Malware Analysis Report

2025-08-05 19:12

Sample ID 240330-azg2esdg96
Target 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit
SHA256 1eead07a4c127453be9cd8c84e866388d7cc21c09f2c02edd1f5e034c3e9cfe5
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eead07a4c127453be9cd8c84e866388d7cc21c09f2c02edd1f5e034c3e9cfe5

Threat Level: Known bad

The file 2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 00:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 00:38

Reported

2024-03-30 00:41

Platform

win7-20240221-en

Max time kernel

136s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px2414.tmp C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6260371-EE2D-11EE-8F9A-6A55B5C6A64E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417921009" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1520 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1520 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1520 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1664 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1664 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1664 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1664 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2944 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2944 wrote to memory of 2556 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1520-0-0x0000000000400000-0x0000000000460000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1520-6-0x0000000000240000-0x000000000026E000-memory.dmp

memory/1664-13-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1520-12-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1664-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2944-19-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2944-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2944-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2944-22-0x00000000777FF000-0x0000000077800000-memory.dmp

memory/2944-21-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4675.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8f16cdbb0d243a7ea0d0598e7c4b696
SHA1 4b097077b8caad87e02920afb212ef14f4cc356a
SHA256 b9175cbb5c4dd0ee10945af84b8701b90189f60bb63bb8e2a348f71227083b7d
SHA512 007dbdacd0f32228c4993c58a3a217ce5d8036e497160cfcd00e85dc932b384b4a2ecd69204e93deb54afccd192ffb7665b30bce7368c6237dfb82f8671036c7

C:\Users\Admin\AppData\Local\Temp\Tar4766.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2944-497-0x00000000777FF000-0x0000000077800000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 00:38

Reported

2024-03-30 00:41

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px40E1.tmp C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418524118" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31097402" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3150027649" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3150027649" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097402" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3152215722" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3152215722" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31097402" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E749C22D-EE2D-11EE-9216-6257B05D87B4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31097402" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 1892 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe
PID 3600 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3600 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3600 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4748 wrote to memory of 2696 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4748 wrote to memory of 2696 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 4680 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2696 wrote to memory of 4680 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2696 wrote to memory of 4680 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.34.16.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/1892-0-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-03-30_eba37b2e24b58a1f57c766dcb88214a0_icedid_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3600-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3600-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3600-7-0x0000000000590000-0x000000000059F000-memory.dmp

memory/1892-6-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4748-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4748-15-0x0000000001EF0000-0x0000000001EFF000-memory.dmp

memory/4748-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4748-18-0x0000000076EE2000-0x0000000076EE3000-memory.dmp

memory/4748-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4748-16-0x0000000001F00000-0x0000000001F01000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 83b49b2e7134c3062b8085920426bfb3
SHA1 b4cf85a34739004f8c250efa1c3b021c19830c85
SHA256 1cd035d5b63a191de0e8853548025d785dcd928e3049dec5642009391f5befcc
SHA512 a7d8db600b83ae679a8b03a677259b5746d883bfd131f09859447c0400835536297b3ed6419a44e961aff996dc5536b55d340399ebacca3be3ba4b8b19781d4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 fdbfab59dd731fc781a0a138c771202a
SHA1 929c5136d238408f69ba3056d99b3c3204b63eb2
SHA256 f4b7ad5ebe693d2eaa3f80dce3416b3cf2d9099864e1cef9826a7939f1cbc5eb
SHA512 f5a24edc9d42603e86563313e0a0602b70a9caad52f555979f0dec7239d74df7ab189f276e7809fac3bc2799d00a4c28efb2ef1b58659b00b397085e6b92aae2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB96D.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0ZA3FRO8\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee