ramnit | ce728d96aa78387b2dcd45b20c213c3960147101f84ebb483a9c639cf991d940

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
Size

2.2MB
MD5

86ce99ced435589cd652db5e66919b88
SHA1

fd74bc1bb0dc154bd4f09f31db90096329b464d3
SHA256

ce728d96aa78387b2dcd45b20c213c3960147101f84ebb483a9c639cf991d940
SHA512

7d5d6130d001bc5500d483d966049d514404c8389d7cd4c0fb7f12c550329f0f35e893403a5436f4d98255868e6c84b5fbcd1e4cb12c7412ab21000fbe2ed994
SSDEEP

49152:JbheTlhinF4DNUScen4fuRQ24696jEs1rc/mUDYHfAlvwfGlM:QDiF4DNUben0uR46iE0rIYHfAlv

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4944	DesktopLayer.exe
3720	DesktopLayerSrv.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0032000000023b5c-3.dat	upx
behavioral2/memory/4344-5-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x000b000000023b5f-8.dat	upx
behavioral2/memory/4752-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3720-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4944-27-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4944-35-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4752-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3720-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3720-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4944-20-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4752-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4752-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4752-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4344-11-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px73F7.tmp	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7465.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px73C8.tmp	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190455444"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190611490"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C20A8F0-D297-11EF-B319-468C69F2ED48} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190455444"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190298806"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443638302"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190611490"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C27CF37-D297-11EF-B319-468C69F2ED48} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C2EF6E2-D297-11EF-B319-468C69F2ED48} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1190298806"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31155876"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
3720	DesktopLayerSrv.exe
3720	DesktopLayerSrv.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
4944	DesktopLayer.exe
3720	DesktopLayerSrv.exe
3720	DesktopLayerSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
3720	DesktopLayerSrv.exe
3720	DesktopLayerSrv.exe
3720	DesktopLayerSrv.exe
3720	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
228	iexplore.exe
2540	iexplore.exe
4044	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2360	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
2360	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
2540	iexplore.exe
2540	iexplore.exe
4044	iexplore.exe
4044	iexplore.exe
228	iexplore.exe
228	iexplore.exe
3316	IEXPLORE.EXE
3316	IEXPLORE.EXE
3204	IEXPLORE.EXE
3204	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4344	2360	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	83
PID 2360 wrote to memory of 4344	2360	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	83
PID 2360 wrote to memory of 4344	2360	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe	83
PID 4344 wrote to memory of 4752	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	84
PID 4344 wrote to memory of 4752	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	84
PID 4344 wrote to memory of 4752	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	84
PID 4344 wrote to memory of 4944	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	85
PID 4344 wrote to memory of 4944	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	85
PID 4344 wrote to memory of 4944	4344	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe	85
PID 4944 wrote to memory of 3720	4944	DesktopLayer.exe	86
PID 4944 wrote to memory of 3720	4944	DesktopLayer.exe	86
PID 4944 wrote to memory of 3720	4944	DesktopLayer.exe	86
PID 4944 wrote to memory of 2540	4944	DesktopLayer.exe	87
PID 4944 wrote to memory of 2540	4944	DesktopLayer.exe	87
PID 4752 wrote to memory of 228	4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	88
PID 4752 wrote to memory of 228	4752	2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe	88
PID 3720 wrote to memory of 4044	3720	DesktopLayerSrv.exe	89
PID 3720 wrote to memory of 4044	3720	DesktopLayerSrv.exe	89
PID 2540 wrote to memory of 3316	2540	iexplore.exe	90
PID 2540 wrote to memory of 3316	2540	iexplore.exe	90
PID 2540 wrote to memory of 3316	2540	iexplore.exe	90
PID 4044 wrote to memory of 2552	4044	iexplore.exe	91
PID 4044 wrote to memory of 2552	4044	iexplore.exe	91
PID 4044 wrote to memory of 2552	4044	iexplore.exe	91
PID 228 wrote to memory of 3204	228	iexplore.exe	92
PID 228 wrote to memory of 3204	228	iexplore.exe	92
PID 228 wrote to memory of 3204	228	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:228 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3204
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4044 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fdba1e1aaafa78dc1bc5319f2afb6f86

SHA1
5432b1fa5f940052c9f9117307b2c97a7950cab2

SHA256
83c001e05993c8e603aec23cc4fa21a1515943496a69e18ab4a1196294b5354d

SHA512
ad7a1db5d9f4ac4edc07dfaacd2dd5aa15d8e228b2e096f9add822e4be84c66db28729583f9fdd5ae4f20fe685854cf2c35ced250a19df3b001c7b563c78a13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1c980e2b5573edf9b0a6b9772048cf41

SHA1
2dc7f23890dda8e0e06b36d1c303531795e7c296

SHA256
d61e3222792b6c019a77d14f991a382072c544c8439af06ed670d848cc6e7bdc

SHA512
c802175095abdd4392c06c1d3d3f1509bb853f3c8e22d1a2a18d2916747422faf0aacfa995abe92b4987f6887fb5bf4386424d09d58ba2dc92016dfbcc842f13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
634dc8c3e648f510de4eb7a9ee622bed

SHA1
20e3f1ae90182229ee640f27b38af0f05e3baaea

SHA256
ed5dd278a55471a9342c3c494023d13c42a8c781726de883a82e09d9c6677b78

SHA512
45bd3b9fb14969d5b757d1e15bea56417266cfff4d23842aa3d8e15887e69e56dc0482f94ed2ff40b025e5a1308db18b6c7055a22ae36e6c5b27ac4c3a48195d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d4c9e28b7a19e8455e21706259638772

SHA1
75bf183152570ff003ee97819fc320a1520be08e

SHA256
a2273f89f2e6ec5c961e919337b9403c25e12e8068a2bc662ae08ffa699ba7ae

SHA512
c47a4d7947300bff1a8c461ed32a9cc66a5103607b68b952131384889588b104d10fed2321b5d86af01580b27fcebdd6c15de5b6f524c7dcd6160cc6e9dd6cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C20A8F0-D297-11EF-B319-468C69F2ED48}.dat

Filesize
3KB

MD5
fb32adf8e33167a35a85f90e7b7e4895

SHA1
753c081888c1ca985b13b8e3d482945eaec684d2

SHA256
8253303fabe3c31d8e374ec531c16789539bb997b96e834b0a7dc32b02155af8

SHA512
b46502845cb7126c431539136bb7fdb35f5eec88eda3d3d16cf75e2e75f2a1582b59bfddde471b77320d21f224d18379378e5190af3c2ead177ada5f901c5590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C20A8F0-D297-11EF-B319-468C69F2ED48}.dat

Filesize
5KB

MD5
0240d15ab41d056f509ec522601ce524

SHA1
d84723ddca2c6bd1eccb4c3e5142b84f76d17191

SHA256
6c540af0a01eeb5a9beb552099b0269f2229f146931ed3cf1a7ec90c2f95cf36

SHA512
f8a637b3edfd5bf1846df322866164059702da970010d660f9b38208e496c787abb2430bc5ba808dd44a4cd181bae8dd97587e0abd71deee3053bc900631b66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C2EF6E2-D297-11EF-B319-468C69F2ED48}.dat

Filesize
3KB

MD5
f50b169af2693fd9a336613e544b9039

SHA1
a04296d473db102e194ce6740ea4e460527ad39f

SHA256
389e690d6d136f4cc3688c21df700d1c8ba1f81555b6fd316bf553be3db3a69e

SHA512
c72313846021d806bb105a2909a6438cd23a0ee0d9085884828cd6f705319153044947bfdb29f703c9f5de049702620808b61cd4ec70d6c6d4228d03c866cfbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrv.exe

Filesize
111KB

MD5
ccc937bcd06f7bfa99abbdf16d4af87b

SHA1
22c08152fa73d1d055919283604fcf4685ba0e9a

SHA256
6841eefc56ca10ac8b40a71b23f471fa4fc36d71f19fb0bbfe548035f9cdab27

SHA512
875e2cdf0d158e00684d6a30b4adebb7f18c6f2918fa2328eddae173193cabe111badb72ce354cec223b409d713356854bf6125103bb06bd0496d9e615095d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-14_86ce99ced435589cd652db5e66919b88_bkransomware_ramnitSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2360-0-0x0000000000B80000-0x0000000000DC7000-memory.dmp

Filesize
2.3MB

Download
memory/2360-32-0x0000000000B80000-0x0000000000DC7000-memory.dmp

Filesize
2.3MB

Download
memory/3720-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-31-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3720-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4344-10-0x00000000004D0000-0x00000000004DF000-memory.dmp

Filesize
60KB

Download
memory/4344-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4344-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4752-18-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4752-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4752-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4752-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4752-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4752-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4944-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4944-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4944-25-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4944-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download