Analysis

  • max time kernel
    136s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/03/2024, 00:38

General

  • Target

    2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe

  • Size

    350KB

  • MD5

    eba37b2e24b58a1f57c766dcb88214a0

  • SHA1

    3dc2de3996b2cba2482e7992e0073d91b10759f4

  • SHA256

    1eead07a4c127453be9cd8c84e866388d7cc21c09f2c02edd1f5e034c3e9cfe5

  • SHA512

    52edbd45c4f2b5d6aaa3e46ae4d76dd95f92e4b937dfa56448dcc8d76e970f5cbea6cc5337dfaa2837c3f885d4c2bd4cd8b1f69069c7686dd1a1bc3119eecec3

  • SSDEEP

    6144:KznAtGqS5NjM2KbQbNYuhZ+6+eAbuQ5Zu60HnPLhDgWrA6hjt1aYTta:KTLnp+BCQ5Zu60HnP1TboYx

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
      C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2524

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • memory/1520-0-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize 384KB)
        • memory/1520-12-0x0000000000400000-0x0000000000460000-memory.dmp (Filesize 384KB)
        • memory/1520-6-0x0000000000240000-0x000000000026E000-memory.dmp (Filesize 184KB)
        • memory/1664-9-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
        • memory/1664-13-0x0000000000230000-0x000000000023F000-memory.dmp (Filesize 60KB)
        • memory/2944-21-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
        • memory/2944-22-0x00000000777FF000-0x0000000077800000-memory.dmp (Filesize 4KB)
        • memory/2944-20-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
        • memory/2944-18-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize 4KB)
        • memory/2944-497-0x00000000777FF000-0x0000000077800000-memory.dmp (Filesize 4KB)
        • memory/2944-19-0x00000000001C0000-0x00000000001CF000-memory.dmp (Filesize 60KB)