Overview

overview

10

Static

static

3

2024-09-26...it.exe

windows7-x64

10

2024-09-26...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/09/2024, 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnit.exe

  • Size

    592KB

  • MD5

    c5e8350dca8ec1ac3db0e4af9b4df289

  • SHA1

    e746f6e659cb794549b82c922d0ba3f289dd67c5

  • SHA256

    34684017d19d2f7b106da522a22f34bb55848808213f8b25b9acb1d174e9e32d

  • SHA512

    4866acffd0ee956e4f793feaf20fb08eb366fdbcc533c305ef3679741851153525334c6182343ec523ec9ab60cbf499bb032f0c6bcf870e6dade4377bed16c4d

  • SSDEEP

    6144:yfqGm/TYtUcxGDaFIJyYLBDCzAUtpvhM1sdLhtloVWNV6a0hsp:yC5/M6uGW0ybnviaKYNVusp

Score
10/10
bdaejecramnitaspackv2backdoorbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnit.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 492
        3⤵
        • Program crash
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\jynrxZ.exe
      C:\Users\Admin\AppData\Local\Temp\jynrxZ.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50bb69db.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4460 -ip 4460
    1⤵
      PID:4628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2024-09-26_c5e8350dca8ec1ac3db0e4af9b4df289_icedid_ramnitmgr.exe
      Filesize

      354KB

      MD5

      a8245f71e4e4aff10e574300abd2bcc2

      SHA1

      7ea3ae53a0697e526c6bc877b103b390af042d7a

      SHA256

      7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

      SHA512

      8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\391F4C93.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\50bb69db.bat
      Filesize

      187B

      MD5

      ef8aa5ddd42d3a6cc1de0f9ca03da30e

      SHA1

      019f109ff1bd7e5978c80f37c091c20cdab25e98

      SHA256

      c7981a72e89d246aa54fec9706bb961a5354b499b9a946122464eaf7b0874ea6

      SHA512

      c37ab8bc04923aa91f6514d05bd72661d80fcdf763e2e942abd322494294cd10ebecd014205cfea07f85626cbc9734d9caee44ec6ab147eccaab618fecf73752

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jynrxZ.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~TMBA28.tmp
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit

    • memory/960-0-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/960-16-0x0000000000400000-0x0000000000498000-memory.dmp

      Filesize

      608KB

      Download

    • memory/4460-7-0x0000000000400000-0x000000000045C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4460-11-0x0000000000400000-0x000000000045C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4588-10-0x0000000000150000-0x0000000000159000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4588-59-0x0000000000150000-0x0000000000159000-memory.dmp

      Filesize

      36KB

      Download