ramnit | fa4fd395f37da0940f08d5966ba6e3af1c570985d91f6cd93018a04452d9fdc8

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Size

4.2MB
MD5

ccb9978edf3b36a12999895f72400491
SHA1

15b5371c6908a845bf7a20ae3b29821892e9bf49
SHA256

fa4fd395f37da0940f08d5966ba6e3af1c570985d91f6cd93018a04452d9fdc8
SHA512

90b746fcb2b06e2fa0c48a76713d17ce98379153883997294d96a2d36c484614ca0329d89836ea9dc54154e34ede3a8f81c0fd7493c814e15795109769ed0878
SSDEEP

98304:LBBIoHkSDVaAYwohLvhTyYfECLacrR4LVos4KBNfzmh19mvgX6JcdCkoLcvTPruS:hHkSubTNac94LVos4KBNfzmh19mvgX6D

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
2544	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	upx
behavioral1/memory/2404-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2404-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2544-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2544-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2544-21-0x00000000001D0000-0x00000000001DF000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC1AA.tmp	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DE69011-CE75-11EF-B5A6-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442580735"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\GraphStudioNext.GraphFile.v1	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GraphStudioNext.GraphFile.v1\shell\open\command	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\shell\open\command	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.grfx	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\ = "GraphStudioNext Filter Graph File"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.grfx\ = "GraphStudioNext.GraphFile.v1"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\shell\open	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe \"%1\""	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe,-129"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphStudioNext.GraphFile.v1\shell	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GraphStudioNext.GraphFile.v1\DefaultIcon	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	DesktopLayer.exe
2544	DesktopLayer.exe
2544	DesktopLayer.exe
2544	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1716	iexplore.exe
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
1716	iexplore.exe
1716	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2404	2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe	30
PID 2392 wrote to memory of 2404	2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe	30
PID 2392 wrote to memory of 2404	2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe	30
PID 2392 wrote to memory of 2404	2392	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe	30
PID 2404 wrote to memory of 2544	2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe	31
PID 2404 wrote to memory of 2544	2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe	31
PID 2404 wrote to memory of 2544	2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe	31
PID 2404 wrote to memory of 2544	2404	2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe	31
PID 2544 wrote to memory of 1716	2544	DesktopLayer.exe	32
PID 2544 wrote to memory of 1716	2544	DesktopLayer.exe	32
PID 2544 wrote to memory of 1716	2544	DesktopLayer.exe	32
PID 2544 wrote to memory of 1716	2544	DesktopLayer.exe	32
PID 1716 wrote to memory of 2884	1716	iexplore.exe	33
PID 1716 wrote to memory of 2884	1716	iexplore.exe	33
PID 1716 wrote to memory of 2884	1716	iexplore.exe	33
PID 1716 wrote to memory of 2884	1716	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
073ac65dde1cdccb20331f41424cf6d4

SHA1
ac62ed9975f77cfef2d431ba5708900c10f76252

SHA256
cc53de4d00b3bbdb2cde8fcfba183e201fadace1ec6cb60893ad4440c9d9b2c9

SHA512
6101419cf1256b742a8e6de3450a2c25b7b37e51f4bf1af1811b09aac3ad68b7a93f670d62ad387ce42f35a9f4c9a81f3452c81492c2352f64106d5a13089f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f00d9ab78bba3a05c140273f57aebe0

SHA1
95c32a0906b770cdd0b65fa412645a19a62c0386

SHA256
9dd1132263b59d0c014326c4c6b5ef857dcc8c5ae6209c14d2773030ab16b81d

SHA512
1c3551d9324128c6af133d4b96bb8721443d42c62577ff12537e66202bdf959c7da5ca903264a67e895d9b7e189702bf01eb5411921f4991312d4f26c3231d6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f67124e0d036177ebd8d8b7ef8d9146

SHA1
e2285d847df7cf6f1ebd8c783a41782557d9e2a2

SHA256
614ed11d28d14004a6f1051e708fc1a9ae0846117d3d11e4746557a6acf52ac3

SHA512
3559e07298ffa99922e807febce38a1de99901ef0b1bb33a707d8f47098af9d7f274aff111415187613516d0a697ef7c66c46d6ee5c73069a23a3f0fa3efd3c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b4dbb894b3a59f590df46fc1d655d8

SHA1
4798797b4157cce802b5e8f5f8c9ebb7f0d7b460

SHA256
eed1b180ea6c2bdb59492907f6b1c937f587ae7966a1e1a81d584d56cfa47923

SHA512
23aa64fadcd4c57c4364b59b70378607327cd9300677327bc063906aefd23d5c0b2217d7e450fc9a3bf6f1f5651f0485531fed94a28c9f20473c25548f4ae55b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d397a64d89e814ba2c85720fbc8720e

SHA1
17b3bb28f458859a2d9107325d11fc711381197a

SHA256
716efe18de7e8d67c7b6a87be20ac6825dac70f08a87cf2c5305ee6158941e1c

SHA512
68e992dd1efc8b86246deecf6b7a86b29e201c110409aef3f8b5bf45fdda556103c141dca2e5e8369d26483391858af5a3c4126c9f86b9c581b8f2d806f4cff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68aa660dc4cadaaac3eeeeeb60a16386

SHA1
7d15bb570d6c008ee19863f982afbc4a6dc4faa0

SHA256
a5f04ca1cf62cfb24da5feb261263e4e8e656066497f9e2d4bc3b4e9557fac2e

SHA512
0ec64fb78b6192a8fcb8f1675bfe159af69aa6a1cb587e582fcd65a6a1615b7708df6984514d466c57e0f40b90f2cf94e2f1b5c645827e36818e6aef43d726f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a9780ffdb9f8544fd120166fe9838c9

SHA1
6b3e1b8be3756da58092e51b0e3ca3c8a6c6b908

SHA256
f6e538a1ea83fcc5b7f43816de5ce6870414afa6d8638f780da9c0fa388c75df

SHA512
288965345a350aed4cf58cbe5fae52f1901bfe3fd1ca8976b6a643ff867aa274c465d1a65b75c0939830c3f1046ebb993ed5588b5e0f47367fe2c9d13f68d271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d0153152a1e489bc374c60b22b05b4

SHA1
7d8096236ec7d6000adc376d304c925253702f20

SHA256
e9e19a44636bf2bfdc6edb83b1a3d546735a62983e3474717ff5250dccd2c66c

SHA512
70f31ab7f839d3088a648b126350aba53748e4e2fdbce72ef58a0841e7d6e2ffab93eb2e6214653a5599b6fcab7ca2a23a7fc073636b0340a5b735c0cca81851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aec67f96cb275973d9c1f5c679ebb1d9

SHA1
38a4bc7d4468daff2d1318fa30843c5af6e5c34b

SHA256
7e17447dcddecd45835e29ee06f063c8967bfd3d47d2c88a7cc664c846e51f76

SHA512
352b808622b1355c39ab3c121d9eb573f8124754e93afdc9afc2352a2003f60a241fdb7409a9f8bba1ef8ee172a2819565815bd7351b60be766743eab8bf643e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb3f88b72ad2ac16b3aa5d391984ae9c

SHA1
2b7818f55c127a3d49a061c6e18988484df3e078

SHA256
e0fa85a968711784a064c1da2a24c7069b117c7535031c729f81d1601a2efa3b

SHA512
d1920e5ad8139d872ba311bf46fdc4b88bbab4cf3987e807badd734b573dbf4ae00759becef962bebdc8aef0ad18bfa2228ba8cca7cbfa360073590347c316ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfe62e5ea941ff68af61e576fa7e8a9a

SHA1
6d07dbff4f426428ce94025a82a5017a384897ed

SHA256
c7b32f55f96681bdf05ec5d3ee81fe5021a00fc538068e5f941e462b4a195fb9

SHA512
7f0c39bdd19919bbc8af1d6e5b889e5294c275f005cd91cacd1ae87eb6b76c5b1ed33363750f35c85ee2dc3478714359bd3da3715ed206b5af86347d95e27f7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcec146ea59e38aa7f31cf13fdafd8e2

SHA1
dd33c5a1c7967ab56fd93486f0486c85ab59cc24

SHA256
057b3a10ddb5c7e3282cfd4f793f872174fdcd0c98b053433cebb575b59f5a5a

SHA512
ececf1f945038e1d3021cbc95c30e52390679f4dcd471f349d8dc63c9b7d05d77bc0b5aec2d39edd9f5375a9ec55ea5a188bc8422b25a8a2d84420f256568b67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b23aeefac4fc19ef7159d1be278fb6dd

SHA1
5ee58b8c2a3fb460ec893168fa433a97a2624378

SHA256
074cd4898a49f86f5c2b76aae69901fae78af97ea7295ff7f8a9eeb724bcbb3c

SHA512
3e8824f676f3c793076c7440b54e97ec683d7befb0ece1de863444f6acb29278141219d2b97e23a759c7dfe61c19bf58ee0b6d493a6f6313f456c31f369a1f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a362784d5c566e908c8ccc2a34c53a60

SHA1
bd37e54af9d254ea40ade9e5bc2087a971d5286f

SHA256
9900884adb791012ad46bf4aa54585db956dbdd960c07d94081a9bad35266656

SHA512
79963c82884d5608cc312b6d40ca245c45b7919ad4f2696665c95cd97d2412200c6fd35c3b415b7575a6a7f9a6a897b873af3632bd181221a22f73db549aa9d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adfc8d4b2187964618ace6b0c0c0aed8

SHA1
b4f919468a596d7c87212cbe6c6655489c171f5b

SHA256
a850f77d1a10898b88e2ae37e093893aa5910502a35ebab49ee6a58987618e86

SHA512
2cc49ee829f37afc849889e35bc7b1243f8db069546192f4255f4152a053465e1cb13e95d836ae48ff63099b3a241a30ee8b99f1b5378a6a68f49268af9e6463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c428d37d56f6e422675320159a94946f

SHA1
ff794f5e3942caddf3ac1e59008e581964ad6ef6

SHA256
d740b67a9cef093f045887b77b20766edf5586ac08a998c749aeda1d85022a83

SHA512
000cde014889c5cadeea919bfd873d3af58e16fd3b99ee4358a2266bb14ce3b259008d77958b3c6668f9ae56a99ae8e1cbccc772a220103f8dff6d75cad002d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31855d734b68db293eb304be6e1ab67

SHA1
aae2dbe0024d83e0842d31d8407bbda687c7da78

SHA256
15c8d3c69eef2fa75d97553c68c873cff96faa352291964321c62787b1e195ee

SHA512
dd8d1bddc37a7553285d208bff809d73dcf1c4a6b017a7b856f3e8546c2d870e6c2d8a7d6efda8961d3fcba8e4bd34575c000f1af534442a5218cc3c392ce358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
452e16afe1964e4e7f093614921cdfa2

SHA1
6e619b2397a60cf8235fa358a41bcedb00ca7da5

SHA256
2b6ed3d9cd4fdcf81e72791a166385543a7c52151b46dc40d9303b1e0cf09628

SHA512
0764c140eb5fd39856ba2d1aaa49259f591ede285dac772410241cdcb76d07c2022ce2d119471786caa2ff5febec465c9e2f0eff65d8d39e50783678be36bf09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7e97e303ecfce76f998bcc7c045914d

SHA1
71c57226cd3e8887dd1247fccbc7eac6afb4249b

SHA256
386daa8780ee81cf4da729393b4b5421cabfd7e20a7abfa0c07ab11e58713e77

SHA512
05f98886ad998e740e45005248c81b353974b936668d96909e5513483fdff0d43e27490276e12650e1cc172bf5d5e882135b7ff797f98a278a660a620235029b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0356592b912811d50d279221297f0b7

SHA1
67976922ac4e482802b7d3054e50b062ffeb3b30

SHA256
9be7b22c86cb7909c97ffe8ff3171d7c3616799e2c0d4fc1f7ad52bc3ab4a4e6

SHA512
092196005a3f3de21a7c8da375e524928c0687b10f764b191adf00e8b5c6e5a49a46f1521c7f5e53e2c5b94fd6025526417cac83423f299863ed2eb59c61a92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1d8828f9e0c4c097f9edd479b99fbe0

SHA1
f6308e2dc9d71da7953d20e91f04c4108a7ddfb5

SHA256
add0595f8bd6fcf4cdd094b91f73d97159afe6b8addf0e8250f42bbbbdc4dba0

SHA512
c1262e1ef711ec4f8d019b7bb7d655b9970a957a0b0179d32714a6164a7376996170ba1c6dd3370380fd38627f6f3c5c927b4194f3b1708a053e8fd849e66e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE1DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE24A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-09_ccb9978edf3b36a12999895f72400491_bkransomware_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2392-5-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2392-41-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2392-26-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2392-25-0x00000000009E0000-0x0000000000E2F000-memory.dmp

Filesize
4.3MB

Download
memory/2392-3-0x00000000009E0000-0x0000000000E2F000-memory.dmp

Filesize
4.3MB

Download
memory/2392-458-0x0000000006610000-0x0000000006612000-memory.dmp

Filesize
8KB

Download
memory/2392-18-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2404-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2404-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2404-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2404-14-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/2544-20-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2544-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2544-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2544-21-0x00000000001D0000-0x00000000001DF000-memory.dmp

Filesize
60KB

Download