emotet | 02c545872baa3b65bcc706534602de4872a008775f9e988cc0d39bfb8609cdb7

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
Size

384KB
MD5

17a566a279a3d4fa681b9fe63e83a365
SHA1

4f5cfd51ac38ecbf000934378021301416bec5d4
SHA256

02c545872baa3b65bcc706534602de4872a008775f9e988cc0d39bfb8609cdb7
SHA512

c4838630c3950824f550dd4237d6d123424d7e25ae740dbf11f1b33542645f585cdbca1ce0b7a63e9a77cc322c68c213665a75e5b79bbe17eff1ad4dad464a6c
SSDEEP

6144:sD3MtP2xXEeeWFEuC3h93Fx8u2qEuIE2T9Iyo/Q0VNhEeGbfUTpYDDmu/+3fbB:sJxaUCh93FxmuIE2Vo/tdG+pG/YB

Score

10^/10

emotet ramnit epoch1 banker discovery spyware stealer trojan upx worm

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

219.92.13.25:80

91.236.4.234:443

192.241.143.52:8080

186.3.232.68:80

192.241.146.84:8080

12.162.84.2:8080

50.28.51.143:8080

221.133.46.86:443

185.94.252.27:443

114.109.179.60:80

186.33.141.88:80

172.104.169.32:8080

184.57.130.8:80

177.139.131.143:443

77.55.211.77:8080

81.169.202.3:443

72.47.248.48:7080

212.71.237.140:8080

190.229.148.144:80

178.79.163.131:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
1916	dxtmsftmgr.exe

Loads dropped DLL 4 IoCs

pid	Process
1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
2880	dxtmsft.exe
2880	dxtmsft.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dxtmsft\dxtmsftmgr.exe	dxtmsft.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000010300-9.dat	upx
behavioral1/memory/2052-10-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2052-14-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1916-34-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1916-33-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1916-37-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2052-42-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxtmsftmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxtmsft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1048F6A1-F4D4-11EF-A5D8-F2DF7204BD4F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446799579"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1048CF91-F4D4-11EF-A5D8-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
1916	dxtmsftmgr.exe
2880	dxtmsft.exe
2880	dxtmsft.exe
2880	dxtmsft.exe
2880	dxtmsft.exe
2880	dxtmsft.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
Token: SeDebugPrivilege	1916	dxtmsftmgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2676	iexplore.exe
2572	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
2676	iexplore.exe
2676	iexplore.exe
2572	iexplore.exe
2572	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2880	dxtmsft.exe
2880	dxtmsft.exe
2676	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2052	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	29
PID 1540 wrote to memory of 2052	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	29
PID 1540 wrote to memory of 2052	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	29
PID 1540 wrote to memory of 2052	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	29
PID 2052 wrote to memory of 2676	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	30
PID 2052 wrote to memory of 2676	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	30
PID 2052 wrote to memory of 2676	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	30
PID 2052 wrote to memory of 2676	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	30
PID 2052 wrote to memory of 2572	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	31
PID 2052 wrote to memory of 2572	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	31
PID 2052 wrote to memory of 2572	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	31
PID 2052 wrote to memory of 2572	2052	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe	31
PID 2676 wrote to memory of 2596	2676	iexplore.exe	32
PID 2676 wrote to memory of 2596	2676	iexplore.exe	32
PID 2676 wrote to memory of 2596	2676	iexplore.exe	32
PID 2676 wrote to memory of 2596	2676	iexplore.exe	32
PID 2572 wrote to memory of 2692	2572	iexplore.exe	33
PID 2572 wrote to memory of 2692	2572	iexplore.exe	33
PID 2572 wrote to memory of 2692	2572	iexplore.exe	33
PID 2572 wrote to memory of 2692	2572	iexplore.exe	33
PID 1540 wrote to memory of 2880	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	34
PID 1540 wrote to memory of 2880	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	34
PID 1540 wrote to memory of 2880	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	34
PID 1540 wrote to memory of 2880	1540	2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe	34
PID 2880 wrote to memory of 1916	2880	dxtmsft.exe	35
PID 2880 wrote to memory of 1916	2880	dxtmsft.exe	35
PID 2880 wrote to memory of 1916	2880	dxtmsft.exe	35
PID 2880 wrote to memory of 1916	2880	dxtmsft.exe	35
PID 1916 wrote to memory of 1900	1916	dxtmsftmgr.exe	36
PID 1916 wrote to memory of 1900	1916	dxtmsftmgr.exe	36
PID 1916 wrote to memory of 1900	1916	dxtmsftmgr.exe	36
PID 1916 wrote to memory of 1900	1916	dxtmsftmgr.exe	36
PID 1916 wrote to memory of 692	1916	dxtmsftmgr.exe	37
PID 1916 wrote to memory of 692	1916	dxtmsftmgr.exe	37
PID 1916 wrote to memory of 692	1916	dxtmsftmgr.exe	37
PID 1916 wrote to memory of 692	1916	dxtmsftmgr.exe	37
PID 2676 wrote to memory of 1880	2676	iexplore.exe	38
PID 2676 wrote to memory of 1880	2676	iexplore.exe	38
PID 2676 wrote to memory of 1880	2676	iexplore.exe	38
PID 2676 wrote to memory of 1880	2676	iexplore.exe	38
PID 2676 wrote to memory of 2016	2676	iexplore.exe	39
PID 2676 wrote to memory of 2016	2676	iexplore.exe	39
PID 2676 wrote to memory of 2016	2676	iexplore.exe	39
PID 2676 wrote to memory of 2016	2676	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:472070 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:668675 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2016
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2692
- C:\Windows\SysWOW64\dxtmsft\dxtmsft.exe
  "C:\Windows\SysWOW64\dxtmsft\dxtmsft.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\dxtmsft\dxtmsftmgr.exe
    C:\Windows\SysWOW64\dxtmsft\dxtmsftmgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
504cc376051c7cd24db8d16e2f3312e5

SHA1
34077fdf8dcef93f99a0dba766df191a8993c21b

SHA256
004ce851ee110a3ec66856eea6590df9e9b1cd5675ea7c12d79a441c415e0f6f

SHA512
b681c928bc447bcedbbd285a0d4f1aa48b1f5453ebd361ab89d650d7362492c7ef7df0f32df419079bda82a159a70be6ab62a9cb033bc900043ed1a37338c851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dec95c3178b665f502ee10cdeda91130

SHA1
5895acfca93774d6c3a22693f14f4e2ae64643e6

SHA256
0d02fd5e87371e59becdb28afe49bfe0256517f2903725e9f7f85131fea18fbc

SHA512
234d521aa763a2c143ee37f5471ea00507f945b8025dc857dfe8608e5fa95b22f7aeff012ba662790a5c0205258539a83db15e495dcda2fd39c3dd05718fbe17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a9cbc6bff8431a59696f45a1a894e7d

SHA1
6f449ab264de1ed5c925fbf161d889473febf1eb

SHA256
a21d1ff1a7e4c10cb518ad2ea675b8a863a9e33f2efb1cde6cacd89b69479b5c

SHA512
2c473c4deaf54068ed104033fca6bf86b443f99baf61aa0b73c78f75b30c8b7ca255c7fbd29139a3e34050830cb971162aa09a2c98c0d4da4d9873262c095310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32687819268766cf0213ef8c9f2abb4b

SHA1
c1fc5d831e9c5286ed461a704afb923dde70bdd0

SHA256
964fe6b01c40be0eecb51e323272f9dcfc7a0122b5c28f47e167feb199eb96a1

SHA512
f7feb515e431ed8ba07e5dc6a4ed16aa691d12de5336095352689e3c331249c341cea59f402a62ad4cd0c614a235fef2fa16368aff1b070cb36db5072fb26080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9252b5cffaa5b7bf7227302f812d43e

SHA1
74e0440b070aaf3d294eec28b6317d3797190233

SHA256
3a75f83474479cb8c88f54a7e4a1d11b9062120730db10a265e3f80121d0180d

SHA512
9e0d5ee10d22ecbd035f8d684507c174519d5c460cacacec34304fc01d9de9939454c48b8ad20dadff17e51d1306e605bd2c81a70d07a83c206b54deacdbaf51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bc95958761fdb0abdd84e9c486cac2e

SHA1
12ae2e3dd823d6a1b95b442b32003c3395fb8be9

SHA256
76861bc3ff4ced84b87d9da64e0c04219312ade55efd623e57796752e08d90e7

SHA512
0dd7b38749ffabf104e91d425bf1b10b9b9e7dd26f560ae6f9f34a22118a47a5000741e7fae897a03a8e476df1a2ea8719decff218088ce44e743d2bc4a4a2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5175a94cf4476d1f8958d0a1884479b5

SHA1
290e81f8489f97d3113d52f0709b06f1be5dcd36

SHA256
60f3a0ede5a87c768ea09ca8b2413f7fcf47020a4c1b36c630cd4de22db92d04

SHA512
2fdc3fef26215fab441426e7620fcf8c801cd76c505cb30124f9f9d332ec9741f438ec9ff510b51d11864acbcffac54cfa373217ba1d80d51f4067124ff41981

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee3a6d47f3247d58de6a1883b577916e

SHA1
83195b25e6ded49821923803e9b270411f3ec460

SHA256
4b9473238cca5553a834648c71e88dda9722ac18613af4a63e00bc02837ae7e2

SHA512
020741b5be38903d1e9544a6f8f28d62fdaedad29a29fb923e4fe540d9f216d27018df550cb443fcb959d5e80e48c90deca4e45533ff01c64973c4b353894879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
921e41bdd413fddc18c30dbf1f3fc5dc

SHA1
08423353519adc9f8fbc0b63fb227afdfd459e7c

SHA256
0234e6bec3650beca23a6483f82a3e53ed71cc889534e7ec5a0d0317d16a9f97

SHA512
d5cbcf9d0fa9a633a035b44226ada758e09425f2ad70224feedd84e28478a9a79dfd72be520430c2cd89ecdf47e722a477bdc678fd23ed8802b9300d7812a7e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3312a7aa2ef4612a48fc184b17c00538

SHA1
bde565c83018dbb078fc5ca50384f47bf7023394

SHA256
3fcd3e77625d3864dab4b6d47ddaa22515b9e1d5053cad94c8ce7c647f29d3e2

SHA512
22504f1a3319eff0009d6678398d8c1c16b0748f97aac3ae6715c7325ecdc5247bac5a13f49af773e28847988207548e069ca7184e5ffa6d20810371c6aa3c47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
520fd1421968d4130c2602d71103b620

SHA1
f6a554ffa0de1525b3ddcbbef1b6a6ed4e4929c8

SHA256
cf7fc536e5046d41193db99c15f8907c229ca9e788e6ab30cc9b00db6872527d

SHA512
f79064b49063194a035456c38b45c7cb1c8062effc77b3d5800693d3b869870ef4ad0cfe9ced73eeae069ae6958a7fdf2dd8967998c210583baa92aa09f3c4e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcb26fa26c4bf77a4945ecf3dd2fd314

SHA1
b0216fc5456e82c0707e2156defb0a9d6d6f8790

SHA256
da6d4bf25295de13094847f6c8bb7319df0f3ed275d34e938e36af001727e390

SHA512
ac0f6fad0625f4b5ad4272db6b4500a3b70d5496361dec6d00324f7e52470e75c821eec1fa4444dd249f8a6bcaa177064ad098aa1ea1b9911068a556dc9e73b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ee3314b3c7ae2d9e397e29834d958b3

SHA1
6b7002c7e1b2ad927dacc86218937309c758e33e

SHA256
7cdbd18c5df469aff596880aaf34083cb4adae0e0177109ab83227d7a3a262ff

SHA512
1befa9b213eb788d1e92996d1e678e8893a6702730102f29448d7a89d5a0180b35e0c618afe6774971636dfbc8efef2012324a8d04ff23f6f001025f2e47a51f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c313c7a0638a3d148de4090b4ceefb7

SHA1
8f00d9c3680a9f6197d3c743db9304012f24b4c8

SHA256
86be9226995d3ac007d79d542f6bb6a36720544b90fa01ef19ecfc4681d9103e

SHA512
3aa21f9e421e4f60f17e3d758ca85e766253ef15bc5410155aa4455be1bb9fddae3c79bb23e3cf2d0be047b55d62e0dc6b43821ebe7cb54f8d751d7b904c3be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
634d8ab4a45560150b3c3d4eec640196

SHA1
52f854bfe446c65d705b5b88b195fb8f69aea2ba

SHA256
d0d485a5ff54bd8d80b3778bcf11980c98b7c3c7838f5ef36f037c5b7078c4ee

SHA512
f90fd7c5b728c743a463c90eee63e29c3799b011141c533d14b76200dc607c0f52275f9f4f67b2aedaaa92e4157f9602658d975c5939c498cc707f033c89fc1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fb1bdb5158b063a88b763c894bf64d9

SHA1
68bb7bc53f7733a83cecbf7d6c43bfd839fef8c3

SHA256
d2c01d11e6eb576dda2decf1cf7057c9aa354a1c7475b211e21c50f41deb8922

SHA512
128265ed7b67936a147f54232c448cbc112a3a3058ac1390db20ed92a5549cbbb496edf86cef496d8a051665f5887f8883f189a4fafe9287027dc712d5c3bf4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e81a29646e5f134bac8ab78c3212363a

SHA1
27b90bae44e3c979868e3b34cd2457f2747a8c94

SHA256
a57ff88dc0ced48fbdf21eeb72067f3a7c0e49693735b4bd880ce59134699ecb

SHA512
a44e2decd87eeea29fe0575f13ea43fe86ff4396f282c82bb01850b31e29e5af40a89f19d29aca3f832aa1de56126d1feaeacd46b953fe06921a04b188c34566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3723cc34013731f5ce48e9ce474a4b0b

SHA1
5e98176892547922ba03c8e813178fe4b81d9479

SHA256
2a0ff0eecd6477d24194374a8eb863fa7d2ecaf9c2862a9eea61b326871cb299

SHA512
fd6a7212afe4359c538c3e50f672d587651897dd86cdaf88fd344f7702331f34f39b5ce792c7a038ca285c9f5058b849804f8c9e83fefd10b3ab8e62169466ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c322198088280797817718c4403e0f8

SHA1
5f218912ad9cd8534df8becdf3d2c6717e19095d

SHA256
6b9181f668597bd8763b8afcd295074b8dd02ffe668e5f1bdfaf2ba885838b5a

SHA512
566949e9e7935927948a98bb6cd8156e672fde41bfa0fac7f8225a4efcf1bfe8a42c569686a44aaf854d9dce09d685e3bb9b5387671cbc91322b9df51f35a7a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32c87d5e7c128a4006e8b89fcbcf78ca

SHA1
215361db0ed1b388868573d89f252b8f483dd171

SHA256
ccea3b3b4736ab56c3e1c0230e705473bf4f899fde58acd4a597efcd666a6805

SHA512
0101146c7b7bc0306d85b55088029f049449ae1b9005e79efe78ec22f4943a3a39f5c76101cf661588d35d7cc93df3a5630d515f6bb9e1b3d12348b9f0131e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1048CF91-F4D4-11EF-A5D8-F2DF7204BD4F}.dat

Filesize
4KB

MD5
fba50120f0a2ef80fabd7637674e7568

SHA1
af6044aa4ff94d2338101d2af4d5e3e7d34c6b7e

SHA256
3d035cffafaf226eca14f7089f3c569ef095c68ee8ba32fd91e8a95dc5180bce

SHA512
59ff7354de312694b9ebdb2daf0157be720139ad09e67e4f4a8e5d3b0f9bba2580daa878be6fefd7c9796940cecdf5ee4265dc07903d29ed12fc426ad6a84322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1048F6A1-F4D4-11EF-A5D8-F2DF7204BD4F}.dat

Filesize
5KB

MD5
d4b9eab49850cc44de402ea4c072fd6c

SHA1
79057f66e2d9048791f85ef56bd77ae136069167

SHA256
4ec65e205d8051a19fe7eb205aec90187d53b92bed9ff0a35f93e7d260705997

SHA512
0fe70cac91c7c54b4f6492150872cc1b24653fdd5426999eabcef4076a1a95b08ea346a9121b06b2aadf2edf45f5c209eec265d5b5cc72946efe147141e3ecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-02-27_17a566a279a3d4fa681b9fe63e83a365_icedid_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1871.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1907.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/1540-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-8-0x0000000001C00000-0x0000000001C5D000-memory.dmp

Filesize
372KB

Download
memory/1540-18-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1916-34-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1916-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1916-35-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1916-36-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1916-37-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2052-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2052-42-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2052-10-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2052-12-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2052-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2052-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2880-43-0x00000000004A0000-0x00000000004FD000-memory.dmp

Filesize
372KB

Download
memory/2880-38-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2880-22-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2880-31-0x00000000004A0000-0x00000000004FD000-memory.dmp

Filesize
372KB

Download
memory/2880-41-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2880-30-0x00000000004A0000-0x00000000004FD000-memory.dmp

Filesize
372KB

Download