Malware Analysis Report

2024-09-09 16:53

Sample ID 240612-y6pa3ssfmr
Target 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit
SHA256 428166438360179d95d2921684c9efe3caece80bbb94df10a2de493a7ff5de52
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

428166438360179d95d2921684c9efe3caece80bbb94df10a2de493a7ff5de52

Threat Level: Known bad

The file 2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 20:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 20:24

Reported

2024-06-12 20:26

Platform

win10v2004-20240508-en

Max time kernel

78s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424385725" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B7B222AA-28F9-11EF-9519-E20E9B62A9C1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1976 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 1976 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 1976 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 772 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 772 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4104 wrote to memory of 1400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4104 wrote to memory of 1400 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4104 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp

Files

memory/1976-0-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

MD5 795f2a9209e88f0a2d693c7ad06915b1
SHA1 ab5bf0ed7e83e913fac8981f5047824840c4a859
SHA256 e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148
SHA512 fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0

memory/772-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/772-7-0x0000000000400000-0x000000000041A000-memory.dmp

memory/772-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/772-6-0x0000000000400000-0x000000000041A000-memory.dmp

memory/772-14-0x0000000000400000-0x000000000041A000-memory.dmp

memory/772-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/772-15-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1976-12-0x0000000000400000-0x000000000046E000-memory.dmp

memory/772-17-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

memory/772-19-0x0000000077BF2000-0x0000000077BF3000-memory.dmp

memory/772-20-0x0000000000400000-0x0000000000412000-memory.dmp

memory/772-16-0x0000000000060000-0x0000000000061000-memory.dmp

memory/772-11-0x0000000000690000-0x0000000000691000-memory.dmp

memory/772-10-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 20:24

Reported

2024-06-12 20:26

Platform

win7-20240221-en

Max time kernel

134s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B7B2D161-28F9-11EF-87C3-6E6327E9C5D7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424385714" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2300 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 2300 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 2300 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 2300 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe
PID 2516 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1700 wrote to memory of 2660 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1700 wrote to memory of 2660 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1700 wrote to memory of 2660 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1700 wrote to memory of 2660 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2300-0-0x0000000000400000-0x000000000046E000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-06-12_ef2a7e2ce9baee7a4d65584eb229cc35_icedid_ramnitmgr.exe

MD5 795f2a9209e88f0a2d693c7ad06915b1
SHA1 ab5bf0ed7e83e913fac8981f5047824840c4a859
SHA256 e01112d41987115913c0599fd01921fb4ff1eab86a5b5c8e19514fdad8ec5148
SHA512 fc5faddb8ce01c7d1b74f971ae0ae7f161285d93a426e3436d4395153bf553a61d981a16cf59c788d924a85b6a339aa405a2119168288bd35d6712f1efabd2b0

memory/2516-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2300-10-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2300-9-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2516-15-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-17-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-16-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-14-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-18-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2516-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-21-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2516-24-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2516-22-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2516-20-0x0000000077B3F000-0x0000000077B40000-memory.dmp

memory/2300-25-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2516-12-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab321B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar330C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e6983fe07d8376b4638948478cb4792
SHA1 e9cfe6903da964eeb1747bc11c430a90aba5e3af
SHA256 c80e1c53c0ad7dad667f6163e465a31114a554d3bbac035a02793273b4876c77
SHA512 9d8868fe54a1b8f452c3b532247d04a4b14706d811e9f114f010fea913bfe61a9b7faf7288c0af09234468a90c973992acc5ffef0017699a72a16a90080b3dea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9de83f535e7c3db89465dc8de558ed2
SHA1 56973984b7d854b26774f29098259491a98c3fcd
SHA256 262939e00155ed44c58000cf1707ff85fd1fea3c087578e47640afb65eea072a
SHA512 1aced377729e04d73290632825fccebccd4450cdfae67669a1ddb34a33a41a48fca248ce657293a025237447d3da9870c060a8cc18b59fb92c4a22c0a1534b00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee99c195e69c026e8316439dd9f73eca
SHA1 c303d3dd2873f3fa93be42d1710a6f4f4c25b05d
SHA256 ebdd20cc5acea081baa2d0ddcffc2c58b472ce1716c491503d9ceef8bca0887e
SHA512 86d273fbbd3ee37da79465b0f74658cac9cc65e86cea77dc121fb07b88223945c879170f3033b1b042ab420645601dd2709b3a2229dedc1d7a33f66db2e68e00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4aadb67a35b9691379cc77723044197e
SHA1 8a25d31985f569d33208cda41c8d0f573354b620
SHA256 b7d7c461ba38dc126eb653e467da67fee7d28ba3857d485c5f895aabfb57f2f7
SHA512 bc7d6047c4aaccfa42c2e1599458609988bf20b3831eea728cf10ffeff6412b26d4823a54347a2ab6f34954991fc27fd01b6a0be19cf4fec9e4dd894625c889f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59944bb02333fb9916d480e418856445
SHA1 0cbd73bbf999d7290d2e64c3450e629aa8e9d0ac
SHA256 ad18fa6bb1db5d003adb45bbca52f7ceaafa5b8664f6792416cf5b0165874695
SHA512 f661c107644d85052129f254d7119933f47c95b4a2eb3c7eb925f68be9efe8d9d82e2d259d9735876b78f17a15fae00f844139ce132a5ebfbeb43cc79c64fafa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d6c3677ab0cec5a27622076890f6231
SHA1 9b43debc58bfd833d727350299c81ccf67baff22
SHA256 c1f9ea9f5ff5ea34faa7ed0214e00cc596165c4d9d1d041c5647fd0d794bc5b7
SHA512 fac7a2f38d350e8b2cef3fd87da3dfee12c701d0bef89a1e453d2076e24f2df1b3c21c11fc5cea6fd60dec51cbf10616ce937dbb96f5e36a25ab0368a83a2837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdd3440fd948a06ae0b6b2270b6bc6c7
SHA1 4b6811de46c5af30f7c65611835b4e9c4ab997d6
SHA256 3c93dc5a7585f8e72c1b21a6ff11a3c3ba1a65c91aba3a8dce67c6c17d9d0d2f
SHA512 f9bb65da9c9d3159a21a4e4702e2e58899de657154e166bcbe6056a0509b1c106299e064dc34cbff82b74804d752b3256a1158b1ad723a514c4a2431a5040f61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdb60334acffc9df7c2e156498f532ec
SHA1 b56c6112e6b163caa326ca0fca2f12c6eaa1bdb8
SHA256 d7cc4bcca95484ddac346da386430cfe830005d1058fa184559fb20e3428ee11
SHA512 f5632c737f6d2d7c582e40b9bf6a80329b457f51120718b1c2888aac2370c13c179c14761d6d57d964e2e0d37ffa3e2c0e50f903213da4804a64b476d6afc549

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 286b1102f6b1bc7c6bff148a05d2653f
SHA1 8d7cebe26dc566de343c956005ede8fef77d5f2f
SHA256 fb0eee772925a42dfeff822ba34982ca05a5f8a304e7f99fb3811eed1b4a2cc8
SHA512 7c118d0d5211c7211502beb0ed731eb45395448839fa6339a22e5f84f0f2c994657e5d7922b0bc5a340be196df7c0185a2d78868666bdef585086a3fc8d42134

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ab748a249f379b4c51fff74bdde61f6
SHA1 1f931549a7c381d2bc3130f1bd2f0da7f66a66db
SHA256 98a3a973aa62ba90c4daafda4791e699e1dcbbea9febfd4ae975f51329e304ec
SHA512 dce400e44f6f8e426026957f31c4bfe46eb27a901461a6242b961a9e53c4cc26c55253f55adc0817237b9589a653f930dbf1e0cbcfc7bce3082066462b1f3f69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8cc5701ba15adadbcf3cc091335ed50
SHA1 b03110c10ccf1d30a9c3c4baad712c5f80429fda
SHA256 617e394ea10c6dc3846ddd7fad4c15f43d7923d92510f6c0810f719ca1673def
SHA512 9e4cddfb16c0be0cb7a0a6e5dbd765b94cd834e3a5acff53ecb318e739650ad0508b08057b158425fb8b3d048afe97148eaac711cf1c1e26e42cf07804420b53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61d4d78006b87c00d1887e1450a18eda
SHA1 3d3b2496a285f48cb28643d3a16efcead24693e4
SHA256 2e889e47205330e4d7143901fb53a7402e0122f6c4ee2641884ca4c17ad9169a
SHA512 bf8b43981c77d855430894e948795c2e8ec11310f0879c12247f6ed5f386515f35f9e262499c057d6237ede811f4eddc1f38b055efc2b3f72d428ac18f5f44d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01eca728862a7ea6ba022884badbb484
SHA1 17c2c916c3f2c4b8280c48178a6ffdce73b34379
SHA256 1788a0a923b4e60e07f78d3442f9e1216a56c6c2fbf64cf356ea5ebf80bc2a41
SHA512 98b0d74d09fe66bb75c44a0f7557ab6f864a27a181b0c2b572326a7245b74a8c1aa1807ac92c7a590635a55d923c950049d4eb8aafe1a07b8c78d17fbfc5a3d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00ea6b28e2d9e6de4b66c879e31f960b
SHA1 1a3180b16077166f22dffe830df90598e604874c
SHA256 7cd31c96e88460ba6cbe32b05269bc2f523e9bcf71898372f2439695d2c65b26
SHA512 4137963ca4dcf9e75e88547d5345a37d760ff54648ae4c3770e6e84bbf9971246dbece13cfae05919b83f2f0d9e18094a94df7e747dcfa5980726bfb6ea95b38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4971441c09fcd0449904ef7ac43d18ed
SHA1 41069d163e48541cec7992b4e8d004402e90ee71
SHA256 743625fb37fe9c130b91bef34ebfe2e231a16dba9b3122a14807668b5befdb2b
SHA512 bc9d06974ec61049f7b33a38ce72ee8166176665729a9d1474e860a7df94d85b578bf5e18a6204006c6661b7335a99102d6b0070fad0afc7a6cb73ca17f49f48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6a946b5a7f63b8df42e7d00dadefc84
SHA1 2685e29ce70a19559644e7ad813c7e69800cb7fd
SHA256 e0b9f451a8d5a227257d2867d2e964aaf6e4ec7fdf736d90c732a3a73761635b
SHA512 c54dec50606f2115ca68dd5b5c687d50c54b7be41bd34a58e0ac77d62a6dfeb07f87a01a14af8efb630e7518e601ee8973bb62301e070ffbe31ab74b1e59968f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cd0962733c0c1bb3c9cae8a4d63a20e
SHA1 37d4603463bc4e276951cc49b81cf9c93b898eb8
SHA256 25b406ab56c8a3ad45fe243e5d04bcf54c1a52a346fe05f13b2565b8df62e5b3
SHA512 cb7aef8038b0a794c184fd475f176fb4e3400550f197be026613b5a6c05bffd699e074f66c07083646dbecd9e8ac91ade80a2376932aca41b1828a6cab6af840

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18e98894f339fa051c21ae9f9af49d56
SHA1 1a92ad62ecf24816d15f3a1076039497b15f8db3
SHA256 3ef6cd998ed4638541120647bd283eb5f6f92e6f7a13aa15ab289c4c464df1dd
SHA512 afc798f0eaf7b0018e6c1ff7c1b1588e9d1d1a088dc1b4478ec018ec91ce9b0b0f62efe9272ed124125f4f0929c689366c59ce3fbc1d78a4f76896896058a04f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 002ecdfca55473352267504f9d5cc336
SHA1 00851c3806ccae654eefdd416e2979510147fd97
SHA256 1f306f198702841b12e0acd2e941dc845fea4531a9bf47a6febbb59af6049320
SHA512 a7c83146b02506c2d5de90b8518cf920d7eeb504cb30f625f6c3d85a9a5e44f46b27b84ee18c4be73bed6ab93f6ed113410d992d8f7a530fc0c319bd25631694