Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 17:47
Static task: static1

Behavioral task: behavioral1
- Sample: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe
- Size: 2.3MB
- MD5: e1411feac1ed6b50c014247eac55f469
- SHA1: 3f7b89523a51ed6a1a2ff6cff02afa1900ed0080
- SHA256: 78b9f2e1bd4572386c8c0941944ae586020e11d9f1d076101891d3f24c486a40
- SHA512: 965098224638c81d8f64b2003ff73c0c21cc5ab1e4cacf4aa8ea3bb71dd8b3cb208acd6b9f4f6fc2b18acf9c898fee9e42eae2ffc814042602dc924348378afa
- SSDEEP: 24576:9X/eO4qDtDC6jUoEAyjX/eO4qDAxqdaP+hH0F1tGrqnjlr6jT:0O4kLPyKO4OUPM0FGOVK
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\vkqw.exe -dwup" | vkqw.exe

- Executes dropped EXE (48 IoCs)
  Process: vkqw.exe for every entry
  pids: 2820, 4040, 1372, 392, 4716, 3536, 4780, 1008, 2664, 3248, 1276, 2260, 4888, 4712, 4752, 4580, 1956, 4316, 4352, 3796, 1360, 2028, 3944, 1868, 4372, 3756, 2948, 4504, 1436, 2752, 2784, 2964, 4460, 2284, 1432, 1628, 2936, 2428, 2808, 468, 2300, 2528, 2780, 4160, 3156, 1480, 2228, 3472

- Suspicious use of SetThreadContext (24 IoCs)
  description | pid | Process | procid_target
  PID 2628 set thread context of 564 | 2628 | 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe | 87
  PID 2820 set thread context of 4040 | 2820 | vkqw.exe | 93
  PID 392 set thread context of 4716 | 392 | vkqw.exe | 99
  PID 3536 set thread context of 4780 | 3536 | vkqw.exe | 101
  PID 1008 set thread context of 2664 | 1008 | vkqw.exe | 104
  PID 3248 set thread context of 1276 | 3248 | vkqw.exe | 106
  PID 2260 set thread context of 4888 | 2260 | vkqw.exe | 108
  PID 4712 set thread context of 4752 | 4712 | vkqw.exe | 110
  PID 4580 set thread context of 1956 | 4580 | vkqw.exe | 112
  PID 4316 set thread context of 4352 | 4316 | vkqw.exe | 114
  PID 3796 set thread context of 1360 | 3796 | vkqw.exe | 116
  PID 2028 set thread context of 3944 | 2028 | vkqw.exe | 118
  PID 1868 set thread context of 4372 | 1868 | vkqw.exe | 120
  PID 3756 set thread context of 2948 | 3756 | vkqw.exe | 122
  PID 4504 set thread context of 1436 | 4504 | vkqw.exe | 124
  PID 2752 set thread context of 2784 | 2752 | vkqw.exe | 126
  PID 2964 set thread context of 4460 | 2964 | vkqw.exe | 128
  PID 2284 set thread context of 1432 | 2284 | vkqw.exe | 130
  PID 1628 set thread context of 2936 | 1628 | vkqw.exe | 132
  PID 2428 set thread context of 2808 | 2428 | vkqw.exe | 134
  PID 468 set thread context of 2300 | 468 | vkqw.exe | 136
  PID 2528 set thread context of 2780 | 2528 | vkqw.exe | 138
  PID 4160 set thread context of 3156 | 4160 | vkqw.exe | 140
  PID 1480 set thread context of 2228 | 1480 | vkqw.exe | 142

- Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists each write as a separate IoC; identical rows are grouped here with their number of occurrences (the counts sum to 64).
  description | pid | Process | procid_target | occurrences
  PID 2628 wrote to memory of 564 | 2628 | 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe | 87 | 8
  PID 564 wrote to memory of 2820 | 564 | 2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe | 88 | 3
  PID 2820 wrote to memory of 4040 | 2820 | vkqw.exe | 93 | 8
  PID 4040 wrote to memory of 1372 | 4040 | vkqw.exe | 94 | 5
  PID 1372 wrote to memory of 392 | 1372 | vkqw.exe | 98 | 3
  PID 392 wrote to memory of 4716 | 392 | vkqw.exe | 99 | 8
  PID 1372 wrote to memory of 3536 | 1372 | vkqw.exe | 100 | 3
  PID 3536 wrote to memory of 4780 | 3536 | vkqw.exe | 101 | 8
  PID 1372 wrote to memory of 1008 | 1372 | vkqw.exe | 102 | 3
  PID 1008 wrote to memory of 2664 | 1008 | vkqw.exe | 104 | 8
  PID 1372 wrote to memory of 3248 | 1372 | vkqw.exe | 105 | 3
  PID 3248 wrote to memory of 1276 | 3248 | vkqw.exe | 106 | 4
Processes

Process tree (indentation shows the parent/child level; each entry gives the image path, the PID, the command line and the signatures that fired for it).

C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe (level 1, PID 2628)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe (level 2, PID 564)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vkqw.exe (level 3, PID 2820)
      command line: C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe -dwup
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\vkqw.exe (level 4, PID 4040)
        command line: C:\Users\Admin\AppData\Local\Temp\2024-04-04_e1411feac1ed6b50c014247eac55f469_icedid_ramnit.exe -dwup
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\vkqw.exe (level 5, PID 1372)
          command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 392)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4716)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 3536)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4780)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 1008)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2664)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 3248)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 1276)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2260)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4888)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 4712)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4752)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 4580)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 1956)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 4316)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4352)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 3796)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 1360)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2028)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 3944)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 1868)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4372)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 3756)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2948)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 4504)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 1436)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2752)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2784)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2964)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 4460)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2284)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 1432)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 1628)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2936)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2428)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2808)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 468)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2300)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 2528)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2780)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 4160)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 3156)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 1480)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            C:\Users\Admin\AppData\Roaming\vkqw.exe (level 7, PID 2228)
              command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
              - Executes dropped EXE
          C:\Users\Admin\AppData\Roaming\vkqw.exe (level 6, PID 3472)
            command line: C:\Users\Admin\AppData\Roaming\vkqw.exe
            - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.3MB
- MD5: e1411feac1ed6b50c014247eac55f469
- SHA1: 3f7b89523a51ed6a1a2ff6cff02afa1900ed0080
- SHA256: 78b9f2e1bd4572386c8c0941944ae586020e11d9f1d076101891d3f24c486a40
- SHA512: 965098224638c81d8f64b2003ff73c0c21cc5ab1e4cacf4aa8ea3bb71dd8b3cb208acd6b9f4f6fc2b18acf9c898fee9e42eae2ffc814042602dc924348378afa