Analysis Overview
SHA256
868fb51e2ac813658c149757ebc267475ebe3f05e45925600b12b7a28635dfe6
Threat Level: Known bad
The file 2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit was found to be: Known bad.
Malicious Activity Summary
Ramnit
Ramnit family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 11:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 11:26
Reported
2024-11-15 11:29
Platform
win7-20241010-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px9A2D.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437831857" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74DBFAE1-A344-11EF-B985-56CF32F83AF3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 11:26
Reported
2024-11-15 11:28
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px8750.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1218289201" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1212351417" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{73C6665D-A344-11EF-BDBF-E6FB6C85BB83} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1212351417" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438434961" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |