Overview

overview

10

Static

static

3

2025-02-27...it.exe

windows7-x64

10

2025-02-27...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnit.exe

  • Size

    983KB

  • MD5

    1754da651c93a95229d9a0d1eb630d2e

  • SHA1

    327cad13da8d5aee3039a0752ecfdd8b0e71f49e

  • SHA256

    c43c5a8737c374e992fe42d48e47afebc332808ae67c3cb518a6bd423e01de0c

  • SHA512

    c84029e04ebf3a6ae7a9e3aa4276b422f9e5eef46580ab35ed0ad484de9e72ec4b5493237832a01401c45aba8553d729247b49c7d0b19f01e930183183f5b565

  • SSDEEP

    24576:QXpbIepQsZap5bUT5DOUY0xSZyqjTJRP/nsweyBVoxGqv/53rpGO5+MiG8juEgYr:QX+4QsZapWTNOcUyqUEgW

Score
10/10
emotetramnitepoch2bankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

68.44.137.144:443

82.223.70.24:8080

101.187.104.105:80

178.20.74.212:80

98.15.140.226:80

209.97.168.52:8080

74.208.45.104:8080

169.239.182.217:8080

176.111.60.55:8080

87.106.136.232:8080

46.105.131.69:443

93.51.50.171:8080

62.75.187.192:8080

185.94.252.104:443

190.160.53.126:80

50.116.86.205:8080

80.102.134.174:8080

110.145.77.103:80

113.160.130.116:8443

60.130.173.117:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2952
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8dabe0d5e1e7aee064207b2d0f49b16e

    SHA1

    48ae0c7a10a71a615b0e8aec5261f659ce503dd8

    SHA256

    4a5711b5271c195b97a4eb6ced1759c096c25216a48019abc122e7b8c7a19d37

    SHA512

    1d151d216aee36d97c3fa64c50c7afa35bc43809cf5111b4ec1e22dc2582da497c793c2aaf354b72c091386664286287260949a3d68456107dcf64f63c09ecd1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e277d6de0ad82dfb8a824eff2fb3dae2

    SHA1

    3ce0a41a644a54b5f118c9075857745ecbda2c9f

    SHA256

    9c02876dad2574119ef85f8d0353ca8a70e7711ada001635c8279fd138dfd92a

    SHA512

    00e42e01f30157aa1b09ae3a0823658bdc074a1d3a30f5acc2fe12e34c93b1e06b019e0a14ea46ada96f5e2314b140aec4597a1e0f0c5cf6cdbb92326808fef3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9ca66ef28b0edcbcf152278e5183064c

    SHA1

    9dc766b729337e496b47f71819079c6658bd0fb9

    SHA256

    4e45df74415108545f687cced53c1bd060b6d1077dc16e4662f54084577ad5e0

    SHA512

    3c251540510fdce23bbb0f4f5a1ca888fdaaad754eb12653bf1b1c328d0e0cd806f1f8282507ba281c79457c1ca8e5861c71d6e7b2b2afb5df0a51adc58d494c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d3f37800614b526ada0a4300f70e0ec9

    SHA1

    37b1a75d8edd7e34fb60d1a4ecb3f03569de3e15

    SHA256

    4b45280ad4bb5e37425592ee21132ef49f09a4a19c7e670bb97e5c6a774d4d42

    SHA512

    0a9c3eac344c3437d42119182ce1d90c890f373f010c32b51128308fb23b45574d110e6b5d2df8fbd94b28a0f9db67979b97149862a4de7a93bfa7010ebc829b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e01fb66465003d378e75d9ad6c453837

    SHA1

    0d2e5df4bab4574ff607ddc084aadf6e5ae7e7ad

    SHA256

    2ca2970018e24f65257382423da4ab95077e8c5114a1e1c97e3ec34a8cd31ce3

    SHA512

    9166a818310e5b3ccf8d862c9a346e353f5244e414f7e512e368494b29ecd80dd1aeaaa162abb0af2be5e0255586635e418770708592f70e5206a872fa32d404

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    42bd83cd64b9549e378d278a99a5352e

    SHA1

    552b7dadeed65d48ec7fa176a6069c39aeb6550c

    SHA256

    d983906224d94d09bdb047921225392013768d158d913897d55b651601aa9157

    SHA512

    d16f92e337ef2b7eb8e039935e13c3346973ea7a4012528dccc772db9ee33cab842ff2bd30fd816d72c500017ec08f2cbacdc24c0b9f877846ad2350dda21785

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7ad91a8f07d116a3e288d8037f1de857

    SHA1

    99292fb08df8f7d1eff0992773ff928b3e40e7b4

    SHA256

    dbf7b9f9a27a6c62b42fffd18f400a4bd89caea5d3151c57e5629a0c45ce9a81

    SHA512

    e03ab27a272737a24c1a151fb93ad282e55f3647b47968831657315f877fab316a5f9f4ad40f375597ed35fbdeae1180b21f62dcd55dc221f4d593567f67ee62

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ff0bd219f0d492b4cc0673d2b4e308ed

    SHA1

    3f062e4995966f96a766b8184ea8629b1e7fc33a

    SHA256

    72e86b7e07a7ef342576b4195ba81d8f69daab37ce1af09e6e231e5997c7a3a6

    SHA512

    949742c725c91db8016aa21a62c524df5a0880070c1d2db494e010bc1e517a8e171d661d24e0f34258156d32016f0e5c9d9a7d2ddc38098eb443810d950327a9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5fc1fe5d5a655859518aec023adfa574

    SHA1

    2d4c75f86949ef09e5bd54c774fc70e58ecc2e5f

    SHA256

    1e6d628d9fe57cad17bdf12dde3e8c94fb8a0f9dcee97221d2fe326f47ba4cc3

    SHA512

    bb3aac2031e5f1a7cd657c5ca7606d2fce9a7c926e5c74aea0a0127ab911d5da46570db013f49b0c55be73d3260704eb70e6f571e8d79879feba943df69f7de1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8b86a9726cda7f912c4698a51e09a360

    SHA1

    af32ef66b1da84f54b654022586f69665106669b

    SHA256

    0673fb0a1f4c24de9b98ee0eaa028a73df1a9de25aa280e2c524f8eee6ad1292

    SHA512

    22209f01672568901febaed5724713c2f868ee405d2e1c43c0e9ce1f55d096b7b93365aa3424ac0a8b7cd241b468f45b9a475c93993d2e45e8a701cecdc97b6a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e236a247ca5734af827b5881cdb174bc

    SHA1

    02127885bbaebbcabe51e11b1d1696bef8d6ea5d

    SHA256

    0f7afdf649e8bf4aeb0b8905e05963200749b45ae307dc2a93a51fed27bb60ce

    SHA512

    2bb819193c33e689e462f96b54d453231b4c49dbc068bd19c39c7740bb10b77f79c0dde9eb379ef131c6061da45be7ed7c3855c5ee407cc471e852a4076cb018

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    29d4db4aee5cf365e91c09c062a768b5

    SHA1

    f64203cc764fcf7a2d540ce51c6f3cd80bcf51ca

    SHA256

    857b6f8720a2692d76656d69406b7c5ce04dbd45a97823980041c8447d104020

    SHA512

    9d22933ad93b69b25b1fe9c76067034c1a5da3c87434c4e00508747db08352d254f535b3e0d2739637807ec9fe91f38549cc490e44417072089bfc289dd15b88

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    36102d688516d94d16dd16dad34d0203

    SHA1

    ca70b95c5fd2c9728700f4adb4aad20fb89c9682

    SHA256

    7144f66dfa76f0102adcb8bba23831fc2b505573a89ad5bc1f675dbebde7e00f

    SHA512

    f6805050f67ec6a5c3054f6b576a3ba5fa0a59a720aa4204c99d751f0e399e7ec2d56345a7c3d7acf665a53a13cb2dd21a947f043a8a73f6fd17ce7d4dcd0f40

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    57adada2511d9a183d112d6e61dd237e

    SHA1

    e70b8c5376e4af706958454bb018d9f250216ae7

    SHA256

    9fd66d80ba6b4e3590c9f2499dc7672d0a595db4a175a6733bec903c0030cbfd

    SHA512

    e2e088eca701434dc2b12af336473577ca01b0f22112716edae85929cef8c5af2a00ec3193f78fa71500676c046997e44cbf49f90bf80b61f2349a017cbb45f9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    60898a1170fc9949ab9123cd0e30fa0a

    SHA1

    337f68ba582a756d117846014f3b7acbb87fb46d

    SHA256

    7be561f568453773c7607c179b151355204cefc13f59d63370fc4c4e8afbf383

    SHA512

    a1bc25a0f649f6752ec3f1afd7f1b56a48217756df8516908c0f49dcff9336cf198c06803f80992a516c6826a4205e7328e0bb2e8188b31ce7aec5a6ef9611a9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1fdd08a96399a5e7964a773e960f47a7

    SHA1

    7c3e2e6e61e7a1e3d62a844ea5b9f97120bac1b3

    SHA256

    75d451a33caa0d1d3d29431d0a319bfb7725e5271a6202ff8a94b6ad524e82be

    SHA512

    c64efb1bd4c2655a0939c1ebe6a5262ff50944c27ba923a4093abc3ecefb97a7abcd06b73a117e8a9b8b9480c945f89f015197796cf1ce3521061b5f12c78e10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4070ef04c795a4041ec3e4c37f4cf902

    SHA1

    db229aeb2f67b79eb64aa5348756744c06ad766a

    SHA256

    cfc5264edeef8be7ef6e4c67457db56393a88d862529c27fd0a75ee7e05b4a00

    SHA512

    d8624c571c0a140d355a71f68b196644eb28247cbc522823477a3f3edf72552fdee8cde0c73b15ef4e2014b28e9c582d82499790393a9c2e6c9d286eab9e2843

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    00914a34b15a7bddc689a24ce1edcb4f

    SHA1

    230f47389c8a04fc547520ae92a67a14eb5d9503

    SHA256

    a94697cba37afde78494e7fb121793f3b87e1daa731f1933311d710c0afbb46f

    SHA512

    69089430c026466d61886e36e8cc2ff806aaaca41e797f4c62e697754e024f10856fc83ef170261893297dcd690826ca98e70937362662e4373921e438f662df

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{087583D1-F4D4-11EF-B20A-C60424AAF5E1}.dat
    Filesize

    5KB

    MD5

    ec7ec92edae094304908f5f7f4970d96

    SHA1

    ed04e84d8c49a95fc144ce597151beb3b939f1b3

    SHA256

    77ec39072b8db58b9e2e0cbe1a9d27e82958648f43ef5048f06661d24f2c28d7

    SHA512

    da6feea5c5f1d8f976e0669fdcd1b78b4abd96b3d41a2090262c155839d376d34a1e615ea47a145beb84324fd18f0632a6786a0e4d542784736c9a964b2e5bdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{087A4691-F4D4-11EF-B20A-C60424AAF5E1}.dat
    Filesize

    5KB

    MD5

    6bad32015969f9283a8e2d44964413d5

    SHA1

    72d6cc12a3bf879e1c6e8ded6ee2c923d5e28727

    SHA256

    3ef47ac67d4ae3cf5ead3da16c8ed14e39c856529fec6acd367667d2497b3068

    SHA512

    3758408222007511f496b3feb3b8aa98085564c57d1d057f163fa69761574e5ab79b5c735694e851ff742cf0989f06f621cc0f1e392b6cb9755dd4e18a119c96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE4D6.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE5A8.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55
    Filesize

    1KB

    MD5

    6722446aef6407603a6834ff012cfd10

    SHA1

    3c19bc1ef9b60b1f6e002c6c51e8ccb824d07f63

    SHA256

    efc0f6ded2042030251a84420ee8b2fcf62ec94c91c720f9e333845b92449145

    SHA512

    a6b56973fbfe66b34226f8e32c0621a4e34c06b4e20aa8f735dfafb7ecd7909c5517a3374c4f91fdee8e781e085263132f52aa6a5de3896ed5b4605080ea2a3a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2025-02-27_1754da651c93a95229d9a0d1eb630d2e_icedid_ramnitmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • memory/2080-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-13-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2080-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2080-31-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2080-14-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-8-0x0000000001C40000-0x0000000001C9D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2552-7-0x0000000000400000-0x00000000004FC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/2552-23-0x00000000003F0000-0x00000000003FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2552-9-0x0000000001C40000-0x0000000001C9D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2552-30-0x00000000003F0000-0x00000000003FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2552-27-0x0000000000400000-0x00000000004FC000-memory.dmp

    Filesize

    1008KB

    Download