b3965f9c52f577c729450631b121f1dc46e769c62f7128ce4f02e5300ca97302

Analysis

max time kernel
223s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2023 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe
Size

24.5MB
MD5

9b126668d3c443dbfc589ec422d0f4e8
SHA1

619beab9224f99d4ebf1d8a74f8595de7ec439c0
SHA256

b3965f9c52f577c729450631b121f1dc46e769c62f7128ce4f02e5300ca97302
SHA512

94b7d0874b69e68b6ff108df497385ec9892689dfab5dcb3a441857f33d9ed181d9b73f983eb1755755d2195e57a49053a58219dfe2f5fc1237a81acfddc3c2e
SSDEEP

393216:DkmiCKFdu9ORaVNQncGiOTxowhmVytML5kGufmgoe7lHkWdyn:9yKjkTOq+3n

Score

10^/10

upx

Malware Config

Signatures

Detects any file with a triage score of 10 11 IoCs

This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

Processes:

resource	yara_rule
behavioral2/memory/3032-142-0x0000000000400000-0x0000000001C90000-memory.dmp	triage_score_10
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtCore4.dll	triage_score_10
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtCore4.dll	triage_score_10
behavioral2/memory/1880-189-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-199-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-203-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-215-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-219-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-223-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-231-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral2/memory/1880-235-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10

Executes dropped EXE 2 IoCs

Processes:

2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exeUpdateWizard.exe

pid process

4348 2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
1880 UpdateWizard.exe
Loads dropped DLL 3 IoCs

Processes:

UpdateWizard.exe

pid process

1880 UpdateWizard.exe
1880 UpdateWizard.exe
1880 UpdateWizard.exe

pid	process
4348	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
1880	UpdateWizard.exe

pid	process
1880	UpdateWizard.exe
1880	UpdateWizard.exe
1880	UpdateWizard.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe	upx
behavioral2/memory/4348-143-0x0000000000400000-0x0000000000465000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3452 4348 WerFault.exe 2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe

pid process

3032 2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe

pid	pid_target	process	target process
3452	4348	WerFault.exe	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe

pid	process
3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe

description	pid	process	target process
PID 3032 wrote to memory of 4348	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
PID 3032 wrote to memory of 4348	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
PID 3032 wrote to memory of 4348	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
PID 3032 wrote to memory of 1880	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	UpdateWizard.exe
PID 3032 wrote to memory of 1880	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	UpdateWizard.exe
PID 3032 wrote to memory of 1880	3032	2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe	UpdateWizard.exe

C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 264
3⤵
- Program crash
PID:3452

C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\UpdateWizard.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348
1⤵
PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2023-04-29_9b126668d3c443dbfc589ec422d0f4e8_icedid_mirai_ramnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtCore4.dll
Filesize
1.4MB

MD5
8326988db23abf07186e538f16376ae9

SHA1
72c6d89921a9c4ae5054e78147928e6c58294bf6

SHA256
9ec0090edd157562c1478f9ade93bb4c03bb3beb2c8a3c84a981ebcb80b5e451

SHA512
a083d90b40360f9118f45736855a7c0b6586242857c2f1eafc54627edec0bbdb8142493bff9bf74f27dbd361b6656f155b6d145fa7cd88a2aec111387e79be29

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtCore4.dll
Filesize
1.4MB

MD5
8326988db23abf07186e538f16376ae9

SHA1
72c6d89921a9c4ae5054e78147928e6c58294bf6

SHA256
9ec0090edd157562c1478f9ade93bb4c03bb3beb2c8a3c84a981ebcb80b5e451

SHA512
a083d90b40360f9118f45736855a7c0b6586242857c2f1eafc54627edec0bbdb8142493bff9bf74f27dbd361b6656f155b6d145fa7cd88a2aec111387e79be29

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtGui4.dll
Filesize
5.2MB

MD5
29be5d4eb2da45c049eb42d7d6da9236

SHA1
3fe635bb4d125b722eac276b78e804b238d29ca3

SHA256
1581ac53aaca8ffd5b3c748dcb5d1ee0d1020ba41196bc3cb371f29b370a9662

SHA512
6da64b8ca3f209a5cf5ef39c35149415ca838bd74092fd4b44c351c309399e62567794d3f8b93775c86759454fa7c85729bb1ef2cc2ed58645e980dc8dc4bc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\QtGui4.dll
Filesize
5.2MB

MD5
29be5d4eb2da45c049eb42d7d6da9236

SHA1
3fe635bb4d125b722eac276b78e804b238d29ca3

SHA256
1581ac53aaca8ffd5b3c748dcb5d1ee0d1020ba41196bc3cb371f29b370a9662

SHA512
6da64b8ca3f209a5cf5ef39c35149415ca838bd74092fd4b44c351c309399e62567794d3f8b93775c86759454fa7c85729bb1ef2cc2ed58645e980dc8dc4bc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\mingwm10.dll
Filesize
15KB

MD5
04d9ee3ee2ab1a2a5ae9bf91b595a80d

SHA1
55eaa1118d15831b868372c1ae15327dc0773208

SHA256
0acf47d1b635c13308ffecca1c39acd2a3c0338a575e3dab97e97ee1f17df277

SHA512
d41ae647e6ba28d0b9334fc27729a12cce76be5190344f070a16a4194e074cd14902037dd84f4dd2df65e7900373b458ff9f4f2a4a38b6c4a9fc154dc93c96e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C9.tmp\mingwm10.dll
Filesize
15KB

MD5
04d9ee3ee2ab1a2a5ae9bf91b595a80d

SHA1
55eaa1118d15831b868372c1ae15327dc0773208

SHA256
0acf47d1b635c13308ffecca1c39acd2a3c0338a575e3dab97e97ee1f17df277

SHA512
d41ae647e6ba28d0b9334fc27729a12cce76be5190344f070a16a4194e074cd14902037dd84f4dd2df65e7900373b458ff9f4f2a4a38b6c4a9fc154dc93c96e5

Download Submit
memory/1880-190-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-215-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-244-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-187-0x0000000000400000-0x0000000001561000-memory.dmp

Filesize
17.4MB

Download
memory/1880-188-0x000000006FBC0000-0x000000006FBC8000-memory.dmp

Filesize
32KB

Download
memory/1880-189-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-240-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-195-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-199-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-200-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-203-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-204-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-208-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-235-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-216-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-219-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-220-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-223-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-224-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-228-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1880-231-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1880-232-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/3032-142-0x0000000000400000-0x0000000001C90000-memory.dmp

Filesize
24.6MB

Download
memory/4348-143-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4348-144-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download