Analysis Overview
SHA256
0ef82d9f481f03f6695aeb60442b1793a30db4d7bc03110cd674d24246464f50
Threat Level: Known bad
The file 2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 11:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 11:28
Reported
2024-11-15 11:31
Platform
win7-20240903-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxDD93.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA138051-A344-11EF-9B14-7ED3796B1EC0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437831999" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/276-0-0x0000000000400000-0x0000000000631000-memory.dmp
\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
| Hash | Value |
| --- | --- |
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/276-5-0x0000000000640000-0x000000000066E000-memory.dmp
memory/1416-10-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1416-9-0x0000000000240000-0x000000000024F000-memory.dmp
memory/352-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/352-20-0x0000000000400000-0x000000000042E000-memory.dmp
memory/352-22-0x0000000000400000-0x000000000042E000-memory.dmp
memory/352-19-0x0000000000240000-0x0000000000241000-memory.dmp
memory/352-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/276-23-0x0000000000400000-0x0000000000631000-memory.dmp
memory/276-24-0x0000000000640000-0x000000000066E000-memory.dmp
memory/276-25-0x0000000000400000-0x0000000000631000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 11:28
Reported
2024-11-15 11:31
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\px5A55.tmp | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2681643065" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438435107" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2678049281" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2678049281" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2681643065" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CAD47D8A-A344-11EF-AF2A-DA61A5E71E4E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/692-0-0x0000000000400000-0x0000000000631000-memory.dmp
memory/4268-4-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
| Hash | Value |
| --- | --- |
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/4268-6-0x00000000005C0000-0x00000000005CF000-memory.dmp
memory/4268-7-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3528-12-0x0000000000570000-0x0000000000571000-memory.dmp
memory/3528-13-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3528-15-0x0000000000400000-0x000000000042E000-memory.dmp
memory/692-17-0x0000000000400000-0x0000000000631000-memory.dmp
memory/692-18-0x0000000000400000-0x0000000000631000-memory.dmp