Malware Analysis Report

2024-12-07 02:09

Sample ID 241116-flayvazhpg
Target 2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit
SHA256 29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524

Threat Level: Known bad

The file 2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 04:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 04:57

Reported

2024-11-16 04:59

Platform

win7-20240903-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxE244.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C33BAF1-A3D7-11EF-9E7F-EE9D5ADBD8E3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437894897" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 1224 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 1224 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 1224 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 2332 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2332 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2332 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2332 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2536 wrote to memory of 2144 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2536 wrote to memory of 2144 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2536 wrote to memory of 2144 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2536 wrote to memory of 2144 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2144 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1224-1-0x0000000000E70000-0x00000000011F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1224-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2332-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2332-8-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2332-13-0x0000000000240000-0x000000000026E000-memory.dmp

memory/2536-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1224-23-0x0000000000E70000-0x00000000011F3000-memory.dmp

memory/2536-20-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2536-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2536-21-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2A2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar351.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 517d27eb5da9ba1214cd9e74349b87e7
SHA1 f584da931a13e10cee4fcfe40a2c404f25c0f2df
SHA256 288a56a908ff18756424b0bb05f7ec62a36d9b8bf6f644dc4f53dd02d99c665b
SHA512 cdb45ed00a576dfc2dfc2814ddee9b963053f446460195fe992e0ace920cb72b122b4934351602247b3596f9dd1ad968893c10c2813b51c86d9aab0f331e8af5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b23b5e89e0a35a8e5e18a6d344cbb214
SHA1 e1a74ada6f9ed2cbdf3ed0174fbd4897e749b1db
SHA256 cd7d4b395970965009dbd6c22f491bfc4788bdd60503a69869273dbd5bc49b3d
SHA512 0278aafbf43a9e1849498482de8cff379f56e9910f067ab62720110a0198772a3c8434def9a5dbc91a33149497bd06fa9558e05ed9f868b1916320f95cb45f6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16658b5e04fb61f78475eed7f0155161
SHA1 ebdbf158419560125e42957949897e073f04a97f
SHA256 c89957e7e5e00b731937b3264c6b686e0068246c2e6b76e42dfc05ed2ebe190d
SHA512 f744851904efd8408d9a1ec1c453b21fdc15417811a4d7943e966832908d2af55ba429f277e549396fdd8e6c7d9a20d7a7e06208f7ffd4850a720577a73f86a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 635efad5987dc1065126048b9ac6d52a
SHA1 5d8354b09369fddfa847de806a52d6c35d4cb558
SHA256 1d3fb2bd24dcc16c263d0407d3cf60b3002c1ab4ee299ae9d662227e095d56bb
SHA512 05ae3a52d6712399c8684898f7d87de80af682900f59910e810971ee30ae61ff11a8d09e3031d12822d645a6b471ce05add13678e8330586ead89f6bbc313887

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1d8d454d3224b73fe1d6b1fd199bfc7
SHA1 e49e7ba62d7bc42b68407707a261be08177a5244
SHA256 3165280fe40c678c546b51fab684edd2131b53b58c7a7c9c8126cbab08d66ed8
SHA512 161bc57610c78fa5a5a8fe07671bb9ca1d35d35d89e3e3c04a5b85b9ec22c47272f7c844389401af00075557854ca8c9f3916a099d9053cfe241b30f711a8c51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9c0b76fe5639300fa4043c03ec9da33
SHA1 c3fe011b6732a2424014b035d97790ef7f847bd4
SHA256 665bee04ac137ab33152bd95b2c946ddcb4594508958c46e2ea3d1347dae26f5
SHA512 a165abd561cdc9a33394e439f1d2a09d79a13f6539b81aca910979c94ca71e2b1e8deddb4a60afad6f86251e78adcd7b31fa2615b0a96be9efbfe201a7a532df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cafdc38dc0cf39ec30391b8559786144
SHA1 0725fd256784346b87665b96d5b6a70846b69ded
SHA256 7c17ae8c2bcecad900eb51f0755bab7a98650a4f5ab02c2b7499d8d1cda55e5a
SHA512 ca5c052b4616dae37272d5795f8e46cf1c6cee857bd441f8f8e96a63a287662e27fda42577f0a232d6bf3b1190f0914cbe5e6f54ed9b1e47e055bb9884fc23aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 997dd0f56bd36a709f58b900c62c8c1d
SHA1 2cd5f04756ab59034ee3253cf373acd5781c71b9
SHA256 ff10008be6773de1676db429da3324edbe47323afc4f6ab5df2dabaa67d55a5b
SHA512 7beb45edabeed9df5cbd50ececc7cc4bc0ec52d512c8ee5c4795840f1918c627401f96f63320669e6e3bc9553b9375988df66ac09cd41c0a782ddccd37344a7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee219dc80860d0b06c228c9ff558fb74
SHA1 925d3fc31c356649db3bf07d4fafb867a5e06047
SHA256 1bce9ae6664f03c0c66d9b3d4348b445713de84aa247cff95d0829e381944096
SHA512 9949024f2d8bc38d227d67764202d0cb74ac14b3197eebfd29a65a564dd836a27bf6f15cee0631a67c1239f2996b168684db1e7422dd66242248317611345c01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dff4676269e31218f53d670fcf85eb51
SHA1 054998d4d85dbb9e42315c45432501e8880b5115
SHA256 a0086f5e590db74238028d9c9e74cf19eb6f43a96308a199293e7870e92c8de3
SHA512 2c2230db57f88ce6395cabf5033cbc679809daa91e12100019f580d2eb1f20e73a9e6643b1eb3f37e884c30f9bd079386c77be17c9c3abdc3589f8adfa193969

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acae96ab4faa04a20d56f22b8f9f3a80
SHA1 85f7f768b4ae7255968ef9ba6d3a7007cc91900a
SHA256 20ec00f6ffe6cf118ff9ea56ab5219e21f81c1179e4cba71b9bdfc1a2b0d0caa
SHA512 0cf42f2a8b4be2ef14a0d62e04da67a0c556e611b2a45a8d945a16d1b2556066a180095fd3e12a92b5f4a375dc489f948e3adbf25c303db4dcd071b247c40c9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7670f6eac1298ddbd5021a76aef6928b
SHA1 7ea5d814ead4338011f40a54aa91e928906576ea
SHA256 d0922855a60a51c70f66fabc7264ac1abbee562bfd4e12eeadd5188395fd79ae
SHA512 f976df58596ff5819d032d3c984bfbf902e6ece26c25796b7449e0adfe0b53ed9a28748fd37f68fd83d42f3177c1fd3370c9e273b523af029a5a9bb293c5a3cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5442c0d22c4fb24f6925f7a2ad49997b
SHA1 e924042ac334d9eab496daf50a18479afee1d12d
SHA256 cf9834505fb5f3dbd7145bf81ccf218655d71798163ef920f9836b4806fd0390
SHA512 f05923d885bdb8521e9b455049224858970e9e94824423027a86715d31c32cfae3cca066737e5b8b470e18995c7e36e82e7576c78ce220e57418f78a8d976e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e46672a30b883568950ad2f971ab6e77
SHA1 777f79aba1e92d80edc8f83a267cd83c6879e437
SHA256 ea30463544ad2ffc29ac36964b184ae35a786ae2ae77f215605c9091cbb27d1d
SHA512 95a0eee34c2d3cfc1be0128ea8e8c37d6e98ce7f3a24e1d1d4f02e1bcfa157023e0350894bba5e754b9c2c9f817771dbafb0c2075da24677bcac150a86eed525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a023bef2be80c9e3e7bfadcb1c43d4e2
SHA1 cc48b4af85ad08e057d8b4757374d398631e2ab8
SHA256 8903756ef3fa52a51ce1acebe424664a932e196317be2b8d05f77d20265d9d30
SHA512 530e0ed35e7231284559b8021eae0282fdb8f216985f033e89833f027432b31eb2079d3fa0a436532bb8a4581dc3fa05343402bd537ad12d8074d204d2b37625

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85d64eb0f88c49433a9c2a7de289eb59
SHA1 a373daf533eab3e70ceabb7459f5217a6c0d46c1
SHA256 03ba09b7e5831776b38cab418161fefbe3582eedc076f95a8ec1ae3e1808491b
SHA512 1bfc183d2346e3e1aec96edce696a0f1506c4436b84c92c11b59272938583c71878f8ee3ae928a6e68a2c381af5db78ef9d82a02326a6e28a074a7e2e0cca23f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3899350a824f9cd48f1d9647a6926d3
SHA1 fab552b550ec9d14886008cde757b2d946b99141
SHA256 bdd66e9eb3c9a9d91e3f72e671fcbd2c0d9ca74081cf929161d7bb027ec864c7
SHA512 f2875e3299838363b69ab0586500030a5a7efaaf43ceb08a099854b1e35e490c43c0d3c5a4ae8925b95a022c3b3f724e405e98fea94e3b60d17d346f9fd26582

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c8cc455beb68b9dabdb3417bc9c1bfd
SHA1 abab31f8e41c267617670ddfdee805ac76da7ca4
SHA256 d287336113d5576724445da1b40f183c01021ed952feb4e63d93af126d637c96
SHA512 5f6155a94cdce7a7050048e86b184308ab07991230699464dd79203bdc814904bb9327b0c7d30b7e96f05fa4bcef2254fb9a20cc1825b0e5364b348e87004a89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e63690da37fdc0fe15fc4fec92e4a363
SHA1 29a0140050c58e172fe3eca56ef66cddda117f94
SHA256 c7c52427c72a4f414897cfb1ab22b617d473df1ec58b1a01437be2f1a31b89c8
SHA512 db44fd652cc97bf49abae57fb361fc67a6fe6dac4dc38b15de4b22a1589354b8f128713cf941a0f970aa200d4689bef7e91a313ae729bb535ac17b4f7176c3fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 04:57

Reported

2024-11-16 04:59

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxAB63.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143908" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438498006" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "297126436" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3D0256DF-A3D7-11EF-A4B7-D2BD7E71DA05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143908" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "292595658" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143908" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292595658" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 5020 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 5020 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
PID 3896 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3896 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3896 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1144 wrote to memory of 4748 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1144 wrote to memory of 4748 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4748 wrote to memory of 2236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4748 wrote to memory of 2236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4748 wrote to memory of 2236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/5020-0-0x00000000000D0000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3896-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3896-5-0x0000000000480000-0x000000000048F000-memory.dmp

memory/3896-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1144-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1144-13-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1144-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1144-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5020-18-0x00000000000D0000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4716dbab6f2ab2afcbaf76db5f0b38c9
SHA1 9ff921c8611055814c46c2f6040cc4212879907b
SHA256 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573
SHA512 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6e52d7cf8ce4faa24abb923cd5052bb9
SHA1 63ead0481998dcdece567282d394eb8fcbceacdf
SHA256 60193bc59338a84d205bc227b0585128c55b1b3a3ad135384d2288db14d8a196
SHA512 ee1526785569e1cc9d8480d1b99f66a64553314d1c00c6fc26472a2c33164ebafeed8524479852ac241a796aad799f4bc5788c143908ed14e110d49a0a6fa4b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee