Analysis Overview
| SHA256 | 29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524 |
Threat Level: Known bad
The file 2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit was found to be: Known bad.
Malicious Activity Summary
Ramnit
Ramnit family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-16 04:57 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-16 04:57 |
| Reported | 2024-11-16 04:59 |
| Platform | win7-20240903-en |
| Max time kernel | 134s |
| Max time network | 127s |
| Command Line | |
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxE244.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C33BAF1-A3D7-11EF-9E7F-EE9D5ADBD8E3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437894897" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1224-1-0x0000000000E70000-0x00000000011F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/1224-4-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2332-9-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2332-8-0x0000000000230000-0x000000000023F000-memory.dmp
memory/2332-13-0x0000000000240000-0x000000000026E000-memory.dmp
memory/2536-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1224-23-0x0000000000E70000-0x00000000011F3000-memory.dmp
memory/2536-20-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2536-19-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2536-21-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2A2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar351.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 517d27eb5da9ba1214cd9e74349b87e7 |
| SHA1 | f584da931a13e10cee4fcfe40a2c404f25c0f2df |
| SHA256 | 288a56a908ff18756424b0bb05f7ec62a36d9b8bf6f644dc4f53dd02d99c665b |
| SHA512 | cdb45ed00a576dfc2dfc2814ddee9b963053f446460195fe992e0ace920cb72b122b4934351602247b3596f9dd1ad968893c10c2813b51c86d9aab0f331e8af5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b23b5e89e0a35a8e5e18a6d344cbb214 |
| SHA1 | e1a74ada6f9ed2cbdf3ed0174fbd4897e749b1db |
| SHA256 | cd7d4b395970965009dbd6c22f491bfc4788bdd60503a69869273dbd5bc49b3d |
| SHA512 | 0278aafbf43a9e1849498482de8cff379f56e9910f067ab62720110a0198772a3c8434def9a5dbc91a33149497bd06fa9558e05ed9f868b1916320f95cb45f6f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16658b5e04fb61f78475eed7f0155161 |
| SHA1 | ebdbf158419560125e42957949897e073f04a97f |
| SHA256 | c89957e7e5e00b731937b3264c6b686e0068246c2e6b76e42dfc05ed2ebe190d |
| SHA512 | f744851904efd8408d9a1ec1c453b21fdc15417811a4d7943e966832908d2af55ba429f277e549396fdd8e6c7d9a20d7a7e06208f7ffd4850a720577a73f86a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 635efad5987dc1065126048b9ac6d52a |
| SHA1 | 5d8354b09369fddfa847de806a52d6c35d4cb558 |
| SHA256 | 1d3fb2bd24dcc16c263d0407d3cf60b3002c1ab4ee299ae9d662227e095d56bb |
| SHA512 | 05ae3a52d6712399c8684898f7d87de80af682900f59910e810971ee30ae61ff11a8d09e3031d12822d645a6b471ce05add13678e8330586ead89f6bbc313887 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1d8d454d3224b73fe1d6b1fd199bfc7 |
| SHA1 | e49e7ba62d7bc42b68407707a261be08177a5244 |
| SHA256 | 3165280fe40c678c546b51fab684edd2131b53b58c7a7c9c8126cbab08d66ed8 |
| SHA512 | 161bc57610c78fa5a5a8fe07671bb9ca1d35d35d89e3e3c04a5b85b9ec22c47272f7c844389401af00075557854ca8c9f3916a099d9053cfe241b30f711a8c51 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9c0b76fe5639300fa4043c03ec9da33 |
| SHA1 | c3fe011b6732a2424014b035d97790ef7f847bd4 |
| SHA256 | 665bee04ac137ab33152bd95b2c946ddcb4594508958c46e2ea3d1347dae26f5 |
| SHA512 | a165abd561cdc9a33394e439f1d2a09d79a13f6539b81aca910979c94ca71e2b1e8deddb4a60afad6f86251e78adcd7b31fa2615b0a96be9efbfe201a7a532df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cafdc38dc0cf39ec30391b8559786144 |
| SHA1 | 0725fd256784346b87665b96d5b6a70846b69ded |
| SHA256 | 7c17ae8c2bcecad900eb51f0755bab7a98650a4f5ab02c2b7499d8d1cda55e5a |
| SHA512 | ca5c052b4616dae37272d5795f8e46cf1c6cee857bd441f8f8e96a63a287662e27fda42577f0a232d6bf3b1190f0914cbe5e6f54ed9b1e47e055bb9884fc23aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 997dd0f56bd36a709f58b900c62c8c1d |
| SHA1 | 2cd5f04756ab59034ee3253cf373acd5781c71b9 |
| SHA256 | ff10008be6773de1676db429da3324edbe47323afc4f6ab5df2dabaa67d55a5b |
| SHA512 | 7beb45edabeed9df5cbd50ececc7cc4bc0ec52d512c8ee5c4795840f1918c627401f96f63320669e6e3bc9553b9375988df66ac09cd41c0a782ddccd37344a7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee219dc80860d0b06c228c9ff558fb74 |
| SHA1 | 925d3fc31c356649db3bf07d4fafb867a5e06047 |
| SHA256 | 1bce9ae6664f03c0c66d9b3d4348b445713de84aa247cff95d0829e381944096 |
| SHA512 | 9949024f2d8bc38d227d67764202d0cb74ac14b3197eebfd29a65a564dd836a27bf6f15cee0631a67c1239f2996b168684db1e7422dd66242248317611345c01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dff4676269e31218f53d670fcf85eb51 |
| SHA1 | 054998d4d85dbb9e42315c45432501e8880b5115 |
| SHA256 | a0086f5e590db74238028d9c9e74cf19eb6f43a96308a199293e7870e92c8de3 |
| SHA512 | 2c2230db57f88ce6395cabf5033cbc679809daa91e12100019f580d2eb1f20e73a9e6643b1eb3f37e884c30f9bd079386c77be17c9c3abdc3589f8adfa193969 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | acae96ab4faa04a20d56f22b8f9f3a80 |
| SHA1 | 85f7f768b4ae7255968ef9ba6d3a7007cc91900a |
| SHA256 | 20ec00f6ffe6cf118ff9ea56ab5219e21f81c1179e4cba71b9bdfc1a2b0d0caa |
| SHA512 | 0cf42f2a8b4be2ef14a0d62e04da67a0c556e611b2a45a8d945a16d1b2556066a180095fd3e12a92b5f4a375dc489f948e3adbf25c303db4dcd071b247c40c9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7670f6eac1298ddbd5021a76aef6928b |
| SHA1 | 7ea5d814ead4338011f40a54aa91e928906576ea |
| SHA256 | d0922855a60a51c70f66fabc7264ac1abbee562bfd4e12eeadd5188395fd79ae |
| SHA512 | f976df58596ff5819d032d3c984bfbf902e6ece26c25796b7449e0adfe0b53ed9a28748fd37f68fd83d42f3177c1fd3370c9e273b523af029a5a9bb293c5a3cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5442c0d22c4fb24f6925f7a2ad49997b |
| SHA1 | e924042ac334d9eab496daf50a18479afee1d12d |
| SHA256 | cf9834505fb5f3dbd7145bf81ccf218655d71798163ef920f9836b4806fd0390 |
| SHA512 | f05923d885bdb8521e9b455049224858970e9e94824423027a86715d31c32cfae3cca066737e5b8b470e18995c7e36e82e7576c78ce220e57418f78a8d976e3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e46672a30b883568950ad2f971ab6e77 |
| SHA1 | 777f79aba1e92d80edc8f83a267cd83c6879e437 |
| SHA256 | ea30463544ad2ffc29ac36964b184ae35a786ae2ae77f215605c9091cbb27d1d |
| SHA512 | 95a0eee34c2d3cfc1be0128ea8e8c37d6e98ce7f3a24e1d1d4f02e1bcfa157023e0350894bba5e754b9c2c9f817771dbafb0c2075da24677bcac150a86eed525 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a023bef2be80c9e3e7bfadcb1c43d4e2 |
| SHA1 | cc48b4af85ad08e057d8b4757374d398631e2ab8 |
| SHA256 | 8903756ef3fa52a51ce1acebe424664a932e196317be2b8d05f77d20265d9d30 |
| SHA512 | 530e0ed35e7231284559b8021eae0282fdb8f216985f033e89833f027432b31eb2079d3fa0a436532bb8a4581dc3fa05343402bd537ad12d8074d204d2b37625 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85d64eb0f88c49433a9c2a7de289eb59 |
| SHA1 | a373daf533eab3e70ceabb7459f5217a6c0d46c1 |
| SHA256 | 03ba09b7e5831776b38cab418161fefbe3582eedc076f95a8ec1ae3e1808491b |
| SHA512 | 1bfc183d2346e3e1aec96edce696a0f1506c4436b84c92c11b59272938583c71878f8ee3ae928a6e68a2c381af5db78ef9d82a02326a6e28a074a7e2e0cca23f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3899350a824f9cd48f1d9647a6926d3 |
| SHA1 | fab552b550ec9d14886008cde757b2d946b99141 |
| SHA256 | bdd66e9eb3c9a9d91e3f72e671fcbd2c0d9ca74081cf929161d7bb027ec864c7 |
| SHA512 | f2875e3299838363b69ab0586500030a5a7efaaf43ceb08a099854b1e35e490c43c0d3c5a4ae8925b95a022c3b3f724e405e98fea94e3b60d17d346f9fd26582 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c8cc455beb68b9dabdb3417bc9c1bfd |
| SHA1 | abab31f8e41c267617670ddfdee805ac76da7ca4 |
| SHA256 | d287336113d5576724445da1b40f183c01021ed952feb4e63d93af126d637c96 |
| SHA512 | 5f6155a94cdce7a7050048e86b184308ab07991230699464dd79203bdc814904bb9327b0c7d30b7e96f05fa4bcef2254fb9a20cc1825b0e5364b348e87004a89 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e63690da37fdc0fe15fc4fec92e4a363 |
| SHA1 | 29a0140050c58e172fe3eca56ef66cddda117f94 |
| SHA256 | c7c52427c72a4f414897cfb1ab22b617d473df1ec58b1a01437be2f1a31b89c8 |
| SHA512 | db44fd652cc97bf49abae57fb361fc67a6fe6dac4dc38b15de4b22a1589354b8f128713cf941a0f970aa200d4689bef7e91a313ae729bb535ac17b4f7176c3fc |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-16 04:57 |
| Reported | 2024-11-16 04:59 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 91s |
| Max time network | 143s |
| Command Line | |
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxAB63.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143908" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438498006" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "297126436" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3D0256DF-A3D7-11EF-A4B7-D2BD7E71DA05} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143908" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "292595658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143908" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292595658" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnit.exe" |
| C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/5020-0-0x00000000000D0000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-16_db438db1484da27156855d17574b1cd0_bkransomware_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/3896-4-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3896-5-0x0000000000480000-0x000000000048F000-memory.dmp
memory/3896-8-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1144-11-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1144-13-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/1144-15-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1144-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/5020-18-0x00000000000D0000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 4716dbab6f2ab2afcbaf76db5f0b38c9 |
| SHA1 | 9ff921c8611055814c46c2f6040cc4212879907b |
| SHA256 | 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573 |
| SHA512 | 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 6e52d7cf8ce4faa24abb923cd5052bb9 |
| SHA1 | 63ead0481998dcdece567282d394eb8fcbceacdf |
| SHA256 | 60193bc59338a84d205bc227b0585128c55b1b3a3ad135384d2288db14d8a196 |
| SHA512 | ee1526785569e1cc9d8480d1b99f66a64553314d1c00c6fc26472a2c33164ebafeed8524479852ac241a796aad799f4bc5788c143908ed14e110d49a0a6fa4b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |