Overview

overview

10

Static

static

3

2025-02-27...it.exe

windows7-x64

10

2025-02-27...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnit.exe

  • Size

    388KB

  • MD5

    de5fec8605a9a097c4c4924001c07c3b

  • SHA1

    cf994cded4b55c27b8ee6e22ff02ee0276bdc5c7

  • SHA256

    501d2c6c805985cf0c636469c9a18648431d069c6815ab7d94fd037c39b5ed31

  • SHA512

    d7727d59f6c9836d365d1bbfe147e329d939786269d54c0dd25f7f8ce6264796259a1bfd7e53f49198b34a3105164a884099eadaaf39a11bf91582e0476bf401

  • SSDEEP

    6144:PBsIbV9lPUQhC2H+R1gFm0zBT+kjV1oR1eGbfUTpYDDmu/+3fbF:WQV9lMQH+R1z0Vv1oR4G+pG/YF

Score
10/10
emotetramnitepoch2bankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

79.7.158.208:80

46.105.131.87:80

209.141.54.221:8080

78.189.165.52:8080

37.139.21.175:8080

98.15.140.226:80

103.86.49.11:8080

41.60.200.34:80

190.55.181.54:443

120.151.135.224:80

162.154.38.103:80

60.130.173.117:80

5.196.74.210:8080

46.105.131.79:8080

168.235.67.138:7080

24.1.189.87:8080

95.213.236.64:8080

74.208.45.104:8080

41.215.92.157:80

87.106.139.101:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2560
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0fa53f4f2892daab644cb8bda82b5eb4

    SHA1

    72b79fff7c0d8ac557342e2662a7c730e8a61740

    SHA256

    7a20800a256bfc87b710760933b50154e102bec6da69beef25c0c47e4e33ba84

    SHA512

    5eb6ec71d45eab4aa9cfc66185cf30d2918a84ddf06640fafbb36744637162ba0425ca5c43a9c869fb59a5335baf8f4606c454be9af40181f0d884e09d5d40ec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7e2d80dc03246a3afd5102c48e0a70a0

    SHA1

    4cfcd78dae5815331f5bd4f98b1c02dec151b0e5

    SHA256

    d160c863d108c4283f07d19a6e3510d06b542550fff34609eced607bb10e2a5a

    SHA512

    72cbff65bd19a03d5a0b2f14fa719a1b1ee56d3d2ed72eca5d839834134f2a57babcd98e15f73a9fac1f34203e183e8c793981ed230414b7f7c99e41da47fd95

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2ebf5a6977b5e1b910e2b7029cacbaae

    SHA1

    d76228aeb92dd1a88ab5a5349d7e7f1ce6b403aa

    SHA256

    94440d4981664ef681b3c2300df60512053bbcb464ccab1547104fe414366a71

    SHA512

    105ac71e4f83a9bb4910a7b0756a482461eba7ea8d227e50294df812445d67d7b6f1d76b921f1e90a22df0c026dd0ca968ec7677d3bd011db2b7b501180d2f71

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    28acfb8ce62352f8e4ae5df226980a19

    SHA1

    7ff1209270dbdb730fbd9799672577523c931440

    SHA256

    de64a9fd7564e123378102af75f86b12d0e8345d3e13e3f9987e76a462aa5884

    SHA512

    d93bdf3abc1965aaae99d51482f1161c8e424a1bcf8d48726a5f496d27f13b5a0b57db5e9fe89bc0648176163a1887686ffbd9aaead07a103fb539c044f8e2d7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1e706332d1bf94d8f5b321fee30d7657

    SHA1

    c34e948c012d8b8310a54b70ddc5bf2e3c04256f

    SHA256

    64464674bf1f102b34e6741634e51bb13d90b78d550b65af5def760b775f496f

    SHA512

    67ae760606a06d8c31feded8f426ab73adfbd1ac88fbe725cc359cf4036c0c64983f7f531a50b6f16f3c50353bd47c4a993273ce891a5f79f59c58ee837c47d0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    949e958a502fa263283b061bf20b8f9f

    SHA1

    f3e146ab428fe4e07780bbcb8e468d3984f1ee04

    SHA256

    fd61c345857457a415abd4dee72642d847082d6ff557ad95a7edc5cc6f980c5a

    SHA512

    b8f72dff8bcd16ac0e406b8cc7f52219f21b3a5908f7caa9c2abae0962adb4a0126d2e61fe2c3562de358d600a7752bf61ae1dd84d6187e667ff8d1c034deaef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    02ee7c4751eea32af87d2623efbf1435

    SHA1

    362ddd2aa11ce012edf90afdfc25a5375981a75e

    SHA256

    6867d9abc1e38bc0d0437f36031551df0e008fac45233e86ee22da9d1f7a6274

    SHA512

    d2380f9c4d586ac39beabd8746eebf45efdb7ca7810aa997bcd77e4720ae1dcf2cb9d5fa3794bb04e5d9c398405759fd84faef8a0e0316367b246dc3740a54ed

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    56d7b81c5a68becbb215ccd3309f3915

    SHA1

    b807308fd222260d4770fa337f86361e513e6b7e

    SHA256

    ac53af579fee253047509c05af6a4305103382ac5d7d37b5dd8df67db90bf8cf

    SHA512

    f59d2cede6362bae187416713ed4f4472fe3773bd1c98a4f0edace8d95af14b3d88e91e4e41fccb504fcfcd5119f981ae1db51fca36eb1d8514a88b8c05c7f89

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    444132d2ed8b7dd7d59b85596b67306e

    SHA1

    71a45341670a890d7c62aee27af470fd139ae6b5

    SHA256

    08c12fd2fc297a8c9231216654ac61805bcda47653b19f47b5ef7067966d82a5

    SHA512

    de658b276a75813b78033ac275dc0d4bf18753d4a4af8fd0bdd9b9b95d81eab7a76fa49623512e2be5d05725ca9f756a164cd806b8df36834e086c87a0559131

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e90ccba743b221af8bbd8f856945d42c

    SHA1

    f24df0514c081e07020b45ba77974de4fae2df07

    SHA256

    26ddfaa1fe22d0cdb4b2a883d0ef3b58d8cdb6cd3831f1c37c1ca5d8d2f04ffd

    SHA512

    8f884b239acfadbbbfda5aa6be260556a0221bc8dd4d4123beeb1bdcaa8c0c503b19793ff50c779165d35db71269c9b53bb9a8c929d7052ca960e53dc1dfda74

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4c53c1032b98d5894b79ecf9bad18bfe

    SHA1

    5a21183c81bad60165ad3750e2233a8693221c4c

    SHA256

    9f30eca7993bed6f0990765eca890ce1a11f0959ac668e2d755e6a6c9cbbe858

    SHA512

    5e6d8bff4a9be78a54116c93cf2837fe9a36418017f84ab18d3bcb7b75b04b21225c1ee36133ced714a38b0c16b02fc93e3606a64b60cd23ed87104f50c79d51

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9289f8757eb2d168686e9cc3ed47c94d

    SHA1

    4c83ff0a30e4f7a5daf4932750684e9afa054943

    SHA256

    97a28bf64feb880eaf2961c1fb94073a4d60c4e69c030b2e9113400d82fe340c

    SHA512

    e3fc5d31efbe16a2f3cbd98e7d338d32c05aeb8fc3a95697862b5b6e10e2a6ab83d0870021a9b7d1736a8bc3c359e3b8aad6a022bd0d77603ec511222c6c4329

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5bea75a930ff19b09d3e2004cc1a2b16

    SHA1

    b39dd51e4edc748d9a0b2f152fb236cedfe2410a

    SHA256

    6f16b76852564fff18306b421c12d46fc57529f35c31f5f1292ca59895ea54bd

    SHA512

    1df0a787a0e3e46a61d56af2f2f69a51720311945b3788b9af5aa3b9fee247915de78f3f1fcba3ee4be32eae74552b4b9312af66fb5ee0f5979d4945d7a097ec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2b4d5d685f66643b62ab69e2626b55e9

    SHA1

    14ef4a493cda683a679461b222b01612de79fa3f

    SHA256

    b209ece773a689b0433757c09cef75b14d1b50fe539c51e8f1a69ccac8d5f473

    SHA512

    cbf754def3f555d94f63ba543da14418cf3c1ed47ff01700df359a95588bbe4d76f54df922f8e78307fdee7d44507de3fc0ecef9d354a07d036b6f4c9eca4ae4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5385675922e1ca79494ea05766da2498

    SHA1

    1608b151448f93d624818831e7d5ba2c8ea887a6

    SHA256

    87e09889677f4c8942cf41a82d655c03f30cf3917f7ce208c3d9db6b4f9d197c

    SHA512

    ca1e1454c718f87e467737bac0e02c7e68afe394cfd4f0b63b254d467cf1bf296c4b1f4e6885ddc49d511cb8e5c381dbb73c1d162b210479104d58a414f8f1b6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6b89d13d8950c4f80b1014a7b93e3893

    SHA1

    ccaf8e655ca3a720929bbf58c77462fd2f650a26

    SHA256

    743ca3ed4824f4df105c01051d4176cedd67928359c3e595b30d6c87ef9bd2de

    SHA512

    14c282d36716e77c0a6f1466828507d9070ae9ff83713e5d3a31cf94b3b0eaf564f84ad166f91dafb8686c6bf3f4c8ea65a6b5feac2a7459889446468da30231

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b6de502d2d3f4fc8c78a8ee8781c479c

    SHA1

    cff9c57a18957516a81a012df943770dc33ae21f

    SHA256

    f130f001d37065658d8721bd5674b864899b87545142fb6432ca70ce32516a88

    SHA512

    3220e0096c0f80033cd3690845d7458b4900bf606a05868ffbd6f3d61d3239f82b5bc5d161623922a4761c20fae1a59fb8d2bda134c3133d58f94b28e729562b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2f44b0be6d1e6498aa3430a45fba4837

    SHA1

    acf76d4bf7700ecec38bbf77d63cd964b449e4fd

    SHA256

    c954bc5346933bd1dd86919fe1adf866a18e3c3ec5942ebd22965e8e36c614cc

    SHA512

    d1eb9445d6ad8369842fa04be0aabc830aa7e7283cdb7724127fb40be11ccc9ccb5b23fd225a0fe14ae91ade44fb23bebfdac56041fc1b7936944977414c0ae8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    88c10b77757ccb1e51357751378c5e43

    SHA1

    78dc423605de3d4fda7f377ea09db111333f96f2

    SHA256

    211031926efedbc17fecda12878e3ef57edbc293001d9ca6a5b7e898c0beddb1

    SHA512

    ec37663247ef855878e44e5543cd5f92de1bb7360709c6d35307e3038f37e0e176794b7cbc02bda18ec763b8b03293672e4c51db2fde2ac0aac215a41cc025f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FA8C621-F4DB-11EF-8F55-D60C98DC526F}.dat
    Filesize

    3KB

    MD5

    696de958d6e73362b331dc02e770c5a9

    SHA1

    0dd1f188cd0d3498e566aeaa8c137add0a64c02f

    SHA256

    5b008439b019547d6052e984996e3df07d5f7cb69628366d93133bafd7a2c433

    SHA512

    f728d60213ef1c42f1615b6014e07eca785dbf8c01eb8ec6d275bafeb00a25a7d6084ce181464d94ee00b64a13c61e080cc003c2cb2026fe2b47f4c7eb50f80b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FA9D791-F4DB-11EF-8F55-D60C98DC526F}.dat
    Filesize

    5KB

    MD5

    bf5b0b1010743217a1daae5ec59fe620

    SHA1

    c3efe059ee7c74ce49e1b81a68e34441c6b46af8

    SHA256

    a55ef7e162ad86374ad47061880a8ef578ea049cdc54b70461f50079cd35ff84

    SHA512

    f7e718da613abdf8de3b39d9582504d90b39dbbee13d854c66208c224fe269ea58281fa6c7d03a9136895277081ef911d5ff9cb3b15e88a6389496cc158771ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_de5fec8605a9a097c4c4924001c07c3b_icedid_ramnitmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab17A.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar21D.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/2196-21-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2196-13-0x0000000000390000-0x000000000039E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2196-9-0x0000000000220000-0x000000000027D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2196-17-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2196-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2692-10-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2692-20-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2692-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-25-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2692-12-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download