f79778d863add37390c07b4297e4e54e |
| SHA512 | 80eb9f268b2a78e3d4c16d569d4d45f6a132f78d9128cb0ed4c0059741700ea7b74ffb542d90a2c3a79ded132b1563c00e0a274695ada20d44ea34bbd9a31581 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d69c45bab4fa52e1fe7b28e4c03e851 |
| SHA1 | 87227cb89063472e46c4a1c21c77978f912dc4ce |
| SHA256 | 46f5964940138ef28b68b977121c6ce786891ed1383d4327fbb584dfc2657d9a |
| SHA512 | 89d317935f3ebe0b3f32dfd8afeedda3c0b2cee3e6edc1dfe867a2fa53b8b314cfce9352708bd5e87a5d95c0b6aec1f61ba434edf41843ee27131124dc0b6b64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e8a40a19be20762f90ee98b58e6b57f |
| SHA1 | e17ef07b3f38ca5d8a8b248f578b5e19625d22f4 |
| SHA256 | 3c765b0f94274886469300217da0ea9648173a8c3b2765976ab08dd78a7f54a9 |
| SHA512 | d91004f96860ea653c9b916502c95f1c21b3cfa03c60e2ef6312ff4f0e8eebbe615e894c569a16d6975b199f839e82727b8538734c31d1a7adc5db2f4f8da2ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 368378b1a635adde6e2089d21d0cffc2 |
| SHA1 | 57d34828c50a27c6d2dd457c3da1a7da4a67f9fd |
| SHA256 | 6d98706f311f99a5a63f8c33484a0c70a8e433472f8f4301430c2beb22d2829c |
| SHA512 | a0938a0026650af32b3c0ac946b1c6e941c07dc6e4fcae73c2b75f5a3eb99a5dde6fb8dc2fb650d69970a4fb8d89159d000b442378edba6d85e11c62e5f9d11a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7bafe9f4e1e8e7e711e932430a8af2ee |
| SHA1 | 6f14d5fc7629c54635835c973cddca6b755ab330 |
| SHA256 | 9b1ae2afc4ebadd5f32d8afc004a98f4e5ea3b1a31b27325ffedd71422285e1e |
| SHA512 | 8e63adc81edd786e587a9639cbba02090f01831573cb0f0086095ae13aaa11be5a53a723714accabe7ce968e9a63d3aae67af53728d34c3ef0ce0354cd8d6adc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a78989104ec197dc7b18af5e611e7e18 |
| SHA1 | f485dd1c18928541a7a6e63024773ab4e51d64a9 |
| SHA256 | 8ec9c79aa3523b475adc8f62e7d176ea5b44026f1e3005a1729d392fb1556500 |
| SHA512 | aaa3d5f791ae782c02a210da9b53c7af07040708645f6a6fc525ec5dfed82abf35bc94a078bf054fe05e23dccfb6caf558fb274b6495b49a67c6578538cc701d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0784fe31996f53bd7b66a9b3ab3c74c9 |
| SHA1 | 3b6b9847b0fd6309db3bfcd14c0888a9ced55f53 |
| SHA256 | a997f94f4299a02590fa8390f218344fa5bd8977cdb41f5ef9456bb9b95c5503 |
| SHA512 | 8c02dc90f851cdfd1bbec2b43f79382a959ff6c8f6d870d43ed7b91f8e6d479fa036fcf5578cdc9071ef76ece65decbadf5e948578825e1d88135e15753fc0de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff702b1428680fa1e4a72046325f611d |
| SHA1 | f0f2618a804a3e14af9b554aa1c7f7770e09f5a1 |
| SHA256 | 6bbef5624deb8af006320312367318bfc4c04cd9d47d39d8a262227276ad8937 |
| SHA512 | 6079a53e6e377504ded45682711964f7bcc9a0fb78d25c0c1cf4092f0e0972c061f81bd65c35e8fdda5308ce6d3a9d581611cb7861df92904cd5aab355f91738 |
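The memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp entries in the Files sections of both detonations name every region the sandbox dumped. The Python below is an added example and not part of the report: it parses those names (copied from the report into the block), groups the regions per PID and finds ranges that recur across processes. On this sample it shows that two PIDs in each detonation (2392 and 4968 on Win10, 2764 and 3028 on Win7) were dumped at the same 0x400000-0x42E000 range, a 0x2E000-byte image at the default 32-bit base, and that a third PID (3916 and 2648 respectively) holds a 0x1FC000-byte region of identical size in both runs, with PID 2648 also holding a 0x2E000-byte region at 0x1A0000. The report does not say which PID belongs to which process, so the block makes no such mapping; equal-sized regions across processes are the natural candidates to compare with the dropped *Srv.exe on disk when picking which dump to unpack first.

```python
"""Parse the memory-dump entries listed under "Files" in both detonations.

Added example, not part of the report. Each dump is named
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. The helpers below group the
dumps by PID, compute region sizes and find ranges that recur across processes.
The PID-to-process mapping is not given in the report and nothing here assumes one.
"""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Dump names copied from the report's behavioral2 (Win10) and behavioral1 (Win7) Files sections.
BEHAVIORAL2_DUMPS = [
    "memory/3916-0-0x0000000000630000-0x000000000082C000-memory.dmp",
    "memory/2392-4-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/4968-14-0x0000000000490000-0x0000000000491000-memory.dmp",
    "memory/2392-8-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2392-6-0x0000000002040000-0x000000000204F000-memory.dmp",
    "memory/4968-15-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/4968-17-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3916-18-0x0000000000630000-0x000000000082C000-memory.dmp",
]
BEHAVIORAL1_DUMPS = [
    "memory/2648-5-0x00000000001A0000-0x00000000001CE000-memory.dmp",
    "memory/2764-7-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2648-4-0x0000000000BE0000-0x0000000000DDC000-memory.dmp",
    "memory/3028-19-0x0000000000240000-0x0000000000241000-memory.dmp",
    "memory/3028-21-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3028-17-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2764-15-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2648-22-0x0000000000BE0000-0x0000000000DDC000-memory.dmp",
    "memory/2648-23-0x00000000001A0000-0x00000000001CE000-memory.dmp",
]


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, index, start, end and size; reject anything malformed."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, index = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def regions_by_pid(names: list[str]) -> dict[int, list[tuple[int, int]]]:
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse to one entry."""
    regions: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def shared_regions(names: list[str]) -> dict[tuple[int, int], list[int]]:
    """Ranges dumped from more than one PID, i.e. the same region recurring in several processes."""
    owners: dict[tuple[int, int], set[int]] = defaultdict(set)
    for pid, ranges in regions_by_pid(names).items():
        for r in ranges:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


def regions_by_size(names: list[str]) -> dict[int, list[tuple[int, int]]]:
    """(pid, start) per region size, so equal-sized regions in different processes can be diffed."""
    by_size: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for pid, ranges in regions_by_pid(names).items():
        for start, end in ranges:
            by_size[end - start].add((pid, start))
    return {size: sorted(v) for size, v in by_size.items()}


if __name__ == "__main__":
    for label, dumps in (("behavioral2", BEHAVIORAL2_DUMPS), ("behavioral1", BEHAVIORAL1_DUMPS)):
        print(label)
        for (start, end), pids in shared_regions(dumps).items():
            print(f"  0x{start:X}-0x{end:X} ({end - start:#x} bytes) dumped from pids {pids}")
        for size, where in sorted(regions_by_size(dumps).items(), reverse=True):
            print(f"  size {size:#x}: {[(p, hex(s)) for p, s in where]}")
```

The dumps themselves are not on the page, so the block only reasons about their names; the point is to turn a flat list of seventeen files into a short list of regions to open first.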