emotet | 11009dab22a9e856caf446d89ef09a5905d67165f409e4f7f8dca572dada2a6e

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
Size

384KB
MD5

e31325905017b1904803fba42993bbfd
SHA1

f0692747e142da8762e0d7ebb8b2440f3cfab980
SHA256

11009dab22a9e856caf446d89ef09a5905d67165f409e4f7f8dca572dada2a6e
SHA512

448e230c67a1f3977c47b53589eab8ae9338fa8f2778767583cf5867e9349b008354073fa96c4a2a31f998ab70919bfc7cf5b9291b0e6b56edcb881e087f1ab0
SSDEEP

6144:so3MtP2xXEeeWFEuC3h93Fx8u2qEuIE2T9Iy3kNT1keGbfUTpYDDmu/+3fbH:sUxaUCh93FxmuIE2VE19G+pG/YH

Score

10^/10

emotet ramnit epoch3 banker discovery spyware stealer trojan upx worm

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

41.169.20.147:8090

72.10.33.195:8080

177.0.241.28:80

82.165.15.188:8080

190.111.215.4:8080

46.49.124.53:80

190.63.7.166:8080

45.118.136.92:8080

220.128.125.18:80

178.153.214.228:80

139.59.12.63:8080

163.172.107.70:8080

190.251.235.239:80

46.32.229.152:8080

78.188.170.128:80

110.44.113.2:8080

77.74.78.80:443

37.70.131.107:80

188.0.135.237:80

188.251.213.180:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
3060	Wpcmgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
2340	Wpc.exe
2340	Wpc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Wpc\Wpcmgr.exe	Wpc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-4-0x0000000000250000-0x00000000002AD000-memory.dmp	upx
behavioral1/files/0x000c00000001226a-2.dat	upx
behavioral1/memory/2748-16-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2748-14-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2748-11-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-33-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2748-40-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpcmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446802947"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7BAFFF1-F4DB-11EF-9F7F-EAF82BEC9AF0} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7B89E91-F4DB-11EF-9F7F-EAF82BEC9AF0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
3060	Wpcmgr.exe
2340	Wpc.exe
2340	Wpc.exe
2340	Wpc.exe
2340	Wpc.exe
2340	Wpc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
Token: SeDebugPrivilege	3060	Wpcmgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2752	iexplore.exe
2776	iexplore.exe
2752	iexplore.exe
2752	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
2752	iexplore.exe
2752	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2776	iexplore.exe
2776	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2340	Wpc.exe
2340	Wpc.exe
2752	iexplore.exe
2752	iexplore.exe
2752	iexplore.exe
2752	iexplore.exe
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2748	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	30
PID 2208 wrote to memory of 2748	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	30
PID 2208 wrote to memory of 2748	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	30
PID 2208 wrote to memory of 2748	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	30
PID 2748 wrote to memory of 2752	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	31
PID 2748 wrote to memory of 2752	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	31
PID 2748 wrote to memory of 2752	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	31
PID 2748 wrote to memory of 2752	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	31
PID 2748 wrote to memory of 2776	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	32
PID 2748 wrote to memory of 2776	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	32
PID 2748 wrote to memory of 2776	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	32
PID 2748 wrote to memory of 2776	2748	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe	32
PID 2752 wrote to memory of 2572	2752	iexplore.exe	33
PID 2752 wrote to memory of 2572	2752	iexplore.exe	33
PID 2752 wrote to memory of 2572	2752	iexplore.exe	33
PID 2752 wrote to memory of 2572	2752	iexplore.exe	33
PID 2776 wrote to memory of 2228	2776	iexplore.exe	34
PID 2776 wrote to memory of 2228	2776	iexplore.exe	34
PID 2776 wrote to memory of 2228	2776	iexplore.exe	34
PID 2776 wrote to memory of 2228	2776	iexplore.exe	34
PID 2208 wrote to memory of 2340	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	35
PID 2208 wrote to memory of 2340	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	35
PID 2208 wrote to memory of 2340	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	35
PID 2208 wrote to memory of 2340	2208	2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe	35
PID 2340 wrote to memory of 3060	2340	Wpc.exe	36
PID 2340 wrote to memory of 3060	2340	Wpc.exe	36
PID 2340 wrote to memory of 3060	2340	Wpc.exe	36
PID 2340 wrote to memory of 3060	2340	Wpc.exe	36
PID 3060 wrote to memory of 2608	3060	Wpcmgr.exe	37
PID 3060 wrote to memory of 2608	3060	Wpcmgr.exe	37
PID 3060 wrote to memory of 2608	3060	Wpcmgr.exe	37
PID 3060 wrote to memory of 2608	3060	Wpcmgr.exe	37
PID 3060 wrote to memory of 2728	3060	Wpcmgr.exe	38
PID 3060 wrote to memory of 2728	3060	Wpcmgr.exe	38
PID 3060 wrote to memory of 2728	3060	Wpcmgr.exe	38
PID 3060 wrote to memory of 2728	3060	Wpcmgr.exe	38
PID 2752 wrote to memory of 1656	2752	iexplore.exe	39
PID 2752 wrote to memory of 1656	2752	iexplore.exe	39
PID 2752 wrote to memory of 1656	2752	iexplore.exe	39
PID 2752 wrote to memory of 1656	2752	iexplore.exe	39
PID 2752 wrote to memory of 2140	2752	iexplore.exe	40
PID 2752 wrote to memory of 2140	2752	iexplore.exe	40
PID 2752 wrote to memory of 2140	2752	iexplore.exe	40
PID 2752 wrote to memory of 2140	2752	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275458 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275467 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1656
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:472069 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2140
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2228
- C:\Windows\SysWOW64\Wpc\Wpc.exe
  "C:\Windows\SysWOW64\Wpc\Wpc.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Wpc\Wpcmgr.exe
    C:\Windows\SysWOW64\Wpc\Wpcmgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2608
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33483f92a112659e2ddc2e474effec96

SHA1
e0fc29d218b6c89e58c0c0c3ad2d5b681068c6d8

SHA256
aaa500742ec56a5647c0fc66a44fd8497510484c38dfc47b20faf6261022f10a

SHA512
3ea54ff743819d0b62dfb4e499974ca466f8c91ab096203b7df97fb56b0886566017144385c07a9a77a1b3e9f61a334227f59442f999580f9fa7de2de2a5ea99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e328eaed43d5c796ed7c651ceb1d108

SHA1
b861c0570eedc2e8ae4841537d71c00a0bfb1558

SHA256
858b3ed1cf6ded872271dc2f88dfc289c9a5a78517d6fe364c79029cd3c62db8

SHA512
9eb07c6f096c2e877407cc4315d20001d63dc062b3a7faef87482f0d7adb98196f028df7598b7b9618b927c599c74f3fbdda81614fb91d8f5502166e78ec18aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adade9527cbad58a79ad1e251fd5ddb3

SHA1
34cc33505619a5c2615eb64fe0658c23939ea8ab

SHA256
61454bf2b05055c0a455842df7b4533769dc0a3d93e739f79e56a6e1e6a19616

SHA512
c9c2c008bbd339990027b360ae05b36b7e5e4056445064d8d70e68a55b5bc9e1258140b573a6a0ffe26c3a0074bb069b9c297efb7aeb78c45271eb3b0ccdb267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5469e84ed759f5a57c5ed7b8ba292e70

SHA1
b747c5ca85f3ece8140bfafdb4101bed2ef88970

SHA256
beeb72862644211510f065f8017b8878d3a062fde942b13cadb1bd9398273bf0

SHA512
d10f9ca239cbd9af179d73cc0861e567c9df427e0f3f30509b76473f3c43fd76e1dee179e513a18bf55ed8c67ac0d560d48a1c6290aef9319ad27b9530bd406b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3d884ad18764bd48b50f5d0387307ef

SHA1
62bd988eedb3b142035d237f4458ce417a4e8146

SHA256
f57c395f56575ab9cae1ac82f92ae3a20cf8f67e8f06cae3b94a872f191b5466

SHA512
075b4a2d3840c5803731c20234a774a9dcdf40fcabe5d23f555de049aa31bc77f35254f1772e6843e0f6d75f83122230b6fc81e147e546a5ed58846526b737cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
206a07d2d2f6b568a1ee3de5c1742110

SHA1
44517d32f0b6782453276ff6d9d74179ecb964bf

SHA256
b5056ad418bb49e8c0c94aa83865192840a05d8f1fbe0650a95f846b2d5f4a68

SHA512
fe2f61a03406ddd7276a94dfef723d559f363287a72fc4c88de2394479091928fd3112fc82da6f6982d3747e94cf6eb6f73707802b738d7bbb49969235623fe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e3c8681929556d3cd7afeea02a454b1

SHA1
09c7d3f46f9204f566def3c58fa7f667d22ac7a9

SHA256
0b4752ff0d493dcbf4b2cbd670a74970caa0a00cdb2bb4cd61d202c82cb1b0eb

SHA512
29474cb224a88862ffbf96a754bba849d523579b9eb39311cddb494e89607227975c61c2045214b6c1c4c4489f0c6bf8af5d85937d5f1ae8ee1bb602b13670f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb07f7093549453df62f1a2a4390d4b3

SHA1
b496b0bf0c61852c1310041f3cc15792d82e68cb

SHA256
5943550624950d93ed5b1e9d390b51146515857b3290518ed6568c9d282d33e7

SHA512
acd6fdc6d4f8d8b39a922f71a7312bfb6bc1576c081beea9b77c75b96b81f216d7695fa11f1ee18c40c1fde4f91ef84e7ad61c948a05bdbd4bdddb0b240f964f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4c2570f805ac96f382422972a13f825

SHA1
90d2cd5be1a7e91b09d47cfd9d7e8b5b62bcf59a

SHA256
3e2144b9b12616111e2fcebe4e2067b56c400a1ffe1c463eddd6c4d57d3c9109

SHA512
1d0590f80356a1bd14ab3b41fb23bf0e2bf6b7d8d8b93d3ff9c6869e745c38f46b061bfb9ea862df2d52a87095497455ca702d8ad70d86cb42a62e691c84093b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9d6bbf3e10818cf2e2f325d6a1fca7b

SHA1
6d1463a9986a3bde2535ca4883ea6b966a4979c1

SHA256
c72468d19e2b93582a8ae153839a65b9be72c254b744e13e8e215162d963723d

SHA512
0048e2c69c500af9c37be78c2d7f88eb68b437c7bca55ce477de12b7b7883820f1ec3321d36109c4afb4a5cf6c56ccda1ef4fca516fe1e62f008273cb373eb8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c45ed439232e248522a6940510256ab6

SHA1
43f420cf793f7cc0195d4fecf93b8acb91e06cc4

SHA256
80e971d6abbf2305b548a3077ee6917c8c6ae67d05494a993a9fb5b1a63fe6c5

SHA512
d10bb0f69234b4d644bc63e1e3b85b20f2e8f384b21b32d70cf3fd741485d9759f88a1e9c1bf122b243a68560a4f6db90635c297e13b1c6c2a5f8ea0f3491806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ca04561caf7fc737fd25ac57fd128f6

SHA1
f7cee55ad5183564feac30ecc8ed0015969ca139

SHA256
bd5858bcfc1d488d20e13eae8ff842afbde874170eed0bba79ebe404150b5173

SHA512
84c5d5e66c17002507b0c9fa6dc0949d6ecd869567348e29025c8aadd89040d4d58ef161bb4df5b67c44de0238fb4b362d2b597712cddbf7fa15c16f7f4fbfc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5989696a712ba5a14df70ad32364eef9

SHA1
79e13d112cb438adf7426730ff3a18585d02d1be

SHA256
8b4c680b9308d0c6dcb16afdb3a09776fa92d55ebaead28c51f1b30c844583b1

SHA512
805e115b5072e288f16ca8702e14e14ab07b2a7602fa521c9d5a83c58e8c3177eb280a06819e4b72758eb8ccdb2b5bfc0cc51e840ba83d0f6272b6b9e80e6ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6411d7e7507d93d38d9aa397ee7badf

SHA1
6be2fad04db0ada3483b9b6e90b744b2991e8dcd

SHA256
bdf5c1e581f1d73f320ac182c75dc67dbe72f23687c79626fbe9e428db994779

SHA512
b1314b6d6d7d815f42e273fce88bdebe7af82c6bacbc0e5c845e343c1f4850e84c4436c322e30a231f301b58c3dfca7acd206170b062b026bdd129b2e604b399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99d364fbc828b313272fd3fb5486ea73

SHA1
7d0a7bb91b6eb2d86b60fb782466cfbcd43ba8c0

SHA256
1ce4fec60465b99c755872295ceb8114fc7625708dffd2c47035d80ea8bc45f6

SHA512
a3cb80238415fd920d060cc5bb1afe56ae76c1aa09e9059ac28503dba0b295d44d5afaa72bbddaa3930df04fa5b5d6e436fdcc015b50f417df7e5ac3651f8a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa26638b9e0dd193b6146b4dff4484a4

SHA1
656a5f522f353241a3d09dcca4a0442d7e9cc740

SHA256
63b9397a18220376d1277fda44a291050967376620f8f18700ef7bd439432851

SHA512
0372fbe94a47a8f12d4c2a16de9c68f2b01a1d568f06dac715d08c79240462503347dc03951586871c2ec96e2059003ba62b2b38405839a5af6d9bd5ddb9310b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
061c43586e927ed9d5378a13ea8c8535

SHA1
3ba416393c0007ed7cab624ebe529aa4597b10fc

SHA256
ca78e130b0dfdca76ae7945275166f24bf6f0d4d0fe103bf124e34f2ef20d034

SHA512
1251e67da782219a31a53345a9490132dd4780ea2e9ee939c15b168f944b5407f2ad4911bc73e129b317ce6f5145273cff58df612265d818b4aed0752182f372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b67fe367de1313d3d392307ec2363856

SHA1
3cf0ab6ad8dbf418a39a28fb37ae3d18ae9416d0

SHA256
27b53ff18dac33ce52f8f9dc23d65d6e185d45918c98788fbb74a83f3a7ca8be

SHA512
b5376b381b674e5873da03169083ee88cdabd9644690477ac6f5d503cc5d54e0bf7d5c697e47c14da53aacfa2fefae3ae30ac1a8a740f654452fc0ec1f1ee2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f02a2a0d55f2dc66cbf422bfbfe5e7e

SHA1
d8906b60554766df565582c646ae94897440a4cc

SHA256
151b7846f1c0f30b685a31e46f62f5a6a2cf57717d571295090b44fedb6341fe

SHA512
b46718e6736016a61298c18611d16445bab9c99ec1a45e3418e02401757f22c917106ee06e6a234272f4b747cb54d0ec7a5397b87c71035d5cecb4a61ddf44c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7B89E91-F4DB-11EF-9F7F-EAF82BEC9AF0}.dat

Filesize
5KB

MD5
ae11376bc852103025e931f68028e643

SHA1
e71c94b4a039a24dac4da73f62136770e8ee13af

SHA256
7b40b532b23d46e05806d3e75ee68b393fe918ee26f6ddb65c7f3341040705f6

SHA512
a7f2d1dc7c62737086bdc485d76ea1a0815d61114f1373e222f9ac188be2733c42c2c96d1891f2358cc63a099c070d083c38f9dbbc6e6c3836d75b33a950e8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6D76.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6E28.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-27_e31325905017b1904803fba42993bbfd_icedid_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/2208-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2208-23-0x0000000002F10000-0x0000000002F74000-memory.dmp

Filesize
400KB

Download
memory/2208-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2208-20-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2208-9-0x0000000000250000-0x00000000002AD000-memory.dmp

Filesize
372KB

Download
memory/2208-4-0x0000000000250000-0x00000000002AD000-memory.dmp

Filesize
372KB

Download
memory/2340-36-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2340-424-0x0000000000280000-0x00000000002DD000-memory.dmp

Filesize
372KB

Download
memory/2340-39-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2340-31-0x0000000000280000-0x00000000002DD000-memory.dmp

Filesize
372KB

Download
memory/2748-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2748-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2748-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2748-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2748-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2748-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2748-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/3060-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download