Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 17:35
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Resource: win10v2004-20240319-en
General
- Target: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Size: 8.1MB
- MD5: 8dcef7c196a956126365a26069a0969d
- SHA1: 34c4ab98d979132ee3f3bdbb60911bc184a2c727
- SHA256: 5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1
- SHA512: 6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe
- SSDEEP: 98304:tdYOXwnS4rVR5v77GBfWx77GBfWGLMK+JL/+YOXwnS4rVv5mMrm1RF4HiIDQURma:AIcRGBfW1GBfWg+lIcJyHFQiuQ9w3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by process cdpo.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\cdpo.exe -dwup"
- Executes dropped EXE (48 IoCs)
  pid / Process (every entry is cdpo.exe): 2548, 2820, 2788, 2696, 2776, 2448, 1220, 2032, 2496, 2724, 2732, 2248, 2832, 1864, 2312, 968, 2316, 1060, 1096, 2228, 3068, 1692, 1164, 1680, 2604, 2444, 1512, 1980, 2908, 2868, 2944, 1364, 1600, 548, 1492, 824, 1636, 820, 2060, 1752, 1768, 756, 1340, 2876, 1724, 2220, 2816, 3012
- Loads dropped DLL (3 IoCs)
  pid / Process:
  2340 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
  2340 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
  2548 cdpo.exe
- Suspicious use of SetThreadContext (24 IoCs)
  pid Process -> target pid (procid_target):
  2180 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe set thread context of 2340 (28)
  2548 cdpo.exe set thread context of 2820 (30)
  2696 cdpo.exe set thread context of 2776 (35)
  2448 cdpo.exe set thread context of 1220 (37)
  2032 cdpo.exe set thread context of 2496 (39)
  2724 cdpo.exe set thread context of 2732 (41)
  2248 cdpo.exe set thread context of 2832 (45)
  1864 cdpo.exe set thread context of 2312 (47)
  968 cdpo.exe set thread context of 2316 (49)
  1060 cdpo.exe set thread context of 1096 (51)
  2228 cdpo.exe set thread context of 3068 (53)
  1692 cdpo.exe set thread context of 1164 (55)
  1680 cdpo.exe set thread context of 2604 (57)
  2444 cdpo.exe set thread context of 1512 (59)
  1980 cdpo.exe set thread context of 2908 (61)
  2868 cdpo.exe set thread context of 2944 (63)
  1364 cdpo.exe set thread context of 1600 (65)
  548 cdpo.exe set thread context of 1492 (67)
  824 cdpo.exe set thread context of 1636 (69)
  820 cdpo.exe set thread context of 2060 (71)
  1752 cdpo.exe set thread context of 1768 (73)
  756 cdpo.exe set thread context of 1340 (75)
  2876 cdpo.exe set thread context of 1724 (77)
  2220 cdpo.exe set thread context of 2816 (79)
- Suspicious use of WriteProcessMemory (64 IoCs; identical repeated events collapsed, repeat count in brackets)
  pid Process -> target pid (procid_target):
  2180 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe wrote to memory of 2340 (28) [x9]
  2340 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe wrote to memory of 2548 (29) [x4]
  2548 cdpo.exe wrote to memory of 2820 (30) [x9]
  2820 cdpo.exe wrote to memory of 2788 (31) [x6]
  2788 cdpo.exe wrote to memory of 2696 (34) [x4]
  2696 cdpo.exe wrote to memory of 2776 (35) [x9]
  2788 cdpo.exe wrote to memory of 2448 (36) [x4]
  2448 cdpo.exe wrote to memory of 1220 (37) [x9]
  2788 cdpo.exe wrote to memory of 2032 (38) [x4]
  2032 cdpo.exe wrote to memory of 2496 (39) [x6]
Processes (number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe, PID 2180
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe, PID 2340
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Roaming\cdpo.exe, PID 2548
    cmdline: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Admin\AppData\Roaming\cdpo.exe, PID 2820
    cmdline: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Roaming\cdpo.exe, PID 2788
    cmdline: C:\Users\Admin\AppData\Roaming\cdpo.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

Every depth-6 and depth-7 entry below is C:\Users\Admin\AppData\Roaming\cdpo.exe with cmdline C:\Users\Admin\AppData\Roaming\cdpo.exe; each depth-7 process is the child of the depth-6 process listed directly above it.

[6] PID 2696
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[7] PID 2776
    - Executes dropped EXE
[6] PID 2448
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[7] PID 1220
    - Executes dropped EXE
[6] PID 2032
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[7] PID 2496
    - Executes dropped EXE
[6] PID 2724
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2732
    - Executes dropped EXE
[6] PID 2248
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2832
    - Executes dropped EXE
[6] PID 1864
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2312
    - Executes dropped EXE
[6] PID 968
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2316
    - Executes dropped EXE
[6] PID 1060
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1096
    - Executes dropped EXE
[6] PID 2228
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 3068
    - Executes dropped EXE
[6] PID 1692
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1164
    - Executes dropped EXE
[6] PID 1680
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2604
    - Executes dropped EXE
[6] PID 2444
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1512
    - Executes dropped EXE
[6] PID 1980
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2908
    - Executes dropped EXE
[6] PID 2868
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2944
    - Executes dropped EXE
[6] PID 1364
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1600
    - Executes dropped EXE
[6] PID 548
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1492
    - Executes dropped EXE
[6] PID 824
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1636
    - Executes dropped EXE
[6] PID 820
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2060
    - Executes dropped EXE
[6] PID 1752
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1768
    - Executes dropped EXE
[6] PID 756
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1340
    - Executes dropped EXE
[6] PID 2876
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 1724
    - Executes dropped EXE
[6] PID 2220
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
[7] PID 2816
    - Executes dropped EXE
[6] PID 3012 (no child process)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8.1MB
  MD5: 8dcef7c196a956126365a26069a0969d
  SHA1: 34c4ab98d979132ee3f3bdbb60911bc184a2c727
  SHA256: 5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1
  SHA512: 6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe