Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:35

General

  • Target

    2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe

  • Size

    8.1MB

  • MD5

    8dcef7c196a956126365a26069a0969d

  • SHA1

    34c4ab98d979132ee3f3bdbb60911bc184a2c727

  • SHA256

    5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1

  • SHA512

    6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe

  • SSDEEP

    98304:tdYOXwnS4rVR5v77GBfWx77GBfWGLMK+JL/+YOXwnS4rVv5mMrm1RF4HiIDQURma:AIcRGBfW1GBfWg+lIcJyHFQiuQ9w3

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 48 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
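The "Modifies WinLogon for persistence" signature (carried by PID 2820 in the process tree below) records that the Winlogon key was changed but not which value. The Python below is an added example, not part of the sandbox report or of the sample: it audits an exported Winlogon key offline by parsing a `.reg` export, comparing the Shell and Userinit values against their Windows 7 defaults, and flagging extra comma-separated entries, in particular ones that point into user-writable directories. Both `.reg` texts are constructed; the Userinit entry naming cdpo.exe is hypothetical and only illustrates what a Userinit-style modification would look like.

```python
# Constructed .reg exports of the Winlogon key: one clean, one with a
# hypothetical extra Userinit entry (the report only says Winlogon was
# modified, not which value; this is what a Userinit-style change looks like).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001
"""

INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\cdpo.exe,"
"AutoRestartShell"=dword:00000001
"""

# Default contents of the Winlogon values that launch code at logon (Windows 7).
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}
# Values that are normally absent on a default install; any content deserves a look.
NORMALLY_ABSENT = ("taskman", "appsetup")
# Path fragments a logon helper has no business living under.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; REG_SZ strings are unescaped, other types kept raw."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"'):
            name, _, val = line.partition("=")
            if val.startswith('"') and val.endswith('"'):
                # .reg files double backslashes and escape embedded quotes
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[cur][name.strip('"')] = val
    return keys


def split_entries(value):
    """Comma-separated program list (Userinit keeps a trailing comma by default)."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def audit_winlogon(text):
    """Return (value_name, entry, reason) tuples for anything that deviates from the defaults."""
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().endswith("\\winlogon"):
            continue
        for name, val in values.items():
            lname = name.lower()
            if lname in NORMALLY_ABSENT and val:
                findings.append((name, val, "value normally absent"))
            elif lname in EXPECTED:
                for entry in split_entries(val):
                    if entry in EXPECTED[lname]:
                        continue
                    reason = ("entry in user-writable path"
                              if any(m in entry for m in USER_WRITABLE)
                              else "unexpected entry")
                    findings.append((name, entry, reason))
    return findings


if __name__ == "__main__":
    print("clean:", audit_winlogon(CLEAN_REG))
    print("infected:", audit_winlogon(INFECTED_REG))
```

On a live host the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the check is deliberately whitelist-based (known defaults, everything else reported) rather than looking for one malware path, so a different dropped-file name still surfaces.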

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Roaming\cdpo.exe
        C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Roaming\cdpo.exe
          C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Users\Admin\AppData\Roaming\cdpo.exe
            C:\Users\Admin\AppData\Roaming\cdpo.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2696
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2776
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2448
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1220
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2032
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2496
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2724
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2732
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2248
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2832
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1864
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2312
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:968
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2316
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1060
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1096
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2228
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:3068
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1692
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1164
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1680
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2604
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2444
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1512
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1980
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2908
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2868
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2944
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1364
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1600
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:548
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1492
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:824
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1636
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:820
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2060
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1752
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1768
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:756
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1340
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2876
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:1724
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2220
              • C:\Users\Admin\AppData\Roaming\cdpo.exe
                C:\Users\Admin\AppData\Roaming\cdpo.exe
                7⤵
                • Executes dropped EXE
                PID:2816
            • C:\Users\Admin\AppData\Roaming\cdpo.exe
              C:\Users\Admin\AppData\Roaming\cdpo.exe
              6⤵
              • Executes dropped EXE
              PID:3012
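Three things in the tree above are worth pulling out mechanically rather than by eye: the submitted executable uses SetThreadContext and WriteProcessMemory and then launches a child of its own image (PID 2180 to 2340), which is the usual shape of process hollowing; the dropped cdpo.exe (PIDs 2548 and 2820) runs with a command line that still names the original path in Temp plus a `-dwup` argument, so image and command line disagree; and the persistence signature sits on a single process (2820). The memory dumps below list the same 52 KB region at 0x400000 in each leaf process, which is consistent with the same image being written into every child. The Python below is an added example, not part of the sandbox report: it parses a constructed excerpt of the tree in the report's own layout (the long sample name shortened to sample.exe; signature strings as in the report) and flags those three patterns.

```python
import re

# Constructed excerpt of the process tree above, in the report's own layout
# (image, command line, depth marker, signatures, PID); the submitted file's
# long name is shortened to sample.exe.
SAMPLE_TREE = r"""
• C:\Users\Admin\AppData\Local\Temp\sample.exe
  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  1⤵
  • Suspicious use of SetThreadContext
  • Suspicious use of WriteProcessMemory
  PID:2180
  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    2⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Roaming\cdpo.exe
      C:\Users\Admin\AppData\Local\Temp\sample.exe -dwup
      3⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Roaming\cdpo.exe
        C:\Users\Admin\AppData\Local\Temp\sample.exe -dwup
        4⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\AppData\Roaming\cdpo.exe
          C:\Users\Admin\AppData\Roaming\cdpo.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Users\Admin\AppData\Roaming\cdpo.exe
            C:\Users\Admin\AppData\Roaming\cdpo.exe
            6⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2696
"""


def parse_tree(text):
    """Parse the bullet layout into dict nodes; the N⤵ marker gives the tree level."""
    procs, cur, stage = [], None, "image"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if stage == "image" and line.startswith("• "):
            cur, stage = {"image": line[2:], "sigs": [], "children": []}, "cmdline"
        elif stage == "cmdline":
            cur["cmdline"], stage = line, "depth"
        elif stage == "depth":
            cur["depth"], stage = int(re.fullmatch(r"(\d+)⤵", line).group(1)), "sigs"
        elif stage == "sigs" and line.startswith("• "):
            cur["sigs"].append(line[2:])
        elif stage == "sigs" and line.startswith("PID:"):
            cur["pid"], stage = int(line[4:]), "image"
            procs.append(cur)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    for i, p in enumerate(procs):  # parent = nearest earlier node one level up
        p["parent"] = next((q for q in reversed(procs[:i]) if q["depth"] == p["depth"] - 1), None)
        if p["parent"]:
            p["parent"]["children"].append(p)
    return procs


def exe_from_cmdline(cmdline):
    """First token of the command line with surrounding quotes removed."""
    s = cmdline.strip()
    return s[1:s.index('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]


def hollowing_candidates(procs):
    """Parent used SetThreadContext+WriteProcessMemory and spawned a child of its own image."""
    need = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
    return [(p["pid"], c["pid"]) for p in procs if need <= set(p["sigs"])
            for c in p["children"] if c["image"].lower() == p["image"].lower()]


def cmdline_mismatches(procs):
    """Image on disk differs from the executable named on the command line."""
    return [p["pid"] for p in procs
            if exe_from_cmdline(p["cmdline"]).lower() != p["image"].lower()]


def persistence_pids(procs):
    """Processes carrying any persistence signature."""
    return [p["pid"] for p in procs if any("persistence" in s.lower() for s in p["sigs"])]


if __name__ == "__main__":
    procs = parse_tree(SAMPLE_TREE)
    print("hollowing candidates (parent, child):", hollowing_candidates(procs))
    print("image/cmdline mismatch:", cmdline_mismatches(procs))
    print("persistence:", persistence_pids(procs))
```

The same-image check is a heuristic: a legitimate launcher that re-executes itself will also match, so the SetThreadContext plus WriteProcessMemory requirement on the parent is what keeps the hit rate useful. The command-line mismatch is the cheaper signal and needs no API telemetry at all.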

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • \Users\Admin\AppData\Roaming\cdpo.exe

          Filesize

          8.1MB

          MD5

          8dcef7c196a956126365a26069a0969d

          SHA1

          34c4ab98d979132ee3f3bdbb60911bc184a2c727

          SHA256

          5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1

          SHA512

          6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe

        • memory/1096-198-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1164-235-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1220-86-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1340-421-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1492-347-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1512-273-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1600-328-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1636-366-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1724-440-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1768-403-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2060-384-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2312-161-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2316-180-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-4-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-13-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-12-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-10-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2340-2-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-6-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2340-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2496-104-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2604-254-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2732-124-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2776-67-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2788-45-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/2788-49-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

        • memory/2816-459-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2820-51-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2820-42-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2832-142-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2908-291-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2944-310-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/3068-217-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB