Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:35

General

  • Target

    2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe

  • Size

    8.1MB

  • MD5

    8dcef7c196a956126365a26069a0969d

  • SHA1

    34c4ab98d979132ee3f3bdbb60911bc184a2c727

  • SHA256

    5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1

  • SHA512

    6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe

  • SSDEEP

    98304:tdYOXwnS4rVR5v77GBfWx77GBfWGLMK+JL/+YOXwnS4rVv5mMrm1RF4HiIDQURma:AIcRGBfW1GBfWg+lIcJyHFQiuQ9w3

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Executes dropped EXE (47 IoCs)
  • Suspicious use of SetThreadContext (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Roaming\vwbe.exe
        C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Users\Admin\AppData\Roaming\vwbe.exe
          C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe -dwup
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Users\Admin\AppData\Roaming\vwbe.exe
            C:\Users\Admin\AppData\Roaming\vwbe.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4332
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1040
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4304
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3120
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:1800
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4852
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:2012
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2392
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:2472
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3696
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4688
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3168
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4604
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:852
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:3936
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4296
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:2872
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2096
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:1972
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1544
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:3692
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4504
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4596
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2152
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4080
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1744
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4680
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:392
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4340
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3128
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4984
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3692
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:3316
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3868
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:932
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1852
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:1036
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3440
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4596
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3160
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4572
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2296
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:1036
            • C:\Users\Admin\AppData\Roaming\vwbe.exe
              C:\Users\Admin\AppData\Roaming\vwbe.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1180
              • C:\Users\Admin\AppData\Roaming\vwbe.exe
                C:\Users\Admin\AppData\Roaming\vwbe.exe
                7⤵
                • Executes dropped EXE
                PID:4604
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2716

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Roaming\vwbe.exe

            Filesize

            8.1MB

            MD5

            8dcef7c196a956126365a26069a0969d

            SHA1

            34c4ab98d979132ee3f3bdbb60911bc184a2c727

            SHA256

            5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1

            SHA512

            6fd5e671a896596ac30b838ddba0c2c3dbc492082732e582e46fcac6323e6ef39f0f8712ad4bda2743489278606da9332f4b053b043387202463e407da99e8fe

          • memory/848-2-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/848-3-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/848-0-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/932-166-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/1036-200-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/1036-174-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/1800-36-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/1972-97-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2012-44-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2108-56-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2108-16-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2108-15-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2108-18-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2472-53-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/2872-88-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/3316-157-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/3692-105-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/3936-80-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4080-123-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4304-27-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4332-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

            Filesize

            4KB

          • memory/4340-140-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4572-191-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4596-114-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4596-183-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4604-71-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4604-209-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4680-131-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4688-62-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB

          • memory/4984-148-0x0000000000400000-0x000000000040D000-memory.dmp

            Filesize

            52KB
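The following triage script is an added example and is not part of the sandbox output or of the sample. It transcribes a subset of the Processes tree and the Downloads memory-dump listing above into plain Python tables (the Edge command line is abbreviated; the signature labels STC, WPM, DEXE and WINLOGON are shorthand for the report's signature names) and derives the indicators a responder would want from such a report: processes whose on-disk image differs from the executable named on their command line, parent/child pairs that fit the SetThreadContext-on-own-image pattern, the PID carrying the Winlogon change, dropped files that are byte-identical to the submitted sample, and the memory range that recurs across PIDs. The rule names and the hollowing interpretation are this example's reading of the signatures, not a verdict the sandbox states.

```python
"""Triage helpers for a sandbox process tree and memory-dump listing (added example)."""
import ntpath  # Windows path semantics regardless of the host running this script
import re
from collections import defaultdict

# Constructed from the report's Processes section (a subset of the tree).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8dcef7c196a956126365a26069a0969d_icedid_ramnit.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\vwbe.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
STC, WPM, DEXE, WINLOGON = ("SetThreadContext", "WriteProcessMemory",
                            "Executes dropped EXE", "Modifies WinLogon")

# (pid, parent pid, image path, command line, signatures flagged on the process)
PROCESSES = [
    (3636, None, SAMPLE, f'"{SAMPLE}"', {STC, WPM}),
    (848, 3636, SAMPLE, f'"{SAMPLE}"', {WPM}),
    (1032, 848, DROP, f"{SAMPLE} -dwup", {DEXE, STC, WPM}),
    (2108, 1032, DROP, f"{SAMPLE} -dwup", {WINLOGON, DEXE, WPM}),
    (4332, 2108, DROP, DROP, {DEXE, WPM}),
    (1040, 4332, DROP, DROP, {DEXE, STC, WPM}),
    (4304, 1040, DROP, DROP, {DEXE}),
    (3120, 4332, DROP, DROP, {DEXE, STC, WPM}),
    (1800, 3120, DROP, DROP, {DEXE}),
    (3696, 4332, DROP, DROP, {DEXE, STC}),
    (4688, 3696, DROP, DROP, {DEXE}),
    (2716, None, EDGE, f'"{EDGE}" --type=utility', set()),  # benign control; args abbreviated
]

# Constructed from the Downloads section: dump file name as listed, reported size.
DUMPS = [
    ("memory/848-0-0x0000000000400000-0x000000000040D000-memory.dmp", "52KB"),
    ("memory/848-2-0x0000000000400000-0x000000000040D000-memory.dmp", "52KB"),
    ("memory/2108-15-0x0000000000400000-0x000000000040D000-memory.dmp", "52KB"),
    ("memory/4304-27-0x0000000000400000-0x000000000040D000-memory.dmp", "52KB"),
    ("memory/1800-36-0x0000000000400000-0x000000000040D000-memory.dmp", "52KB"),
    ("memory/4332-19-0x00000000001D0000-0x00000000001D1000-memory.dmp", "4KB"),
]
SAMPLE_SHA256 = "5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1"
DOWNLOADS = [(DROP, "5e8962d101029796689752b52989d9d5850282fa82d1eeb5cd743207be821ef1")]


def exe_from_cmdline(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def image_cmdline_mismatch(procs):
    """PIDs whose on-disk image differs from the executable named on the command line.
    In the report, vwbe.exe runs with the original sample's path plus '-dwup'."""
    return [pid for pid, _, image, cmd, _ in procs
            if ntpath.basename(image).lower()
            != ntpath.basename(exe_from_cmdline(cmd)).lower()]


def hollowing_candidates(procs):
    """(parent, child) pairs where the parent used SetThreadContext and the child runs
    the parent's own image: the suspended-self-spawn shape of process hollowing."""
    by_pid = {p[0]: p for p in procs}
    pairs = []
    for pid, ppid, image, _, _ in procs:
        parent = by_pid.get(ppid)
        if parent and STC in parent[4] and parent[2].lower() == image.lower():
            pairs.append((ppid, pid))
    return pairs


def persistence_pids(procs):
    """PIDs flagged for the Winlogon registry change."""
    return [pid for pid, _, _, _, sigs in procs if WINLOGON in sigs]


def dropped_self_copies(downloads, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample (a verbatim self-copy)."""
    return [path for path, sha in downloads if sha.lower() == sample_sha256.lower()]


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """(pid, start, end) from a dump file name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(name)
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def size_matches(name, reported):
    """Check the reported 'NNKB' size against the address range encoded in the name."""
    _, start, end = parse_dump(name)
    return (end - start) // 1024 == int(reported.rstrip("KB"))


def shared_regions(dumps):
    """Map each (start, end) range to the PIDs it was dumped from. A range recurring
    across many PIDs (0x400000-0x40D000 here) is the same 52KB image re-mapped into
    every generation of the chain."""
    regions = defaultdict(set)
    for name, _ in dumps:
        pid, start, end = parse_dump(name)
        regions[(start, end)].add(pid)
    return dict(regions)


if __name__ == "__main__":
    print("image/cmdline mismatch:", image_cmdline_mismatch(PROCESSES))
    print("hollowing candidates:", hollowing_candidates(PROCESSES))
    print("persistence:", persistence_pids(PROCESSES))
    print("self copies:", dropped_self_copies(DOWNLOADS, SAMPLE_SHA256))
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:X}-0x{end:X}: {sorted(pids)}")
```

The image/command-line mismatch and the recurring 0x400000-0x40D000 range are the two things worth carrying into detection content: the first is visible in any process-creation telemetry (Sysmon event 1, EDR process start) without needing the sandbox's API-level signatures, and the second tells you that dumping one child's 52KB region is enough to recover the injected image, since every generation maps the same range.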