Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 17:35

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Resource: win10v2004-20240319-en

General
- Target: 2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
- Size: 8.1MB
- MD5: 8dcef7c196a956126365a26069a0969d
- SHA1: 34c4ab98d979132ee3f3bdbb60911bc184a2c727
- SHA256: 5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1
- SHA512: 6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe
- SSDEEP: 98304:tdYOXwnS4rVR5v77GBfWx77GBfWGLMK+JL/+YOXwnS4rVv5mMrm1RF4HiIDQURma:AIcRGBfW1GBfWg+lIcJyHFQiuQ9w3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\vwbe.exe -dwup"
  Process: vwbe.exe
- Executes dropped EXE (47 IoCs)
- Suspicious use of SetThreadContext (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe (PID 3636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe (PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1032)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2108)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4332)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1040)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4304)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3120)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1800)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4852)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2012)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2392)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2472)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3696)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4688)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3168)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4604)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 852)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3936)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4296)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2872)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2096)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1972)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1544)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3692)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4504)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4596)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2152)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4080)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1744)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4680)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 392)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4340)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3128)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4984)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3692)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3316)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3868)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 932)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1852)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1036)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3440)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4596)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 3160)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4572)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 2296)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1036)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 6: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 1180)
  Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  Depth 7: C:\Users\Admin\AppData\Roaming\vwbe.exe (PID 4604)
    Command line: C:\Users\Admin\AppData\Roaming\vwbe.exe
    - Executes dropped EXE

Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2716)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8.1MB
  MD5: 8dcef7c196a956126365a26069a0969d
  SHA1: 34c4ab98d979132ee3f3bdbb60911bc184a2c727
  SHA256: 5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1
  SHA512: 6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe