Analysis
- max time kernel: 78s
- max time network: 87s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 20:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe
- Resource: win7-20240221-en
General
- Target: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe
- Size: 408KB
- MD5: ef2a7e2ce9baee7a4d65584eb229cc35
- SHA1: a205d264e2835d54c8b4f1a6994469611b370c21
- SHA256: 428166438360179d95d2921684c9efe3caece80bbb94df10a2de493a7ff5de52
- SHA512: ee21ac4bd880677ead9ba39a858ee848e4deb289191c2fb10f40cc5988ecf761122de1e4a47ca388d005beccc2612d863ec63ce3663afe945c119c6bd70ea925
- SSDEEP: 6144:FznAtGqS5NjM2KbQbNYuhZ+6+eAbuQ5Zu60HnPLhDgWg4ilbz3RG+abSjthrRRTv:FTLnp+BCQ5Zu60HnP129bz33158sSg
Malware Config
Signatures
- UPX dump on OEP (original entry point): 6 IoCs
  Processes (resource, yara_rule):
  - behavioral2/memory/772-7-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
  - behavioral2/memory/772-8-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
  - behavioral2/memory/772-14-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
  - behavioral2/memory/772-13-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
  - behavioral2/memory/772-15-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
  - behavioral2/memory/772-10-0x0000000000400000-0x000000000041A000-memory.dmp: UPX
- Executes dropped EXE: 1 IoC
  Processes (pid, process):
  - 772: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
- Processes (resource, yara_rule):
  - behavioral2/memory/772-7-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-8-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-6-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-14-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-13-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-15-0x0000000000400000-0x000000000041A000-memory.dmp: upx
  - behavioral2/memory/772-20-0x0000000000400000-0x0000000000412000-memory.dmp: upx
  - behavioral2/memory/772-10-0x0000000000400000-0x000000000041A000-memory.dmp: upx
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion [iexplore.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" [iexplore.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch [iexplore.exe]
  - Set value (data): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 [iexplore.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" [IEXPLORE.EXE]
  - Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" [iexplore.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive [iexplore.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main [IEXPLORE.EXE]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery [iexplore.exe]
  - Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424385725" [iexplore.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main [iexplore.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" [iexplore.exe]
  - Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" [iexplore.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU [IEXPLORE.EXE]
  - Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B7B222AA-28F9-11EF-9519-E20E9B62A9C1} = "0" [iexplore.exe]
- Suspicious behavior: EnumeratesProcesses: 8 IoCs
  Processes (pid, process):
  - 772: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe (listed 8 times)
- Suspicious use of AdjustPrivilegeToken: 1 IoC
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 772: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
- Suspicious use of FindShellTrayWindow: 1 IoC
  Processes (pid, process):
  - 4104: iexplore.exe
- Suspicious use of SetWindowsHookEx: 6 IoCs
  Processes (pid, process):
  - 4104: iexplore.exe (listed 2 times)
  - 1400: IEXPLORE.EXE (listed 4 times)
- Suspicious use of UnmapMainImage: 1 IoC
  Processes (pid, process):
  - 772: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
- Suspicious use of WriteProcessMemory: 8 IoCs
  Processes (description, pid, process, target process):
  - PID 1976 wrote to memory of 772: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe -> 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe (listed 3 times)
  - PID 772 wrote to memory of 4104: 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe -> iexplore.exe (listed 2 times)
  - PID 4104 wrote to memory of 1400: iexplore.exe -> IEXPLORE.EXE (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4104 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
  Filesize: 112KB
  MD5: 795f2a9209e88f0a2d693c7ad06915b1
  SHA1: ab5bf0ed7e83e913fac8981f5047824840c4a859
  SHA256: e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148
  SHA512: fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0
- memory/772-15-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-19-0x0000000077BF2000-0x0000000077BF3000-memory.dmp (Filesize: 4KB)
- memory/772-7-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-8-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-6-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-14-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-5-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/772-10-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-13-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/772-17-0x0000000077BF2000-0x0000000077BF3000-memory.dmp (Filesize: 4KB)
- memory/772-11-0x0000000000690000-0x0000000000691000-memory.dmp (Filesize: 4KB)
- memory/772-20-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/772-16-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
- memory/1976-0-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/1976-12-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)