Overview

overview

10

Static

static

3

2025-02-27...it.exe

windows7-x64

10

2025-02-27...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnit.exe

  • Size

    437KB

  • MD5

    e04ef63295ecda683a949ad6ac84e2d9

  • SHA1

    38738d42664fe9d82c71a7f4df3bcb665b39316e

  • SHA256

    48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49

  • SHA512

    18f6653d66d17278fc73922518f916ae2eb0d985f0289738fba876e94816cdd1c9906803f3fcc9f441ccd2f3769fc31f7b1aa3aa8ae9419ff7df79d1a47b9eb5

  • SSDEEP

    12288:GRX3wK9rybO3AlLBeTWi+eO6e2dAtyK0G+pG/YI:GRX3wK9ruO3Alpi+eO6e2mt2gYI

Score
10/10
emotetramnitepoch2bankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

64.88.202.250:80

212.51.142.238:8080

200.55.243.138:8080

104.236.246.93:8080

61.19.246.238:443

79.45.112.220:80

95.213.236.64:8080

169.239.182.217:8080

103.86.49.11:8080

87.106.139.101:8080

74.208.45.104:8080

113.160.130.116:8443

209.141.54.221:8080

203.153.216.189:7080

73.11.153.178:8080

186.208.123.210:443

37.187.72.193:8080

201.173.217.124:443

121.124.124.40:7080

24.1.189.87:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2684
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:600
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    f7c260a443b76b9cd09c7a6838a24f1a

    SHA1

    d28c38ca57d6520bcba65b0dee77e29117319c6d

    SHA256

    1061689b1ea0604dcbce0b22a7a7c76e1bba6a1d9d245720bed0ce9bd8ab2ca4

    SHA512

    e9f2288aa4de1d78569db198b1a5a5cc7474f858f77f4020ac1900d6f004e5ce01a539965cea7a543b4b14823deb063cbaac18059b57866a8a41343212ea54d4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    105410e268f4a1a451b13cbec04fc36b

    SHA1

    343a981eddd7a2027265f69ce85ffb32c902469c

    SHA256

    5eaea8e69d104714c3f3b58425db70b4436139751837fb73e11c7eac356cd107

    SHA512

    fe91b95c893868f38a9f28b0f7b28abfda84a29f7bda12471352ce9b0e986f1a1b787c8a270167424a4ea2bf1c4a358f58235928e0ac7f160fb8ffa2dfe5011e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    82ca3c5096103cc7e12fd22188307f04

    SHA1

    e98aecce5e490c04ecddcceaec534d9b1c6a5953

    SHA256

    96464f972425bcb4a98e486201177547e9a60da1c93af7aae2e1616163f5627a

    SHA512

    1364c612edb37a7bf69f510275468a363bc4eead17d96558137800fa22948e4e815312736c8a78699fe09766a0355d34114560cc40f8a2361d471f94a331ec1d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    58356d6c53f1378e0f55108456e2f2db

    SHA1

    a338bd4e513e8116d0a54683a09ecd3e714df6e5

    SHA256

    90458e5b6e89fe2247a7c50d7d9bb7c5f16b8ebcb98fdc874654e6757ab4feeb

    SHA512

    70e27b091ef4de5ff25d6214359a0361e0c504326cd359283bc4bd3d1ac56fad0ef4db39979b98f77f1e92c200bd1d444f711a0e684368a0759070ea0589ed2f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    41215dd53d97e49f7b81eff58e8f9a13

    SHA1

    be71df519a6ee320ffc33eadf7473b0fbdb0d9dc

    SHA256

    b0729c3f5819181d7707388375d1e32c717f5a935e7f2eb4b6690fd085cc073d

    SHA512

    d5559c42f64393ac48cd1427551d9170ccae6bde440079836402ec543974618d76db9135988a0f6f0d7067018792d8333b2f6a33cd2eec58f12aebdf287e95a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    510f087de783bd5f606130b2e36f5092

    SHA1

    ca4f0a13f1685cd4001e1db270719bc016ea401f

    SHA256

    f31c0d00d0750a42c0c1856a4ee750871371022baf13109bd0b4b078ad4e73af

    SHA512

    d6adaac0092312847e65b60950ef8143cda05ed0b82ba64f61258add333ccb56db6c9dc02b3ef5316373facb6a23c87e82a51cc74526aa1c4c631062512ccc57

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3818fec2f3a2cd7511b31532fb5194eb

    SHA1

    bbea14b444f060d65ab819db3b2699c41407c7f4

    SHA256

    6968d638de47cf4b03c0cd5060eeceb1881ac57585ba94990367403addeb6e08

    SHA512

    f4fdf26666b3a5fa070d56e61addd22531f478f4371410da0bde806c4a0d0d6726246eef5955c5584089a4d81e2b7c3815122a0f9ebd286102a9b4415ca5431b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6cb9c17b0113e249daa6cfa9399e9286

    SHA1

    d016d78d9f436832f7eb3e12d298ff63c7a4cdd8

    SHA256

    0aa599c483a3ed9ca2fd5869674f5949733162b3794ea7ff2b783f74cd569b08

    SHA512

    dfd450338d03348be9f031a8c1f4dc77df319328b4f33b5718dbe36f5daa52486a4feb80f14a85d8d2a6c70533f6dc5b38ffb5938abc7c40ad61f7507f51433e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ba597ef75b650c12f389924dbee2c039

    SHA1

    ca963a0014787177c0124ad63e0c8b5585fbd13e

    SHA256

    4107914d2a4916f7a36dd1ce05f3dc43c105152e7756da86e71be332299855a3

    SHA512

    a72c5fd2cd3aaa8f7d5bedba11f02361ae6c4738802fda93d016cb51f399d3007293755da0564a0285ee3886c1d0f7db9599041f6ce379446f4ae8dec98fe044

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8edca255c785272f3c14caeeef897b83

    SHA1

    21ec5749d96121a0983ebe656f590fe377346d5c

    SHA256

    1590fe359330ca2b6a8dbd60c3ff8f5590a870395cb507c7d136117620711c7f

    SHA512

    9fd0b4d8109400364558756aea85466facb4ca35a53c1dc20391e7bf78c4c41f85e2ce2b915f13e2bf56f514502ba402d003dcdc3d9388abf27526628ee7f6b1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    51c19424e87808bd271595f794764b4f

    SHA1

    bab62ddeb776fa96309af438d7e1cdb8b8f62c94

    SHA256

    b72d393b01a571eb936d68479ba695594c0f861bf6282fc4dc000cead08a65ba

    SHA512

    cb3f6500e859a512bdbd3d912300c385a328a4cc3aa266b48e51a5e6196b28ac3a0c4e7546b4de8dcfaad059c3c9f63cc7eb1659ccd66e18a488547ab364a579

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a057d34c19c2493d8a02a5cfe62fcb51

    SHA1

    05b967b5b97486ca02b6c6e17bb92ae8042c2ee9

    SHA256

    6626f6476083a4b7cd2dbc9393fbd07049e827a3213f47c1d0211b376936f584

    SHA512

    c8a8c16d8301d2c8aecf7814bbce4cfbfd986c2fd8f5f7cd62832b34978caff38e519cda51aab50a4281b1f3cc9bf8614f93f27dec64707003d1f2d70e88319a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9b570020f96d219874f29235848a834e

    SHA1

    8f90672300bb6f98bf92aa37789d7b5a319001ab

    SHA256

    7e0350cc67d461dc3f1f01a5e0408aac913ee98088aef9e0c4cb73e746241924

    SHA512

    a65df719985f0d78d620e7792a7c9e09f2a73815617d7d6df874e11ef9780d2bc2d3648fc3b411817dbf28870cb3df93c24f8ec1b439ed019a884451f027f698

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9bf64d204223609b3431d54a07a1e31a

    SHA1

    9253dfb135a168498f0c44d775f48b26811f860a

    SHA256

    39a9fb7fa925a3e20c90cec218ae0034880218df2b2dd2ffe5e57b1ccb613a68

    SHA512

    58426e0bae22949576749714961f788a7fe35f3064746fbd2789dd241c50bd62c334a745a91c26d8cbac8a803faedf20e46efd983dfd87927ee80b14e90926db

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2428ddd8cc508de77055d69907f5edeb

    SHA1

    d1aacfebea41a81adbbe3f33efc40f809f29ea33

    SHA256

    ad7b2a8e3486901940cb6e0255ba16e7a1245f942dba4c5e7e55a5c3123fd253

    SHA512

    72c4eb7c6a288daef2768d5865f34aa1fb0d76664937aed4363504d7f7b2c1878aa87f64bee562109936783259bf9e80679e64f5b5193b9579ea9e7820e8d121

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    aaca8685b2c986e431a4d75db388eed0

    SHA1

    fd21b23feaa73ca184493d38ddd082a103ea708c

    SHA256

    23a228932927816d5ea7a34e9f89e07f131914fe4c0c3b0f71d7497ff31c3513

    SHA512

    2ba972321209b3ac0bfaea152aea3c48ddccdc981106e6d5abdeb58f22d4204e879e262240fd287acf5306fededd7ae355deffebf78519f56946238bf0e74f09

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    35ec90bd4cd5ec5c68aa0040b38b6c7e

    SHA1

    31f4671cafb9ef6ffd40e6e240984c4b82732ab7

    SHA256

    e73cf52f021704c8a4dddbc5e72e5b92e478a1b383c81bc00afb46388b769388

    SHA512

    267d10738a9a7f53c8ac763d5931d1ae119a5469cfaa470e3fa49c8cc657c2a64faab287c768c9ffccd22b9752a298205d8119eee4a3ffc1e4496e4c63be985c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c4d3ac2bbdefe46e74e9f866b679d5ee

    SHA1

    a2dbaf927f061308f2c249bb5d95fbb9aec9cf98

    SHA256

    afba7a81161a9b99970e68607cb72292ff99c58eb7b31976ddd466f2e4594f43

    SHA512

    200ad97ae46105a9f7186ace883e3f661be87188672f81ae54bf9febb95964a30e98cb638536d5399b1b891fd054ccafe270592bcf0b5d2e5aec0999a6495540

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AFA41CF1-F4DB-11EF-854E-7ED3796B1EC0}.dat
    Filesize

    5KB

    MD5

    0f2e15c5913c065c839bb1f3b404614d

    SHA1

    c71c7237f025a50934f718ea04e7643e099d2da4

    SHA256

    8384f1154623f8d38f627c33b15f75d32209efbd7574d7a9f85947c25729086e

    SHA512

    2dcef20ff22a0a6b772e2d542865cad5661209783a745cb2c22478fa6bbe09690957b7de580f60773e9bdf53a98b9bca502963648fc3126c7d1b08fa3be6b36f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_e04ef63295ecda683a949ad6ac84e2d9_icedid_ramnitmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabF01C.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF8F9.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/332-26-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/332-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/332-12-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/332-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/332-13-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/332-11-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2512-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2512-16-0x00000000003B0000-0x00000000003BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2512-20-0x00000000003C0000-0x00000000003CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2512-23-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2512-4-0x00000000002F0000-0x000000000034D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2512-9-0x00000000002F0000-0x000000000034D000-memory.dmp

    Filesize

    372KB

    Download