ramnit | ce728d96aa78387b2dcd45b20c213c3960147101f84ebb483a9c639cf991d940

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
Size

2.2MB
MD5

86ce99ced435589cd652db5e66919b88
SHA1

fd74bc1bb0dc154bd4f09f31db90096329b464d3
SHA256

ce728d96aa78387b2dcd45b20c213c3960147101f84ebb483a9c639cf991d940
SHA512

7d5d6130d001bc5500d483d966049d514404c8389d7cd4c0fb7f12c550329f0f35e893403a5436f4d98255868e6c84b5fbcd1e4cb12c7412ab21000fbe2ed994
SSDEEP

49152:JbheTlhinF4DNUScen4fuRQ24696jEs1rc/mUDYHfAlvwfGlM:QDiF4DNUben0uR46iE0rIYHfAlv

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
2604	DesktopLayer.exe
1628	DesktopLayerSrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
2604	DesktopLayer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-10.dat	upx
behavioral1/files/0x0008000000017051-6.dat	upx
behavioral1/memory/1628-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2604-35-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2604-28-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2812-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2812-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2744-14-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1628-41-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px759D.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px754F.tmp	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px755F.tmp	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B563851-D297-11EF-A528-527E38F5B48B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443035193"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B4A5171-D297-11EF-A528-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B432D51-D297-11EF-A528-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
2604	DesktopLayer.exe
1628	DesktopLayerSrv.exe
1628	DesktopLayerSrv.exe
1628	DesktopLayerSrv.exe
1628	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2760	iexplore.exe
2644	iexplore.exe
2628	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
2760	iexplore.exe
2760	iexplore.exe
2644	iexplore.exe
2644	iexplore.exe
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2628	iexplore.exe
2628	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2744	2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	30
PID 2448 wrote to memory of 2744	2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	30
PID 2448 wrote to memory of 2744	2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	30
PID 2448 wrote to memory of 2744	2448	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	30
PID 2744 wrote to memory of 2812	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	31
PID 2744 wrote to memory of 2812	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	31
PID 2744 wrote to memory of 2812	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	31
PID 2744 wrote to memory of 2812	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	31
PID 2744 wrote to memory of 2604	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	32
PID 2744 wrote to memory of 2604	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	32
PID 2744 wrote to memory of 2604	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	32
PID 2744 wrote to memory of 2604	2744	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	32
PID 2812 wrote to memory of 2760	2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	33
PID 2812 wrote to memory of 2760	2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	33
PID 2812 wrote to memory of 2760	2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	33
PID 2812 wrote to memory of 2760	2812	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	33
PID 2604 wrote to memory of 1628	2604	DesktopLayer.exe	34
PID 2604 wrote to memory of 1628	2604	DesktopLayer.exe	34
PID 2604 wrote to memory of 1628	2604	DesktopLayer.exe	34
PID 2604 wrote to memory of 1628	2604	DesktopLayer.exe	34
PID 2604 wrote to memory of 2644	2604	DesktopLayer.exe	35
PID 2604 wrote to memory of 2644	2604	DesktopLayer.exe	35
PID 2604 wrote to memory of 2644	2604	DesktopLayer.exe	35
PID 2604 wrote to memory of 2644	2604	DesktopLayer.exe	35
PID 1628 wrote to memory of 2628	1628	DesktopLayerSrv.exe	36
PID 1628 wrote to memory of 2628	1628	DesktopLayerSrv.exe	36
PID 1628 wrote to memory of 2628	1628	DesktopLayerSrv.exe	36
PID 1628 wrote to memory of 2628	1628	DesktopLayerSrv.exe	36
PID 2760 wrote to memory of 2416	2760	iexplore.exe	37
PID 2760 wrote to memory of 2416	2760	iexplore.exe	37
PID 2760 wrote to memory of 2416	2760	iexplore.exe	37
PID 2760 wrote to memory of 2416	2760	iexplore.exe	37
PID 2644 wrote to memory of 2516	2644	iexplore.exe	38
PID 2644 wrote to memory of 2516	2644	iexplore.exe	38
PID 2644 wrote to memory of 2516	2644	iexplore.exe	38
PID 2644 wrote to memory of 2516	2644	iexplore.exe	38
PID 2628 wrote to memory of 2956	2628	iexplore.exe	39
PID 2628 wrote to memory of 2956	2628	iexplore.exe	39
PID 2628 wrote to memory of 2956	2628	iexplore.exe	39
PID 2628 wrote to memory of 2956	2628	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2416
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:340993 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98ac79850dfe56fcd5dae6a9d35581b1

SHA1
54d2bdffcbcb1a8d4cd4bff2b16df3d9ec645133

SHA256
65ec90eaceabf991f93c0431d1265ef53ae3727f214b0f08a640d03b34017c4f

SHA512
d57b2a4c65de3b3edd48b477c6fd0ae6f095797ab7a8ea8303264ecfbc0580f7690484084da1481d5809607027f273003c0de0ba5275cfc7359e335626cbea96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c34238eec542d857870bb5c9133cb840

SHA1
bb63aecbf74287ffedd85d99d9b21ac1fdf40f9b

SHA256
664ff8ed7d40067079b28279ae5dea125ea980764b35e2f8bdb4f0a986cb456e

SHA512
2ab75e7788cbbefb2ba6e9bc098342153ab9bd4506c47f1bbc79e31f0207006386303ecdc281678737f78c602d586f099e939337fd8e9ebd95ab3e29aadedaf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25feb2ce2f8edd16f69ff48c6e0bd61d

SHA1
829a4fc50e6e5c4ea7283b7466fa3ae6b4b49fe8

SHA256
6fe26acafb40db3f3ad02ca404751700dde77b036b785e6809a22017ee9adf27

SHA512
f393da2a449d36c621560d3f46db6c559d46e4cf6eae7d76291ba977e1ecb550b1d74606274fc536b28c27bc7bd509c5c34d723e71f588ac79abee168f9caedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
866040448b20324d98867ebe9416f270

SHA1
1539a5552a3883691f84e9b13d669ec7a3148e85

SHA256
9ae804bf72b502544cb66c06028fb0a2681395330fe10bc4c53be4a878f461fd

SHA512
ec4dc45accff3d75ddf9ad6c5f68077eee8ec333f062255fc2cda22c40085d8626816b57f7a985062f5201cfe6caaf363de7fa9de54dd1a7d0251f4e31057ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4870962573f66324cd8eb0f6fdf9ed1

SHA1
bed1a48d98712fea8696a852ab2c3175bdf1ef53

SHA256
866a641aab2edf2d6aba25ca2e2f197419ab762fc1371a2fc0ffdbcadec2cf13

SHA512
e2b06de3237610fec37d474990079297588f035637dc182e1c118ab22c8e5b9b5527e7df2de5071e7a4b863c870f954f16ed587668b7c9dfc3b6b9feae6585b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d11893b77807db4c29eb9abd1e9f147

SHA1
0c0130196ec8e5e145832d226253bb3b42c1fed6

SHA256
21c678bfff0276740e9a7243ffe5cae54ad534543439272082d35e7c82d772ea

SHA512
0721f111f243674feb576635d70ca05f83026fc2103159e70d810cc8a45d41c938224e20a1835a5af11de5617fc1cdc53caa41a71d347623fbb0e47592c610f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdd9bc98ddf62f8544563037ebba04b3

SHA1
64b1a1fe722c6bfca0dc8b3b06e71ca8e183ced6

SHA256
a678078c2cae1a8d1d28700f4205086f9467d338d066fcacd77406552aa577d9

SHA512
1beb2d06abbb81d120bc0427d93b33ffed7b6fe84cd061f0b0c72a6116b282709c95af93d11397a28e1f299af776df5530c730639ec53b90ea8ac70bf1397a24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a37ef4ec5fe022f41e01ad100f6741b7

SHA1
56ceff965dc8418bb0373b821b973719967cbcf3

SHA256
6ecc22861c79d63ae2af4fca0827fe09f28cfc6395db6d5fc99e0b2c4af7bf4a

SHA512
420df349ec0f7f0c7ddc4f5b14f7c03f884abf2978be73d4532d8b44c08de756d6aadb6ef27902c502cd093a2fe25632253d1c9c81301a728a39ec71c1b682fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18f86c170920ab836a7eb0ae5e054c89

SHA1
69efbea1ad398ef1c5a0717b1575937749a01ccc

SHA256
7401d3f1cd7c9ebcede5eeab72d5e88dfecf83115168c8a026d65859ce2d8a26

SHA512
9abd57bc637a5c6cf2ac9c5d3d9f6afcd014d43a0dc86af7d66620679513b4a43d3d0e4844dee41d26e8997831d767cb67e8ad7e544850a35d17a1ff1c1f4b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
994e79883527a997f3f2aebd05d6a289

SHA1
85b2a2086e619e297aa25b880ef468ca597b375e

SHA256
6371f268c07e37b6dbbda80feb352f809a8954bb72456a4e3b568140be71a282

SHA512
648d1b4012b7a5de8bce700dcc60ef9a9ca032d411cc753c6899af4b962a07bf3875d245dcbd5918aac5dd79114c0f4267fc02bc2c73f0e2c9cd9ba942f243d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1288494a9aa7a38a7384a83c21a35edd

SHA1
66cec5b44cdc05630aa7d5601071a61b859b2c8d

SHA256
43b9cf7b6ec558f0f5576a321bce506dbe47ae4e556fc171033b7af614c1fffe

SHA512
197efe935d8ca8581db10cd5f157babda2dd7a99822ffe5350fe59ba0f4dc9ad996835009cae0ad6e38149873ba6a1aa6b7443bb85cfb2b51a99af9eed3f42b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
373cdd54ce7d146c244cd30fbda8e62d

SHA1
15a497585d52117e03994e26e68c1f1883dda0d2

SHA256
d68f72a822cf23348d2cd09340040772d34002f435f047817bbadf86c23a4c34

SHA512
32062efc4e1a7e2d8b587f09d086d6e88a0e51a6998c33beb24b7b66e89c5c602565964890b996a8792beea5fbba24a04d9c23c84c116fcde753f861f3f13395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98a0a206f67ec14a38e9f61b41a06b51

SHA1
b5a2e6f8b9c5a7b6b1cdae50a4f52eaa42160f1b

SHA256
3ee54a848ff924a4a3cc2142098c5456489ea0d9d192e083e9efea83ab836e87

SHA512
c65972f8227fea25d0b5eb430c725f270488d5d3b0dd33a3f3b0b8f21fb2ae77331ac512bd44cbb9d690b49cbbc85ec01ea2b8b958742abb82af87d91c7c0c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34abbccef15885f82a2c0520d30cd14d

SHA1
78c289dd9dd4bc70d7b694634454b78bdb0a191d

SHA256
8c40e2a0779d5dd292e589b0e2fff381b73eda7f1f94a43ca64cd0c27e423719

SHA512
60ebf11b536cc72ff6c7bf02b076c827f4ddd71e7398fa0f173adb99d9ea0fc1e0824cc4d50a4ccac1033e76982f19c75afe98234a5b1a346d48cd749422aa40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7b4efac5d304f762b3523f96b3de1d6

SHA1
45a2e2435dfa5e3d031dbe17b80bf8292b184f92

SHA256
417c21a7c6ea7b1d5b60951d1047df443a44626018f7654ca97f6e46ace03207

SHA512
187dce710ee85f3c27c64592e9a5b4bcdb0b15d1bdfa67c0af045db2ff59e380357d4c7687ca6826b534bffbf15286b44b2b52a9b23fe316f6ec1acdbb5de638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d35158d634daeb389de7e5ead6cb8ae

SHA1
8454635e75a6420bac4d5534821745a0dade5b78

SHA256
c55ad00c735ccf89f3d90b1ab37a8d9ec85f002201b8659104517d179ce93bab

SHA512
27c285c406e5de2714ea9bf1c02f054a1d1e4926c9dcce9ddc8355a1283cbc7b6a03640196947e145861388d8a524aafdc57b6190bf8aa6e3a95ad6d6ef030e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5588b4c9a2cc48caf7a16faaa9312638

SHA1
4430a74776ffcc07e89b6404dc3adb9c48e4cfaf

SHA256
a44a64262560c8e012cc973797eb539ae3f2267063a5abdb14e1f53811a7f93d

SHA512
25c316b2a5b29f7b5ca23c3225e7a478e0b9bf868c15c9b199e978012744ed7e4dba28f3c4be02739b539a8c75375e62368065d9abfed7034f78450c2a992e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a031b5194e83a25efd0dd69b987b5f66

SHA1
3ead9719d42ae8f65c4d66d0fa33b0c6721f6757

SHA256
f1bbd8b3a634c83fa72fd4acc86102b297bda02276611ab4b8b93ee148745145

SHA512
e8ec524f3cecbba7c5de5e4168f99db4c7e6130697f9a24ccf45f6d088a013613b49e6c0e93bcf041330ed8a5a48eef2616fd2f0197ebbaf49fb36f5a78d559d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f8c0a493e4de816090c1678e9c27f4

SHA1
9ac2041edd702f6f4c09e3cb0120106ba43eede1

SHA256
b5e0091c7022d18df16a3a1d890af30cf52f3679004e0988158eae435963001a

SHA512
80e33b686610c8403faacea5751f8216932ea0cdc9cb21bb0e6a4e99cff73ca0d6c9817bc25bad2b4e0f6b21dd2d80b681eba3b02bf6f342472e94edfaa65482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B432D51-D297-11EF-A528-527E38F5B48B}.dat

Filesize
5KB

MD5
99e44cdf7a12f72f32100a2c39423e8c

SHA1
41b3a2db1596bf0668c63a81594964f284eeab87

SHA256
2786e85a9def077139e5999c16d075b4fb6bbee82e03f8a1ff2ae12c4c4b5f8c

SHA512
2d120d83679190243fcb984220d6074b6927f43bd68ca6d2c25b7a96094843dffbaf79b1473f3902c98aa3d9035995b701727860e450e60a905d267e572c2a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B4A5171-D297-11EF-A528-527E38F5B48B}.dat

Filesize
1KB

MD5
72f5c05b7ea8dd6059bf59f50b22df33

SHA1
d5af52e129e15e3a34772806f6c5fbf132e7408e

SHA256
1dc0c8d7304c177ad0e74d3d2f1002eb773f4b180685a7df6bbe75ccc24b0164

SHA512
6ff1e2e6b99bd0a4ed7ca8a9e943551bcd73a0befcace6f1b1106e88595c0846c9bb76ca99a33266ffec2440cf6a440090f803abbf28b208a6c7bc6310beb39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B4A5171-D297-11EF-A528-527E38F5B48B}.dat

Filesize
5KB

MD5
f08ba5c23ccb54324c7d63f105b436e6

SHA1
57dc6d5c6d808d591ddffb2c73c8e443831c4f6f

SHA256
2cce5081cb607e636f52f74da5ce7506035780042cc70bebc3ea8b187d289346

SHA512
260c6fe8466a54cd60c22679eaf02e4bcca903c51174f5c58781d58205704a3e22ce5ce5f88ecc1f6306d54ea93f57a28fa3fb362c021b57d4ef623c841c55cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe

Filesize
111KB

MD5
ccc937bcd06f7bfa99abbdf16d4af87b

SHA1
22c08152fa73d1d055919283604fcf4685ba0e9a

SHA256
6841eefc56ca10ac8b40a71b23f471fa4fc36d71f19fb0bbfe548035f9cdab27

SHA512
875e2cdf0d158e00684d6a30b4adebb7f18c6f2918fa2328eddae173193cabe111badb72ce354cec223b409d713356854bf6125103bb06bd0496d9e615095d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B23.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BD1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1628-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1628-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1628-39-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2448-45-0x0000000000050000-0x0000000000297000-memory.dmp

Filesize
2.3MB

Download
memory/2448-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-8-0x0000000000050000-0x0000000000297000-memory.dmp

Filesize
2.3MB

Download
memory/2448-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2744-12-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2744-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2744-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2812-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2812-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2812-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download