Analysis

  • max time kernel
    134s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 20:24

General

  • Target

    2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe

  • Size

    408KB

  • MD5

    ef2a7e2ce9baee7a4d65584eb229cc35

  • SHA1

    a205d264e2835d54c8b4f1a6994469611b370c21

  • SHA256

    428166438360179d95d2921684c9efe3caece80bbb94df10a2de493a7ff5de52

  • SHA512

    ee21ac4bd880677ead9ba39a858ee848e4deb289191c2fb10f40cc5988ecf761122de1e4a47ca388d005beccc2612d863ec63ce3663afe945c119c6bd70ea925

  • SSDEEP

    6144:FznAtGqS5NjM2KbQbNYuhZ+6+eAbuQ5Zu60HnPLhDgWg4ilbz3RG+abSjthrRRTv:FTLnp+BCQ5Zu60HnP129bz33158sSg

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants have included file-infecting viruses, worms, and banking Trojans.

  • UPX dump on OEP (original entry point) 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
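The "UPX packed file" and "UPX dump on OEP" signatures above rest on a simple structural check: UPX leaves its own section names (UPX0/UPX1) and a "UPX!" marker in the file. The script below is an added example, not the sandbox's detector and not code from the report; it builds a small synthetic PE image in memory (so it runs offline and never touches the real sample) and parses the section table the way a packer heuristic would. The `build_pe` helper and its section layouts are constructed for illustration.

```python
"""Heuristic UPX detection from PE section headers.

Added example. It does not parse the sample from the report; it constructs a
minimal PE image with a chosen section table and runs the check on that.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20          # IMAGE_FILE_HEADER
SECTION_HEADER_LEN = 40       # IMAGE_SECTION_HEADER
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image; raise ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_LEN + opt_size                   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_LEN
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if the section names match UPX's layout or the 'UPX!' marker is present."""
    names = pe_section_names(data)
    return bool(UPX_SECTION_NAMES & set(names)) or b"UPX!" in data


def build_pe(section_names, pe32_plus: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE whose section table carries the given names."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32_plus else 0xE0
    machine = 0x8664 if pe32_plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x20B if pe32_plus else 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(
        name.encode().ljust(8, b"\0") + b"\0" * (SECTION_HEADER_LEN - 8)
        for name in section_names
    )
    return bytes(dos) + PE_SIGNATURE + coff + opt + sections


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])           # constructed UPX-style layout
    plain = build_pe([".text", ".rdata", ".data", ".rsrc"])  # constructed MSVC-style layout
    print("UPX-style layout flagged:", looks_upx_packed(packed))
    print("plain layout flagged:    ", looks_upx_packed(plain))
```

The name check is cheap but trivially defeated by a repacked or renamed section table, which is why the report's own rule also covers "modified UPX"; in practice the section-name test is combined with the "UPX!" marker, section entropy, and a dump taken at the original entry point, as the sandbox did here.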

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2660
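The tree above shows the chain a hunter would key on: a sample in the user's Temp directory spawns a companion whose name is its own stem plus "mgr.exe" in the same directory, and that companion, which the report flags for WriteProcessMemory and UnmapMainImage, launches iexplore.exe. The script below is an added example, not the sandbox's detection logic; the process records are constructed from the PIDs and paths shown in this tree (the parent PID of the first process is an assumption, since the report does not list it), and the benign `explorer.exe` chain is constructed as a negative case.

```python
"""Flag a Ramnit-style dropper -> <stem>mgr.exe -> browser chain in a process tree.

Added example. PROCS is constructed from the PIDs, paths and per-process labels
shown in the report; BENIGN is a constructed negative case.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    behaviours: frozenset = field(default_factory=frozenset)


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe")

# Constructed from the report's process tree. ppid 1000 for the first process
# is an assumption; the report does not show its parent.
PROCS = [
    Proc(2300, 1000, SAMPLE,
         frozenset({"Loads dropped DLL", "WriteProcessMemory"})),
    Proc(2516, 2300, SAMPLE[:-4] + "mgr.exe",
         frozenset({"Executes dropped EXE", "AdjustPrivilegeToken",
                    "UnmapMainImage", "WriteProcessMemory"})),
    Proc(1700, 2516, "C:\\Program Files\\Internet Explorer\\iexplore.exe",
         frozenset({"Modifies Internet Explorer settings", "SetWindowsHookEx",
                    "WriteProcessMemory"})),
    Proc(2660, 1700, "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE",
         frozenset({"Modifies Internet Explorer settings", "SetWindowsHookEx"})),
]

# Constructed negative case: the shell launching the browser normally.
BENIGN = [
    Proc(1400, 1000, "C:\\Windows\\explorer.exe"),
    Proc(1500, 1400, "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def children(procs, pid):
    return [p for p in procs if p.ppid == pid]


def find_dropper_chains(procs: list[Proc]) -> list[tuple[int, int, int]]:
    """Return (dropper_pid, companion_pid, browser_pid) triples where
    <dir>\\X.exe spawns <dir>\\Xmgr.exe from a user-writable directory, the
    companion is flagged for WriteProcessMemory, and it spawns a browser."""
    hits = []
    for dropper in procs:
        if not is_user_writable(dropper.image):
            continue
        dpath = PureWindowsPath(dropper.image)
        companion = f"{dpath.stem}mgr.exe".lower()
        for child in children(procs, dropper.pid):
            cpath = PureWindowsPath(child.image)
            if cpath.name.lower() != companion or cpath.parent != dpath.parent:
                continue
            if "WriteProcessMemory" not in child.behaviours:
                continue
            for grandchild in children(procs, child.pid):
                if PureWindowsPath(grandchild.image).name.lower() in BROWSERS:
                    hits.append((dropper.pid, child.pid, grandchild.pid))
    return hits


if __name__ == "__main__":
    for d, m, b in find_dropper_chains(PROCS):
        print(f"Ramnit-like chain: dropper {d} -> companion {m} -> browser {b}")
    print("benign tree hits:", find_dropper_chains(BENIGN))
```

The companion-name rule is deliberately narrow so it stays quiet on ordinary software; the browser-spawn and WriteProcessMemory conditions are what distinguish this from a legitimate helper process, and the second iexplore.exe (the SCODEF/CREDAT child) is IE's normal content process rather than a separate injection target.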

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f9de83f535e7c3db89465dc8de558ed2

    SHA1

    56973984b7d854b26774f29098259491a98c3fcd

    SHA256

    262939e00155ed44c58000cf1707ff85fd1fea3c087578e47640afb65eea072a

    SHA512

    1aced377729e04d73290632825fccebccd4450cdfae67669a1ddb34a33a41a48fca248ce657293a025237447d3da9870c060a8cc18b59fb92c4a22c0a1534b00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ee99c195e69c026e8316439dd9f73eca

    SHA1

    c303d3dd2873f3fa93be42d1710a6f4f4c25b05d

    SHA256

    ebdd20cc5acea081baa2d0ddcffc2c58b472ce1716c491503d9ceef8bca0887e

    SHA512

    86d273fbbd3ee37da79465b0f74658cac9cc65e86cea77dc121fb07b88223945c879170f3033b1b042ab420645601dd2709b3a2229dedc1d7a33f66db2e68e00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4aadb67a35b9691379cc77723044197e

    SHA1

    8a25d31985f569d33208cda41c8d0f573354b620

    SHA256

    b7d7c461ba38dc126eb653e467da67fee7d28ba3857d485c5f895aabfb57f2f7

    SHA512

    bc7d6047c4aaccfa42c2e1599458609988bf20b3831eea728cf10ffeff6412b26d4823a54347a2ab6f34954991fc27fd01b6a0be19cf4fec9e4dd894625c889f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    59944bb02333fb9916d480e418856445

    SHA1

    0cbd73bbf999d7290d2e64c3450e629aa8e9d0ac

    SHA256

    ad18fa6bb1db5d003adb45bbca52f7ceaafa5b8664f6792416cf5b0165874695

    SHA512

    f661c107644d85052129f254d7119933f47c95b4a2eb3c7eb925f68be9efe8d9d82e2d259d9735876b78f17a15fae00f844139ce132a5ebfbeb43cc79c64fafa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0d6c3677ab0cec5a27622076890f6231

    SHA1

    9b43debc58bfd833d727350299c81ccf67baff22

    SHA256

    c1f9ea9f5ff5ea34faa7ed0214e00cc596165c4d9d1d041c5647fd0d794bc5b7

    SHA512

    fac7a2f38d350e8b2cef3fd87da3dfee12c701d0bef89a1e453d2076e24f2df1b3c21c11fc5cea6fd60dec51cbf10616ce937dbb96f5e36a25ab0368a83a2837

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cdd3440fd948a06ae0b6b2270b6bc6c7

    SHA1

    4b6811de46c5af30f7c65611835b4e9c4ab997d6

    SHA256

    3c93dc5a7585f8e72c1b21a6ff11a3c3ba1a65c91aba3a8dce67c6c17d9d0d2f

    SHA512

    f9bb65da9c9d3159a21a4e4702e2e58899de657154e166bcbe6056a0509b1c106299e064dc34cbff82b74804d752b3256a1158b1ad723a514c4a2431a5040f61

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cdb60334acffc9df7c2e156498f532ec

    SHA1

    b56c6112e6b163caa326ca0fca2f12c6eaa1bdb8

    SHA256

    d7cc4bcca95484ddac346da386430cfe830005d1058fa184559fb20e3428ee11

    SHA512

    f5632c737f6d2d7c582e40b9bf6a80329b457f51120718b1c2888aac2370c13c179c14761d6d57d964e2e0d37ffa3e2c0e50f903213da4804a64b476d6afc549

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    286b1102f6b1bc7c6bff148a05d2653f

    SHA1

    8d7cebe26dc566de343c956005ede8fef77d5f2f

    SHA256

    fb0eee772925a42dfeff822ba34982ca05a5f8a304e7f99fb3811eed1b4a2cc8

    SHA512

    7c118d0d5211c7211502beb0ed731eb45395448839fa6339a22e5f84f0f2c994657e5d7922b0bc5a340be196df7c0185a2d78868666bdef585086a3fc8d42134

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4ab748a249f379b4c51fff74bdde61f6

    SHA1

    1f931549a7c381d2bc3130f1bd2f0da7f66a66db

    SHA256

    98a3a973aa62ba90c4daafda4791e699e1dcbbea9febfd4ae975f51329e304ec

    SHA512

    dce400e44f6f8e426026957f31c4bfe46eb27a901461a6242b961a9e53c4cc26c55253f55adc0817237b9589a653f930dbf1e0cbcfc7bce3082066462b1f3f69

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a8cc5701ba15adadbcf3cc091335ed50

    SHA1

    b03110c10ccf1d30a9c3c4baad712c5f80429fda

    SHA256

    617e394ea10c6dc3846ddd7fad4c15f43d7923d92510f6c0810f719ca1673def

    SHA512

    9e4cddfb16c0be0cb7a0a6e5dbd765b94cd834e3a5acff53ecb318e739650ad0508b08057b158425fb8b3d048afe97148eaac711cf1c1e26e42cf07804420b53

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    61d4d78006b87c00d1887e1450a18eda

    SHA1

    3d3b2496a285f48cb28643d3a16efcead24693e4

    SHA256

    2e889e47205330e4d7143901fb53a7402e0122f6c4ee2641884ca4c17ad9169a

    SHA512

    bf8b43981c77d855430894e948795c2e8ec11310f0879c12247f6ed5f386515f35f9e262499c057d6237ede811f4eddc1f38b055efc2b3f72d428ac18f5f44d9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    01eca728862a7ea6ba022884badbb484

    SHA1

    17c2c916c3f2c4b8280c48178a6ffdce73b34379

    SHA256

    1788a0a923b4e60e07f78d3442f9e1216a56c6c2fbf64cf356ea5ebf80bc2a41

    SHA512

    98b0d74d09fe66bb75c44a0f7557ab6f864a27a181b0c2b572326a7245b74a8c1aa1807ac92c7a590635a55d923c950049d4eb8aafe1a07b8c78d17fbfc5a3d3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    00ea6b28e2d9e6de4b66c879e31f960b

    SHA1

    1a3180b16077166f22dffe830df90598e604874c

    SHA256

    7cd31c96e88460ba6cbe32b05269bc2f523e9bcf71898372f2439695d2c65b26

    SHA512

    4137963ca4dcf9e75e88547d5345a37d760ff54648ae4c3770e6e84bbf9971246dbece13cfae05919b83f2f0d9e18094a94df7e747dcfa5980726bfb6ea95b38

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4971441c09fcd0449904ef7ac43d18ed

    SHA1

    41069d163e48541cec7992b4e8d004402e90ee71

    SHA256

    743625fb37fe9c130b91bef34ebfe2e231a16dba9b3122a14807668b5befdb2b

    SHA512

    bc9d06974ec61049f7b33a38ce72ee8166176665729a9d1474e860a7df94d85b578bf5e18a6204006c6661b7335a99102d6b0070fad0afc7a6cb73ca17f49f48

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d6a946b5a7f63b8df42e7d00dadefc84

    SHA1

    2685e29ce70a19559644e7ad813c7e69800cb7fd

    SHA256

    e0b9f451a8d5a227257d2867d2e964aaf6e4ec7fdf736d90c732a3a73761635b

    SHA512

    c54dec50606f2115ca68dd5b5c687d50c54b7be41bd34a58e0ac77d62a6dfeb07f87a01a14af8efb630e7518e601ee8973bb62301e070ffbe31ab74b1e59968f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5cd0962733c0c1bb3c9cae8a4d63a20e

    SHA1

    37d4603463bc4e276951cc49b81cf9c93b898eb8

    SHA256

    25b406ab56c8a3ad45fe243e5d04bcf54c1a52a346fe05f13b2565b8df62e5b3

    SHA512

    cb7aef8038b0a794c184fd475f176fb4e3400550f197be026613b5a6c05bffd699e074f66c07083646dbecd9e8ac91ade80a2376932aca41b1828a6cab6af840

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8e6983fe07d8376b4638948478cb4792

    SHA1

    e9cfe6903da964eeb1747bc11c430a90aba5e3af

    SHA256

    c80e1c53c0ad7dad667f6163e465a31114a554d3bbac035a02793273b4876c77

    SHA512

    9d8868fe54a1b8f452c3b532247d04a4b14706d811e9f114f010fea913bfe61a9b7faf7288c0af09234468a90c973992acc5ffef0017699a72a16a90080b3dea

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    18e98894f339fa051c21ae9f9af49d56

    SHA1

    1a92ad62ecf24816d15f3a1076039497b15f8db3

    SHA256

    3ef6cd998ed4638541120647bd283eb5f6f92e6f7a13aa15ab289c4c464df1dd

    SHA512

    afc798f0eaf7b0018e6c1ff7c1b1588e9d1d1a088dc1b4478ec018ec91ce9b0b0f62efe9272ed124125f4f0929c689366c59ce3fbc1d78a4f76896896058a04f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    002ecdfca55473352267504f9d5cc336

    SHA1

    00851c3806ccae654eefdd416e2979510147fd97

    SHA256

    1f306f198702841b12e0acd2e941dc845fea4531a9bf47a6febbb59af6049320

    SHA512

    a7c83146b02506c2d5de90b8518cf920d7eeb504cb30f625f6c3d85a9a5e44f46b27b84ee18c4be73bed6ab93f6ed113410d992d8f7a530fc0c319bd25631694

  • C:\Users\Admin\AppData\Local\Temp\Cab321B.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar330C.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
    Filesize

    112KB

    MD5

    795f2a9209e88f0a2d693c7ad06915b1

    SHA1

    ab5bf0ed7e83e913fac8981f5047824840c4a859

    SHA256

    e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148

    SHA512

    fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0

  • memory/2300-25-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize

    440KB

  • memory/2300-0-0x0000000000400000-0x000000000046E000-memory.dmp
    Filesize

    440KB

  • memory/2300-10-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize

    72KB

  • memory/2300-9-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize

    72KB

  • memory/2516-16-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-15-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-17-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-11-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/2516-12-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-14-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-20-0x0000000077B3F000-0x0000000077B40000-memory.dmp
    Filesize

    4KB

  • memory/2516-22-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-24-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/2516-21-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize

    4KB

  • memory/2516-13-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2516-18-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB