Analysis
max time kernel: 136s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2024, 00:38

Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe
Resource: win7-20240221-en
General
Target: 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe
Size: 350KB
MD5: eba37b2e24b58a1f57c766dcb88214a0
SHA1: 3dc2de3996b2cba2482e7992e0073d91b10759f4
SHA256: 1eead07a4c127453be9cd8c84e866388d7cc21c09f2c02edd1f5e034c3e9cfe5
SHA512: 52edbd45c4f2b5d6aaa3e46ae4d76dd95f92e4b937dfa56448dcc8d76e970f5cbea6cc5337dfaa2837c3f885d4c2bd4cd8b1f69069c7686dd1a1bc3119eecec3
SSDEEP: 6144:KznAtGqS5NjM2KbQbNYuhZ+6+eAbuQ5Zu60HnPLhDgWrA6hjt1aYTta:KTLnp+BCQ5Zu60HnP1TboYx
Malware Config
Signatures
UPX dump on OEP (original entry point) 5 IoCs
resource | yara_rule
behavioral1/files/0x0010000000012248-2.dat | UPX
behavioral1/memory/1520-12-0x0000000000400000-0x0000000000460000-memory.dmp | UPX
behavioral1/memory/1664-9-0x0000000000400000-0x000000000042E000-memory.dmp | UPX
behavioral1/memory/2944-20-0x0000000000400000-0x000000000042E000-memory.dmp | UPX
behavioral1/memory/2944-21-0x0000000000400000-0x000000000042E000-memory.dmp | UPX

Executes dropped EXE 2 IoCs
pid | Process
1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
2944 | DesktopLayer.exe

Loads dropped DLL 2 IoCs
pid | Process
1520 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe
1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

[signature title missing from the page; yara rule "upx"] 4 IoCs
resource | yara_rule
behavioral1/files/0x0010000000012248-2.dat | upx
behavioral1/memory/1664-9-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral1/memory/2944-20-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral1/memory/2944-21-0x0000000000400000-0x000000000042E000-memory.dmp | upx

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px2414.tmp | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

Modifies Internet Explorer settings (signature title taken from the process tree below; 28 IoCs listed)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6260371-EE2D-11EE-8F9A-6A55B5C6A64E} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417921009" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2944 | DesktopLayer.exe
2944 | DesktopLayer.exe
2944 | DesktopLayer.exe
2944 | DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2556 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2556 | iexplore.exe
2556 | iexplore.exe
2524 | IEXPLORE.EXE
2524 | IEXPLORE.EXE
2524 | IEXPLORE.EXE
2524 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1520 wrote to memory of 1664 | 1520 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe | 29
PID 1520 wrote to memory of 1664 | 1520 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe | 29
PID 1520 wrote to memory of 1664 | 1520 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe | 29
PID 1520 wrote to memory of 1664 | 1520 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe | 29
PID 1664 wrote to memory of 2944 | 1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe | 30
PID 1664 wrote to memory of 2944 | 1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe | 30
PID 1664 wrote to memory of 2944 | 1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe | 30
PID 1664 wrote to memory of 2944 | 1664 | 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe | 30
PID 2944 wrote to memory of 2556 | 2944 | DesktopLayer.exe | 31
PID 2944 wrote to memory of 2556 | 2944 | DesktopLayer.exe | 31
PID 2944 wrote to memory of 2556 | 2944 | DesktopLayer.exe | 31
PID 2944 wrote to memory of 2556 | 2944 | DesktopLayer.exe | 31
PID 2556 wrote to memory of 2524 | 2556 | iexplore.exe | 32
PID 2556 wrote to memory of 2524 | 2556 | iexplore.exe | 32
PID 2556 wrote to memory of 2524 | 2556 | iexplore.exe | 32
PID 2556 wrote to memory of 2524 | 2556 | iexplore.exe | 32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"
  PID: 1520
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
    PID: 1664
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      PID: 2944
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2556
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
          PID: 2524
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not given on the page)
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 72a8b925380a2cef4a29864092742034
SHA1: e5161f8cf252cf576ad12d50769b942098039d1e
SHA256: 1aea0ba2ef50627fd6ef9887481909dddfad6549d30c8843556090684ac99d01
SHA512: 42c431d4b72bf2bf06d66a1652830ba17d1e4f7d2445af4778051d8b4aeaeb1cd7d036fadde709e72938591690a56a5fa98140a3b8fd9e257ea7d1b2a48d4a99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 25cdaf88d7c8eb5cee4940cfa3e635c4
SHA1: 833c7c2dfd6c8f6342ed625d21c505f704cd511f
SHA256: 9f7ab416dd8c32f895779bfddcd19a874af7576d26def603c5c9e762f5ea5885
SHA512: a6351dbef485d3280bc04c4994711ec1ebc03634fec95645ff76b437672c96104c8edd8621e3839d9a3696a7264bddb5d2fc0a1918048d640dee91dd0c9de712

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4d97dffff4c22110bbdda7a499d35e3e
SHA1: 6c9473efec1792a50c6421b9f8720e77fed7365b
SHA256: adfb60320d3de841e4af77c86a3db68c49cdd9f6691efc05d990fc889943e5a2
SHA512: 92f26d7899bc07c3be713a3d0d3bd00d98f76560fe01cbf4d06484dac2727baf99e9d4228334eda695ab0afda15d442d3aa0949d355f3e8b73a7c23e83a640a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c9a9de2dd2c26dab989b025065acd38e
SHA1: bd842347aa9db6968c982ff8ff54248d848c395e
SHA256: 219fd5bff41fe036a2d47745aaada3d96e0b96d45d716af735dd657313ee6bfc
SHA512: 670ae438edd67da49aa0557caaf0d7e0adb7716e0354d2bb0186fc832a59976d3cd4efe9a650307efa3d63111dad00f69216ffa9a685657f27e0932aa780f67f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 295a86935706dc11b18a62e4a786e450
SHA1: 5de32213688969e902f8e43f01ccbd9a3612ec9b
SHA256: c74ae9ba29021fd5435843261af0d27e59f6d80a9adcaf5fa278429cfb190520
SHA512: 76b54870708125e516428bd4879ca1ca09b299a81804fa4cfa0ce7776844ca4ce821bcf6d8a441ce707b986df3b2d74b4fc262b3afca9a79da2ab84dbc5f2b16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 76e56fc5cef80e190b12e8259852ca8b
SHA1: 93a685b2ff980bb441780c86867870455593d204
SHA256: 8e400625861a5246b2dba101fd64d870174f08e2b5dd036db497f6f4bafa80ac
SHA512: 789b23c63d56a1510e439409190ac90cd533d7530544746f673d3556596620ee897552faacf77cc5432dad895c56c0ab97d84c0d15f42c47c010d205e380dfe2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 3af0eb48310eea866acb15172e656d0c
SHA1: 0f26c015aed4bb67f5c3b0edece68af9ac96ceff
SHA256: 26e4b6c72298a9dd71fb554519713747dceff7c9e53a53859a41704132bbe87c
SHA512: 86a2a6316c91c45f162a3b838b01fd3a071c167ed52a1cbb7ef75602c48682935557ec2950c1366f620cb2d2dc153540e142d860ebebc8ba888bfe91c0e629d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 093fa3a3d6fee5b68cdc6406ad9088b3
SHA1: 18e04869a7c530805d768e5da44434f7158395f5
SHA256: 1b21e4c5e87e3372941c11b6784cb583114d21fac9a51675f9550a0c33bd5c18
SHA512: c0d89b24d1cf874e8c0e4984e7a62898d940e64f27b43408e45a1a275734c9b14b8352da0dee323014093666a3e635dc633fddc1a4c4d12985358aee48dcaa8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: e8c4fd924a1eb86c4af31a8eb4fcf0ad
SHA1: 98656404de9744ae75cf0a6c03ba25b47c06dda5
SHA256: 0543cb37df95b50b7956452abeca27230442d49820060c6752aca57ec93d4a28
SHA512: 07d7e735b94842fb4840acfa4ce2cfcd831275269334ace1edc6c984c300125a8c9a6d9a6308c27f28e4a16fe4438c241e60e98bcbaf7ab971bd9bd52f9eac9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 79f1f3e3f468df3e4b5b292f72007388
SHA1: 03eedd8ba2b68a6889b698c0e22d98f6d4d7a790
SHA256: 23c6efac0885db6156a4590ed376633bd196b6d6dc732eb8491e502b5160890a
SHA512: c5be3ee63fe146daee649adaada7ad479a1931bd1b7b322ced077bcdaeff4f237dda55c36bf4a92060c3a231d233d91233997ff208741cd00cdd54c1c0e52851

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b6d1e81c7a90c9636f7d5b027e25dfb0
SHA1: 84eaefa263295d5dce7d059cc987a07e57226ba1
SHA256: 20e6f46403ca3a5fa71eed32c53527175fb92707ec3d6817a4aa74766e3f6c2c
SHA512: c4aa396c2552664a1506c85af740e7df9d857b4aa4c4bb3b994b768e3d7085eff54b69af8cccee452cd30a368d06001eeb1046edeb985cd2f22bddbecee57a85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f8f16cdbb0d243a7ea0d0598e7c4b696
SHA1: 4b097077b8caad87e02920afb212ef14f4cc356a
SHA256: b9175cbb5c4dd0ee10945af84b8701b90189f60bb63bb8e2a348f71227083b7d
SHA512: 007dbdacd0f32228c4993c58a3a217ce5d8036e497160cfcd00e85dc932b384b4a2ecd69204e93deb54afccd192ffb7665b30bce7368c6237dfb82f8671036c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 05dcd2efe82232e11cc3618ab16ed3e2
SHA1: 6cf535517ead61eb50b22d2361bdfdc6120b40d9
SHA256: 08db00fc6e106d9a6d347a429e19efeac25e73805037a718f342fc1bbe830d74
SHA512: 451ba17efa335b7460427c13614d0047171d533d1d2fa8bcb0354df2cafd36f1c0a7e17d46d38aa2964196006a6446104c0b98f320d3766c733a2137d4c20fbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: e6afb9bcb96fbad58095006e4ccbe707
SHA1: 4d39630a1941605df6232486d5c6659e4fff9f31
SHA256: 77a1f08bb888ce9a9dc3c2ec04969e5c26a4cc7745a4d7636d7ba4866819eff1
SHA512: 8bcfc91555b4fc0d1ca5e70715df5589a55c76cfd1858ece4a50c146e16be171891ee705a37b344169d89369fc272eec9b1d101e93a89294f2cafdb846f7fb44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 9af8ef13c7acc3e2339bc3b01c1c730e
SHA1: 753db463033e77e9758da5d0634e08e2d21cf07c
SHA256: 03ad664ff98d99eb3b3d826531e74bbba69b395a958b00edee4efd3308db6987
SHA512: b3580e5846d3fab45bd85557a767f15b822fc84879c63598e4dddf49ae90b028430427ad9d7c5736f7ff8c4a83e60ba777a75edec1d51c5c73b2eac204ef08f9

(path not given on the page)
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

(path not given on the page)
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

(path not given on the page)
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a