Analysis
max time kernel: 151s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
Size: 2.3MB
MD5: e1411feac1ed6b50c014247eac55f469
SHA1: 3f7b89523a51ed6a1a2ff6cff02afa1900ed0080
SHA256: 78b9f2e1bd4572386c8c0941944ae586020e11d9f1d076101891d3f24c486a40
SHA512: 965098224638c81d8f64b2003ff73c0c21cc5ab1e4cacf4aa8ea3bb71dd8b3cb208acd6b9f4f6fc2b18acf9c898fee9e42eae2ffc814042602dc924348378afa
SSDEEP: 24576:9X/eO4qDtDC6jUoEAyjX/eO4qDAxqdaP+hH0F1tGrqnjlr6jT:0O4kLPyKO4OUPM0FGOVK
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: xudj.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xudj.exe -dwup"
  The stock Userinit value holds only userinit.exe. Winlogon launches every comma-separated entry at interactive logon, so the appended C:\Users\Admin\AppData\Roaming\xudj.exe -dwup is relaunched at each logon, with the same -dwup switch the dropper used when it first started xudj.exe (PID 2956 in the tree below). The write landed under Wow6432Node, the view that WOW64 registry redirection presents to a 32-bit process (the sample carries the arch:x86 tag); when checking a host, read both the native Winlogon key and the Wow6432Node one.
Executes dropped EXE (48 IoCs)
  Process: xudj.exe for all 48 entries
  PIDs: 2956, 2492, 2604, 672, 472, 2628, 1892, 2612, 2624, 1560, 1752, 1720, 2964, 1160, 828, 1768, 1056, 292, 636, 1760, 1656, 2224, 2692, 3028, 2568, 2560, 2456, 2328, 1408, 2536, 2880, 1580, 1628, 284, 572, 2076, 2792, 2296, 612, 2788, 1784, 1828, 948, 1152, 780, 2228, 2648, 2348
Loads dropped DLL (2 IoCs)
  PID 840, 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe (listed twice)
Suspicious use of SetThreadContext (24 IoCs)
  Format: parent PID -> target PID (parent image, procid_target)
  2432 -> 840 (2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe, 28)
  2956 -> 2492 (xudj.exe, 30)
  672 -> 472 (xudj.exe, 35); 2628 -> 1892 (xudj.exe, 37); 2612 -> 2624 (xudj.exe, 39); 1560 -> 1752 (xudj.exe, 43); 1720 -> 2964 (xudj.exe, 45); 1160 -> 828 (xudj.exe, 47); 1768 -> 1056 (xudj.exe, 49); 292 -> 636 (xudj.exe, 51); 1760 -> 1656 (xudj.exe, 53); 2224 -> 2692 (xudj.exe, 55); 3028 -> 2568 (xudj.exe, 57); 2560 -> 2456 (xudj.exe, 59); 2328 -> 1408 (xudj.exe, 61); 2536 -> 2880 (xudj.exe, 63); 1580 -> 1628 (xudj.exe, 65); 284 -> 572 (xudj.exe, 67); 2076 -> 2792 (xudj.exe, 69); 2296 -> 612 (xudj.exe, 71); 2788 -> 1784 (xudj.exe, 73); 1828 -> 948 (xudj.exe, 75); 1152 -> 780 (xudj.exe, 77); 2228 -> 2648 (xudj.exe, 79)
Suspicious use of WriteProcessMemory (64 IoCs)
  The page prints one line per call; collapsed here to one row per parent/child pair with the number of calls. The listing ends at 64 entries, partway through the tree, so later pairs are not shown.
  parent -> child   parent image   procid_target   calls
  2432 -> 840   2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe   28   9
  840 -> 2956   2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe   29   4
  2956 -> 2492   xudj.exe   30   9
  2492 -> 2604   xudj.exe   31   6
  2604 -> 672   xudj.exe   34   4
  672 -> 472   xudj.exe   35   9
  2604 -> 2628   xudj.exe   36   4
  2628 -> 1892   xudj.exe   37   9
  2604 -> 2612   xudj.exe   38   4
  2612 -> 2624   xudj.exe   39   6
  The pairs that also appear under SetThreadContext (2432 -> 840, 2956 -> 2492, 672 -> 472, 2628 -> 1892) receive nine writes each, while the plain child launches from 840 and 2604 receive four. Memory writes into a freshly created child followed by SetThreadContext on it is the call pattern of process hollowing; the signature names only the API use, not the technique.
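The Userinit modification above is the one durable artefact this run leaves, so it is the value to hunt for. The Python below is an added example, not code from the sandbox report or the sample: it splits a Userinit string into its entries and flags anything that is not the stock userinit.exe. OBSERVED_USERINIT is the value the report records (the report's escaped double backslashes reduced to the single ones a registry read returns); the function names, the expected-default constant and the reason strings are the example's own assumptions. On a Windows host the last function reads both registry views, since the write in this run landed under Wow6432Node.

```python
"""Spot non-default Winlogon Userinit entries.

Added example for this report, not code from the sandbox or the sample.
OBSERVED_USERINIT is the value the report records; the function names,
the expected default and the reason strings are the example's own.
"""
from __future__ import annotations

import re
import sys

# Stock value on a clean install. Winlogon launches every comma-separated entry
# at interactive logon, so anything after userinit.exe is an autostart
# (MITRE ATT&CK T1547.004).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed from the report's IoC (single backslashes, as a live read gives).
OBSERVED_USERINIT = (
    r"C:\Windows\system32\userinit.exe,"
    r"C:\Users\Admin\AppData\Roaming\xudj.exe -dwup"
)

# Optional quotes around the image, the path up to the first ".exe", then
# optional arguments.
_ENTRY_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s+(.*))?$', re.IGNORECASE)


def split_userinit(value: str) -> list[tuple[str, str]]:
    """Split a Userinit string into (image_path, arguments) pairs.

    Empty entries, such as the trailing comma of the default value, are dropped.
    """
    entries: list[tuple[str, str]] = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY_RE.match(raw)
        if m:
            entries.append((m.group(1).strip(), (m.group(2) or "").strip()))
        else:
            entries.append((raw, ""))  # not an .exe reference; keep it visible
    return entries


def _normalise(path: str) -> str:
    """Fold case and expand the two %variables% commonly seen in this value."""
    low = path.lower()
    return low.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def suspicious_userinit_entries(value: str, expected: str = DEFAULT_USERINIT) -> list[dict]:
    """Return every entry that is not a bare, argument-free expected userinit.exe."""
    findings = []
    for path, args in split_userinit(value):
        if _normalise(path) == _normalise(expected):
            if args:
                findings.append({"path": path, "args": args,
                                 "reason": "arguments appended to userinit.exe"})
            continue
        reason = "extra Userinit entry"
        if "\\users\\" in _normalise(path) or "\\appdata\\" in _normalise(path):
            reason += " under a user profile directory"
        findings.append({"path": path, "args": args, "reason": reason})
    return findings


def check_live_host() -> dict[str, list[dict]]:
    """On Windows, read Userinit from both registry views (this run's write
    landed in the Wow6432Node view) and evaluate each. Returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, hence the late import

    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    results = {}
    for label, flag in (("native", winreg.KEY_WOW64_64KEY),
                        ("wow6432", winreg.KEY_WOW64_32KEY)):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                            winreg.KEY_READ | flag) as key:
            value, _ = winreg.QueryValueEx(key, "Userinit")
        results[label] = suspicious_userinit_entries(value)
    return results


if __name__ == "__main__":
    for f in suspicious_userinit_entries(OBSERVED_USERINIT):
        print(f"{f['reason']}: {f['path']} {f['args']}".rstrip())
    for view, findings in check_live_host().items():
        print(view, findings or "clean")
```

The same split-and-compare works on Userinit values exported from a fleet (registry collection, Autoruns output), where the comparison against the expected default matters more than any single path string: the file name here is xudj.exe, but the durable indicator is a second entry at all.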
Processes (behavioral1 tree; "Level" is the depth number the page prints, the tags are the signatures hit by that process)

Level 1  C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
         cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe"
         PID 2432: Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory

  Level 2  C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
           cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe"
           PID 840: Loads dropped DLL, Suspicious use of WriteProcessMemory

    Level 3  C:\Users\Admin\AppData\Roaming\xudj.exe
             cmd: C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe -dwup
             PID 2956: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory

      Level 4  C:\Users\Admin\AppData\Roaming\xudj.exe
               cmd: C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe -dwup
               PID 2492: Modifies WinLogon for persistence, Executes dropped EXE, Suspicious use of WriteProcessMemory

        Level 5  C:\Users\Admin\AppData\Roaming\xudj.exe
                 cmd: C:\Users\Admin\AppData\Roaming\xudj.exe
                 PID 2604: Executes dropped EXE, Suspicious use of WriteProcessMemory

          Levels 6 and 7, all children of PID 2604. Every process below is C:\Users\Admin\AppData\Roaming\xudj.exe with cmd C:\Users\Admin\AppData\Roaming\xudj.exe and the tag Executes dropped EXE. Each level-6 process additionally carries Suspicious use of SetThreadContext and has exactly one level-7 child, which carries no other tag. The first three level-6 parents also carry Suspicious use of WriteProcessMemory, which matches where the 64-entry WriteProcessMemory list ends.
            Level 6 PID 672  -> Level 7 PID 472   (parent also: Suspicious use of WriteProcessMemory)
            Level 6 PID 2628 -> Level 7 PID 1892  (parent also: Suspicious use of WriteProcessMemory)
            Level 6 PID 2612 -> Level 7 PID 2624  (parent also: Suspicious use of WriteProcessMemory)
            Level 6 PID 1560 -> Level 7 PID 1752
            Level 6 PID 1720 -> Level 7 PID 2964
            Level 6 PID 1160 -> Level 7 PID 828
            Level 6 PID 1768 -> Level 7 PID 1056
            Level 6 PID 292  -> Level 7 PID 636
            Level 6 PID 1760 -> Level 7 PID 1656
            Level 6 PID 2224 -> Level 7 PID 2692
            Level 6 PID 3028 -> Level 7 PID 2568
            Level 6 PID 2560 -> Level 7 PID 2456
            Level 6 PID 2328 -> Level 7 PID 1408
            Level 6 PID 2536 -> Level 7 PID 2880
            Level 6 PID 1580 -> Level 7 PID 1628
            Level 6 PID 284  -> Level 7 PID 572
            Level 6 PID 2076 -> Level 7 PID 2792
            Level 6 PID 2296 -> Level 7 PID 612
            Level 6 PID 2788 -> Level 7 PID 1784
            Level 6 PID 1828 -> Level 7 PID 948
            Level 6 PID 1152 -> Level 7 PID 780
            Level 6 PID 2228 -> Level 7 PID 2648
            Level 6 PID 2348, no child (Executes dropped EXE only)

Reading the chain: the sample (PID 2432) writes into and redirects a thread of a second instance of its own image (PID 840); that instance loads the dropped DLL and launches the %APPDATA% copy xudj.exe (PID 2956) with the original Temp path as its command line plus -dwup, so the command line still names the deleted-looking dropper while the image on disk is xudj.exe. PID 2956 repeats the write-plus-SetThreadContext step on PID 2492, and 2492 is the instance that rewrites the Winlogon Userinit value. PID 2604 then fans out into 22 parent/child pairs of xudj.exe plus one lone instance, each parent setting the thread context of its child.
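The SetThreadContext and WriteProcessMemory signatures and the process tree above are three views of one chain. The Python below is an added example, not code from the sandbox or the sample: it parses the report's own run-together IoC line format, counts WriteProcessMemory calls per parent/child pair, marks the pairs where the parent also called SetThreadContext on the child, and walks the resulting tree from the root PID. The embedded strings are a constructed subset copied from the report (the first six pairs, with the page's one-line-per-call repetition reproduced); the labels "hollowed" and "spawned" are this example's interpretation of write-plus-SetThreadContext versus write-only, not a verdict the sandbox gives.

```python
"""Rebuild the parent/child injection chain from the report's IoC lines.

Added example for this report, not code from the sandbox. SET_CTX_TEXT and
WRITE_TEXT are a constructed subset of the report's two IoC lists; the
'hollowed'/'spawned' labels are this example's own interpretation.
"""
from __future__ import annotations

import re
from collections import defaultdict

# One IoC as the page prints it: "PID <src> <op> <dst> <src> <image> <procid_target>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

SAMPLE = "2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe"

# Constructed subset of the report's "Suspicious use of SetThreadContext" list.
SET_CTX_TEXT = (
    f"PID 2432 set thread context of 840 2432 {SAMPLE} 28 "
    "PID 2956 set thread context of 2492 2956 xudj.exe 30 "
    "PID 672 set thread context of 472 672 xudj.exe 35 "
)

# Constructed subset of the "Suspicious use of WriteProcessMemory" list. The
# page prints one line per call, so the repeat counts reproduce it verbatim.
WRITE_TEXT = (
    f"PID 2432 wrote to memory of 840 2432 {SAMPLE} 28 " * 9
    + f"PID 840 wrote to memory of 2956 840 {SAMPLE} 29 " * 4
    + "PID 2956 wrote to memory of 2492 2956 xudj.exe 30 " * 9
    + "PID 2492 wrote to memory of 2604 2492 xudj.exe 31 " * 6
    + "PID 2604 wrote to memory of 672 2604 xudj.exe 34 " * 4
    + "PID 672 wrote to memory of 472 672 xudj.exe 35 " * 9
)


def parse_iocs(text: str) -> list[tuple[int, str, int, str]]:
    """Return (src_pid, op, dst_pid, src_image) for every IoC in the text."""
    return [(int(m["src"]), m["op"], int(m["dst"]), m["image"])
            for m in IOC_RE.finditer(text)]


def correlate(set_ctx_text: str, write_text: str) -> dict[tuple[int, int], dict]:
    """Per (parent, child): WriteProcessMemory call count, whether the parent
    also called SetThreadContext on that child, and the parent's image name."""
    pairs: dict[tuple[int, int], dict] = defaultdict(
        lambda: {"writes": 0, "set_ctx": False, "parent_image": ""})
    for src, _, dst, image in parse_iocs(write_text):
        pairs[(src, dst)]["writes"] += 1
        pairs[(src, dst)]["parent_image"] = image
    for src, _, dst, image in parse_iocs(set_ctx_text):
        pairs[(src, dst)]["set_ctx"] = True
        pairs[(src, dst)]["parent_image"] = image
    return dict(pairs)


def classify(pairs: dict[tuple[int, int], dict]) -> dict[tuple[int, int], str]:
    """Writes plus a thread-context change on the same child is the call
    pattern of process hollowing (payload written into the child, its main
    thread redirected); writes alone look like an ordinary child launch."""
    labels = {}
    for key, info in pairs.items():
        if info["set_ctx"] and info["writes"]:
            labels[key] = "hollowed"
        elif info["set_ctx"]:
            labels[key] = "set_ctx_only"
        else:
            labels[key] = "spawned"
    return labels


def chain(pairs: dict[tuple[int, int], dict], root: int) -> list[tuple[int, int]]:
    """Depth-first (depth, pid) walk of the parent -> child tree from root."""
    children: dict[int, list[int]] = defaultdict(list)
    for parent, child in pairs:
        children[parent].append(child)
    order: list[tuple[int, int]] = []

    def walk(pid: int, depth: int) -> None:
        order.append((depth, pid))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return order


if __name__ == "__main__":
    pairs = correlate(SET_CTX_TEXT, WRITE_TEXT)
    labels = classify(pairs)
    parent_of = {child: parent for parent, child in pairs}
    for depth, pid in chain(pairs, 2432):
        key = (parent_of.get(pid), pid)
        if key in pairs:
            tag = f"{labels[key]}, {pairs[key]['writes']} writes by {pairs[key]['parent_image']}"
        else:
            tag = "root"
        print("  " * depth + f"PID {pid} [{tag}]")
```

Running it on the full lists from the page gives the same picture the collapsed WriteProcessMemory table shows: nine writes for each pair that is also in the SetThreadContext list, four for the plain launches, and a single linear chain from 2432 down to 2604 before the fan-out.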
Network
MITRE ATT&CK Enterprise v15
Downloads
The submitted sample (same hashes as the General section above):
  Filesize: 2.3MB
  MD5: e1411feac1ed6b50c014247eac55f469
  SHA1: 3f7b89523a51ed6a1a2ff6cff02afa1900ed0080
  SHA256: 78b9f2e1bd4572386c8c0941944ae586020e11d9f1d076101891d3f24c486a40
  SHA512: 965098224638c81d8f64b2003ff73c0c21cc5ab1e4cacf4aa8ea3bb71dd8b3cb208acd6b9f4f6fc2b18acf9c898fee9e42eae2ffc814042602dc924348378afa