Overview

overview

10

Static

static

3

2025-02-27...it.exe

windows7-x64

10

2025-02-27...it.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe

  • Size

    867KB

  • MD5

    2d5e92d6c90ef3ec07d26b04c5a3a1fd

  • SHA1

    30c554d183c709b2701cc91b4527775abb33ab74

  • SHA256

    d27cb7a2bf0aa4d7d49c68555084595f433897992b39a8b61f59b9056b74287b

  • SHA512

    0953e2a402ea8b71708de4bd3df365de135bb7bcebcb5e53919acff4c88cd881b898a057eddac156f057560158057a65c4d051db955a0b1e915565d3a4588fa2

  • SSDEEP

    12288:MASJCsqQtu95V4WUA+6dH1G0p+MU7bo24wmLsG/RgRQrUrF2ClG+pG/YR:MACeQO5V4WUA+6dHN+l9ZL5rF2igYR

Score
10/10
goziramnit5020bankerdiscoveryisfbspywarestealertrojanupxworm

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214131

Extracted

Family

gozi

Botnet

5020

C2

settings-win.data.microsoft.com

accrualdewd.xyz
Attributes
  • build

    214131

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275458 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2560
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:341001 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2880
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    60de78b01aa4ffea87a100311d54d1ea

    SHA1

    ec2086bfaec2582542d68390b0f0441531639b6d

    SHA256

    68bdc0ca02cfe5d2d4e50863c9ccbe404ff29ddade86b00c7a00b73b958ff887

    SHA512

    82749ccf8c7790dbfd5d92593823ec379f892eb050b6f8aab06bf1d3f6976ccb68f927009a578c1aec34e1a84a2d1ba316f6fe07c99552dbbf7493c551744d08

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    11a51f56b631d30a4f1bb95a8c2e2e29

    SHA1

    69df6ea420fbdda89f1ed3595bd5eee7472f68d8

    SHA256

    b0e139ff6ffcbb6a1f18a262d39ea68f7944b549ee96444cfcc04b0401ec79bf

    SHA512

    01095466dc262861911a54ba62e0213e2db8048c296b06a99eb8cd05d0e8516fa73e39ec04b7f715b34230059f25643d58afd9f66c9244b27be9dec9e18bf61a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d7795e9cea72d772a505025e3dce7d38

    SHA1

    99a0d188b3d1c04348c6daf1d0917dea730f7ce0

    SHA256

    df42c2f4b0c55a2ec9dc1dd4c5d71780b9e343c7e728a9e5064987365a4f6d48

    SHA512

    28470d1b3c6f38414bb433737b0edb1040a4057641624f7ca8052e77ce37d7ca522ff750f9ba5b6bce9ffd11d2033c152bf2f5cdd1093c5878eb90d3664ad505

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c6b353fcef10b961e5ae713e6d49925e

    SHA1

    ca1e8af07e01ab6f9273c3290d7b7ad72a35eee2

    SHA256

    6be42c1cb124566b61f5a6346d7e5a507f822ed545b638cdac36d9b9247b155e

    SHA512

    6a6058e5ce333290e7a094a680833d19ccc9ac5fcf97b72433e8a0492022b8dccd9c288713595f1ed420dfa9b2f7e8c31ec27a0d066dea0f8954ebbe88cce762

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    761012822f5148ee41343ae41a66786f

    SHA1

    96f8d485f1022de9a1bfb0c4ed392e143bc84b08

    SHA256

    c78c3a5b43ee7c9260f9e1fc761ad990eac29fa460e6e2fea3876b528a9a7252

    SHA512

    511c2073203c8153d35d26669479536c5a389a27f1f34adae44de4afe888b2f73014553826a7d7f8ce06bfeef50ca913988cf447ae20a8fc0110649b5ad870e6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e2b4ffb5ab9326bf4baa2e4955b6ceb2

    SHA1

    3efb9c8a964f678d52996e26fce71f59ca321877

    SHA256

    c9ef56dabaa2f2210f2c78aba5c47fb6717970ae3ebe9c3d0f1f302d904d4de1

    SHA512

    1d941f79cccbe3ce06ba230d995f5fa66252bfb4b8e4e20767f152ffdc707577416ef96faa0639cfa4e39071c65f77c53b6c762fe2eebfb4ac47fdcd6d169abd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    993360a6637d034ec69ded44dbb1a526

    SHA1

    b9813d3e362c936f8ecb66fffd4a2b8fbaf3a690

    SHA256

    44459dddeaa541e5c18d0d639bd72c4c0abdb460ba879af9ec84c3b7923d99dc

    SHA512

    9b0aa9fb25e83c4abc9b47edac1ba81db75ca9e717aa1a2125632201294c19f2815716c3a05487a0d46535bb6f79ca647415131b1a075dc2cdf823eec2b332a9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    16648422b2605fbf9938b4a6b9714739

    SHA1

    b8d7d7fc065391eb260c63f187a49ac941d02728

    SHA256

    03e322bb4f54044cfb4db0600d9546cf3f65469d2c5e902235e6dbe51b45c665

    SHA512

    bcf710b7383364d854546328441bd147ecbf739bae4436cf90150ca7aea0139640efd5225a0f76e0729687ce2dec4b6cc3c722c318d9233f49bcc928555266f8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7383f67ee0b789ed3393e59631ebd5fb

    SHA1

    414b7e3be0aa70910b9f41b9dfe4bb07dd7c28cc

    SHA256

    ff45fd3b2e2928ec02545d96b54513ace9bc60666a18c49c61147c6e7abc055e

    SHA512

    e6fbe322d85ea7bce7b0b324033c182062a65702cafd794db53697dfbf5df4071a5c3e79cbc5d6666fb61bfe48bf89333cd13bf9fc28276e658c56d6a50eebda

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    87ea17c44ec1f4bc7c6866d946314984

    SHA1

    25e3aa07d69b27a3f3ba90e2c1e6810f417091f0

    SHA256

    2517754210b55fb047042fda811ad163ae98221be0f94b2a6bb111b85142604c

    SHA512

    5f9ee14e040a95da8737420b5184bae1ef4b487f3387133966ac8fb9ab85b21414351464439f9833772fd4186747cde4fb24cfc9a90ba358d9d9b98da1fe19dc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8eca26d5b090327681572e219a549f9d

    SHA1

    fc802d1d8f19f891bc5888ddaa74a22a19aec9bb

    SHA256

    ed2fa934bd1eaa2e9418e53833b7e9da7bfce89aa61ac824ebb8af6b741eb938

    SHA512

    1e69407d60408c076f72f8d5a1defa73dec6bf18539be2ac0c90d8b66d1e573e1a7b3a96a544e6d45bc06920eab75c905304294143f0e779813a658c5e77d20b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5655606f1f07135c4f60dd8080e95776

    SHA1

    822e92d33fbdf6529071ecf8f05960454d3dfb0d

    SHA256

    297557532f2aad4daa8cda62890a82cf8891f0243fb01d7b5e69d2db3ba3157d

    SHA512

    c47a95b45d0b0b63a02f61d5f8c75812d48c1d576f869cd015ce2a96a71092813a33d1b4f9678385964d657a1ac3ef42a784acb070e108f5172584f7077c2790

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e816ddf4298a61fac1659c83a7001f90

    SHA1

    76ef74e846593f45d1dd9cd4e2a4a4faa39d4182

    SHA256

    efd569e3097720f8ae90afb4bbf2b7ddbac7896f3c052a487a205921fc56f668

    SHA512

    8bb6adf059bd6becd8d9d0dc9063f47420eb5eef7988425824160164ae00f760e2c74f830561328397f0b7331d457d2a028a819b4157a4341f2eb78637ff519e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    068243e0f0d76db6d8d4ecac84b78a3a

    SHA1

    5c27c8f543abb6f35420e973f83b973407da319e

    SHA256

    6df21d9aa712bcf4900122aa7048e296f7b970c40eeddd9b6cd5c229b4430717

    SHA512

    d629fcdfdfe0874425929e2360a6bae88a13ebe12081062b449a2e7f65db51cb4c10c2259f7620fa02a2017b351e586800612a7e25e711eaa2c60cfb27b82b9c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    81b194b4e49f9d96953a108fc6131f85

    SHA1

    d48fc06242459305bc83064f7271d744e99ec872

    SHA256

    4913503ee991504b1466598cc7f310a9eaaeb8e1de7cb755de73980bcfb28651

    SHA512

    77aba44a96b6dca5ef42b8d278e77b4f08652d3ba9072d8653f3370e0a1af24e7e370295196b5cc6c11ee0c98498c2fe32da4f92172d61c870fda7464029f5ef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b8a95194ee451dabe5dc60d64f2fe17d

    SHA1

    491feb631ffc53c523f38a43396800e251269695

    SHA256

    2e214032d00ff862debab3f1ad4cc59eff4a010225814008214cae6c135e209a

    SHA512

    c45b8513c0f41b03e13504c11b8942bbb9d950a8d10cc411256f2ace45d09330e80d73de48eb956321e96a1f9abab59b006a3ffd27c749b94c410399c43e70b8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    01022324ddcd9da9fcb47577e63fc318

    SHA1

    546f2d87d3bc012914c5502bf9eabe1e6a0f2096

    SHA256

    dd2dddd5a0d173379fe69791dbc03ef7b7fcd07b440d9dd8105e95132c07c4d9

    SHA512

    6a06175d6f3bb5d00794e58844aad4304d1aa3cfe3db5a835f2125e7ad223f4fb79360a95ecb9ef5f3b13f91f0bc7b9bd7133318d3eca21536988c17bee626a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fe731bab08ac34374fe33a588ac769f1

    SHA1

    f29998195c0a44b7bc845ec663fbd0a3bd0fa152

    SHA256

    ac5f79f097feac0b3f04db3bebcea721349dbf74970518f94df2fdb5cf0fdc96

    SHA512

    b69ea69d9fb3e0f83282ba0d11cc715de9ad9ff8d13e93bf7722705a35e0fa6fbe9e3453657c59617adf44464fc5c21ddc7d0ba563fb202ba908d1e16a08df9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58F6DF31-F4D8-11EF-8B74-7694D31B45CA}.dat
    Filesize

    5KB

    MD5

    81b23ea694e98b57e8a6d3de50e9f52e

    SHA1

    373dba1f7caa1d6a5ae6ae37b71ed23405755ea7

    SHA256

    b14866b1e81a707b98808973d7184de91ef92df14db180b8a7754fa4d18fea44

    SHA512

    5e531f4ee7a952c2086d803167aba05a36784f82120e985565797a03b36e777b8042fbfdca70004674c877635c355ac3a029cb2de880c6ad086858fbd409fa1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7FD.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar94E.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/2228-16-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-14-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2228-12-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-13-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2228-20-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2228-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2228-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2892-499-0x00000000002A0000-0x00000000002AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2892-4-0x0000000000240000-0x000000000029D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2892-0-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/2892-503-0x0000000002280000-0x0000000002282000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2892-502-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/2892-496-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/2892-497-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/2892-9-0x0000000000240000-0x000000000029D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2892-495-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download

  • memory/2892-988-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

    Download