emotet | 49eb3d77a83f3494b5933b60ce11ab6075b8d6a2674419d0373e4db4b393d6f4

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
Size

340KB
MD5

16f607f50c71eef0d907a0ddef51485e
SHA1

de1506f087ff03dab72c0a68157c5e9fadbf53e2
SHA256

49eb3d77a83f3494b5933b60ce11ab6075b8d6a2674419d0373e4db4b393d6f4
SHA512

c1bcb48f1a72eb4dba8c5a8a4e59a5110eee13be08851d3939274d48f93e6b8a3259cd1b1f56601f45ad22b3917a69e7e126092e95a50b540687ddff7f21e617
SSDEEP

6144:u5FFvya+l8bhG88U5Q4BfbQg7Iuxdu0ZeGbfUTpYDDmu/+3fb7:sbya+l8b/5lEg7PvAG+pG/Y7

Score

10^/10

emotet ramnit epoch1 banker discovery spyware stealer trojan upx worm

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

219.92.13.25:80

91.236.4.234:443

192.241.143.52:8080

186.3.232.68:80

192.241.146.84:8080

12.162.84.2:8080

50.28.51.143:8080

221.133.46.86:443

185.94.252.27:443

114.109.179.60:80

186.33.141.88:80

172.104.169.32:8080

184.57.130.8:80

177.139.131.143:443

77.55.211.77:8080

81.169.202.3:443

72.47.248.48:7080

212.71.237.140:8080

190.229.148.144:80

178.79.163.131:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2656	shfoldermgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
2720	shfolder.exe
2720	shfolder.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shfolder\shfoldermgr.exe	shfolder.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012101-2.dat	upx
behavioral1/memory/2156-10-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2156-14-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2656-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2656-35-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2656-33-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2156-40-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shfolder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shfoldermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447481029"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B00C5AF1-FB06-11EF-9C86-EA7747D117E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B00EF301-FB06-11EF-9C86-EA7747D117E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2656	shfoldermgr.exe
2720	shfolder.exe
2720	shfolder.exe
2720	shfolder.exe
2720	shfolder.exe
2720	shfolder.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
Token: SeDebugPrivilege	2656	shfoldermgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1916	iexplore.exe
1820	iexplore.exe
1820	iexplore.exe
1820	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
1916	iexplore.exe
1916	iexplore.exe
1820	iexplore.exe
1820	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2720	shfolder.exe
2720	shfolder.exe
1820	iexplore.exe
1820	iexplore.exe
1820	iexplore.exe
1820	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2156	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	30
PID 2436 wrote to memory of 2156	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	30
PID 2436 wrote to memory of 2156	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	30
PID 2436 wrote to memory of 2156	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	30
PID 2156 wrote to memory of 1820	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	31
PID 2156 wrote to memory of 1820	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	31
PID 2156 wrote to memory of 1820	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	31
PID 2156 wrote to memory of 1820	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	31
PID 2156 wrote to memory of 1916	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	32
PID 2156 wrote to memory of 1916	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	32
PID 2156 wrote to memory of 1916	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	32
PID 2156 wrote to memory of 1916	2156	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe	32
PID 1916 wrote to memory of 2200	1916	iexplore.exe	33
PID 1916 wrote to memory of 2200	1916	iexplore.exe	33
PID 1916 wrote to memory of 2200	1916	iexplore.exe	33
PID 1916 wrote to memory of 2200	1916	iexplore.exe	33
PID 1820 wrote to memory of 2740	1820	iexplore.exe	34
PID 1820 wrote to memory of 2740	1820	iexplore.exe	34
PID 1820 wrote to memory of 2740	1820	iexplore.exe	34
PID 1820 wrote to memory of 2740	1820	iexplore.exe	34
PID 2436 wrote to memory of 2720	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	35
PID 2436 wrote to memory of 2720	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	35
PID 2436 wrote to memory of 2720	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	35
PID 2436 wrote to memory of 2720	2436	2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe	35
PID 2720 wrote to memory of 2656	2720	shfolder.exe	36
PID 2720 wrote to memory of 2656	2720	shfolder.exe	36
PID 2720 wrote to memory of 2656	2720	shfolder.exe	36
PID 2720 wrote to memory of 2656	2720	shfolder.exe	36
PID 2656 wrote to memory of 1000	2656	shfoldermgr.exe	37
PID 2656 wrote to memory of 1000	2656	shfoldermgr.exe	37
PID 2656 wrote to memory of 1000	2656	shfoldermgr.exe	37
PID 2656 wrote to memory of 1000	2656	shfoldermgr.exe	37
PID 2656 wrote to memory of 1592	2656	shfoldermgr.exe	38
PID 2656 wrote to memory of 1592	2656	shfoldermgr.exe	38
PID 2656 wrote to memory of 1592	2656	shfoldermgr.exe	38
PID 2656 wrote to memory of 1592	2656	shfoldermgr.exe	38
PID 1820 wrote to memory of 2920	1820	iexplore.exe	39
PID 1820 wrote to memory of 2920	1820	iexplore.exe	39
PID 1820 wrote to memory of 2920	1820	iexplore.exe	39
PID 1820 wrote to memory of 2920	1820	iexplore.exe	39
PID 1820 wrote to memory of 952	1820	iexplore.exe	40
PID 1820 wrote to memory of 952	1820	iexplore.exe	40
PID 1820 wrote to memory of 952	1820	iexplore.exe	40
PID 1820 wrote to memory of 952	1820	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275464 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2920
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:668676 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:952
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2200
- C:\Windows\SysWOW64\shfolder\shfolder.exe
  "C:\Windows\SysWOW64\shfolder\shfolder.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\shfolder\shfoldermgr.exe
    C:\Windows\SysWOW64\shfolder\shfoldermgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eea324500f79b0382dd951a39ee70a5

SHA1
56a8218651362fa64af495bb3383ecd990b98d29

SHA256
3bdf219e3f18399e0557eae9274fcf7cf3cae6e235197139d0890b2efe03ce21

SHA512
c187a74978eb51fba5fc2967b8217da7b868e62573087992c37956828e753c19e65e4138c5e82ad748884bad8d367f8de7c14455b35230018c98882d86c80809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0dfe7e60ce30a2308352ec852b5cc6a3

SHA1
35e5ec468cb7468b2c576f5fbaf2aa4cd89f6f6c

SHA256
5298fbc7e7e3d6738b8209dbd2bb136293535cbe0d27674864932728b140cd26

SHA512
7c8fa24e53371904b148d367007b7976eb72ea57788e1c3bb34e2a18afb91dba7c8384c13d622ee32cd6d7ffae8844a8e20bd023e30c2ce808db64e3da7a378f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba98e17dc8debaa7c45a55cd714c0f86

SHA1
5f50d7a0a1500be8e3948dca734adc86572f7ea1

SHA256
10e3acb80b55cc5f2c040d7be3d98f77a279173435b85527622a810f5ca7a74d

SHA512
b0ce045740c6ff2974c4b5527110bfc38e235647a10466cbda5cc28e219ffeae2c02cb5d2d50c5012e89ae7fa341be28721455b12bb4f07dbb63823e235fc535

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb7925f7283b6d9cf800a517a0e831e6

SHA1
e13ee5638b9e25907595c07f0ed75634a69d71c5

SHA256
f18eee6328ef60c7702c8ba5e100d6f89443ce55db0f2274ed5f853d6619422c

SHA512
6aee549106d6edda1c7695bdb170bbd945d2205e03ee4ddbca0142e6e8815c73d656eccadc8f3d444338d8fe13daa5a8cd31c9ad06ab9bb49a6455a0811333f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
acdfef29186589a4a4c84608dc91c344

SHA1
fc19c702428b9a8d3f1c567b8e5398305abaa6a7

SHA256
0890265baf8f0cc2721f6768b702000243a4a7755743ea0b6a6ed3227bbbed2d

SHA512
84d1d3ccd4df25b2165eee6cc2c85f725e4c4113c83eae356232f95e6ae064d02ccf302b9005295945d3a932768fe17d4e213f49e5ecd06993be83dd5ca7ec60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19a05ada56bfca98855ae951c3a7a6f4

SHA1
364e3cdb698a0b573fa53ab7b82024bae11bd693

SHA256
71269e035505492469399578162e7fbb90b9be39831e9733ab5629468d8c14e0

SHA512
ddaace356dc44bdc1ac25f8ca31a3157227a093bddc4f2647253b6bb07a8ccdd805e670b563f0314858d73ab6dcdbe22136cac60c93f459503e8c67498a11912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3193905156191194e6ffba0fcb8b65ac

SHA1
7e271a99b15716f8f8e815f33900703685d417c2

SHA256
abf91c71450f55c4a1055476baa85c306f45369d0ea9edb93a081b53cb42e83f

SHA512
68520d102a8803fca5edbfe7ce8d12e3135d6e968f237fea81c3bee11cd0c93592d33e77dfbdae8e7e919752dca011dec2a2e34dcc4bfa9bc7846491dad00e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afb447e6fc3fa839a9f1721d4a2baff8

SHA1
4996a49f4759b5373012dd08a600a5210fa51c4b

SHA256
8c3e7fe0d29b760d4954600a2101078b7530fc4ba71e6c185d8d254a4de42312

SHA512
700d368d956d340db43ebd3192d90349960cff2e6a0547e91c8e716c0aa0f92c038cc5e4098c6c2dc18904fcee09979f73ac0cc8c6393b5f1dea7e57539a23b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62e7d3f2b9c39f212e0b4015f3fcf76a

SHA1
38edcd0af276d08c253001e00e1818db09857ac8

SHA256
a251c7f6f1889969f96ffb76995e969ca4409415030d205a90cbdde5cdbefc07

SHA512
9cc01b324fed13f8c4ab1faf1efbdfddbc2b7a7c0e30dec46c5b78274d04d1de716e664be931875b1561acfed19e00d6bd4c1d2147db2906d2edcd639a265a69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18591b6bf4b8b952830b26d1e97f1d8e

SHA1
0ad12653819d3abe3591e82201e4c005dbf56329

SHA256
a2aa41c7041aa1ddebeb99dd15759e770985deac75afca15a7d504dbe363fa35

SHA512
9decf3b53da76a6952adb3f1e9019712889f74000a7612679dd6e97f27de0e665e539b2108cb8ca377123349c51b74f7ade36237baed03a9609603da7c402254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c49c35aedd90fa7a17384232fb560124

SHA1
3bef659c6444959705cd182674ec7ab89ead7b91

SHA256
c5f034817bf89067f3bff55382e256a41a39b357349b644d6c2bffbf4eab7ed1

SHA512
f6e21fbb3384e02db6450b241e33406bf87fa4cf22c7d7ed4c095a08bd7d6663772718a9a7b4f91e1967314dac57f4e50d73a7203298024d9a46fb93d8b69b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d54c14ce56d5901d30e9bf1008a3540

SHA1
7b13e73e12b525088687fc67ff528e32ef064c76

SHA256
36e378bb496434d5c960128b630f297ddd47da1c5c98393f5ea3836c5035ed5b

SHA512
0a6275a7a8ca994c92df82123244f9d43333a65addd2a1ea5efa9663fb594c3fb8c6a3d7b98a2e58260be21f76ba56458fcf9400dd24e02ce92720190d8a70f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
114be228611ea9b288f9982f9491e2ca

SHA1
beda4d250facd9554d81d6aff8e7624d996589d6

SHA256
61586b5222e2dce8ce0c5199421baa8b6de5ed004c18f031aaf83570310a361a

SHA512
d534fcc27d6d96c731f76a6da07baeb20f92547ba3153252be8f7d7978b10ad640d65798560b131d5a4a006584710686981f01f0f7bea9bf75005fc7822fa693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4803441e7ed91acc947e0043b090c62e

SHA1
92c9d068e864f675590ab37af119b288e6d94568

SHA256
4a0650e785c8cf24e3de3e53c5e7df4d1e14c4a66f08b61845cd8b811db0c198

SHA512
5ac5862514dcf361a836d24a8f9334d38b50ca0e7fa1930ad06a8f648ab30ed8390dfa454e3c9fc087a739018174cc04ae5280dc28cfae8a6c1eab425d9181a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35338449fafaad0b4078ec6288fe6c9f

SHA1
44a92e9285ae34d7670a5463bca6e70bb29aca21

SHA256
ae3e613a3cdb9081606be4ec85c3c7dfa1a5911370a03629781f1e572fca42ec

SHA512
e0b580c864ecbccdab889bda997e952834bb1199d74b96cb0bfcfe4b7a60139255dba664c1035ae67a7df458193a07a39da8a07b2c50c1a7ce6a765520744d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4cfdf3bcfa6ad0b5deb7e0cbd6a2b16

SHA1
fd9d3c25c8baecf80fb22c0c3db7ef77453597c6

SHA256
5cd18faa0d99657cf2d55a838aef8ffffb7967e8ca99b3e88e7c5a94fcd24575

SHA512
dd522b0d1cc72134645cb3a4eafba5e33f418f7d34b70ec855381b89e3169cc63d3de4f282c196eb9c951e53b2b75cd304ff29360dfa277ab85a1e3f18e1d44b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
726d46bef2353a7655d0e236d1ad5dd6

SHA1
be17b83df99cfa04e70013258b45093c6d3cfd55

SHA256
85249a64461ab8b80e2af55cc11241902c7705d9684abc88af5495d3b2cd149d

SHA512
566a890a8c39ddcd0eac96b3140590a0ee9cb76a2466d1adccce16c120d8f6faa7b6aeb71140cf5361335107af225e2acd943cef06e5a8e38751ba6225fcd93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B00C5AF1-FB06-11EF-9C86-EA7747D117E6}.dat

Filesize
5KB

MD5
b3c800b385e7d166705553c211e1c86b

SHA1
0f7cade4d4191e7b50501199f4c84e448c16dd3c

SHA256
601b948288acfb058f2488c62001bcc11c4c8c69d440d2d0965820254fdbf1a9

SHA512
470e1a4c21b7f048006359d2ca98a7a96dcbf1a201ddae75ae2c5fc379316e2455c1025fe8a359a3910d72ec94d2ce75e107778acab5e883dbd047576bc1cd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB906.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9C3.tmp

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB9F7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\2025-03-07_16f607f50c71eef0d907a0ddef51485e_icedid_ramnitmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/2156-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2156-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2156-10-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2156-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2156-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2156-12-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2436-18-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2436-4-0x0000000000320000-0x000000000037D000-memory.dmp

Filesize
372KB

Download
memory/2436-21-0x0000000002ED0000-0x0000000002F29000-memory.dmp

Filesize
356KB

Download
memory/2436-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2436-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2656-32-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2656-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2656-35-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2656-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2656-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2720-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2720-36-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2720-41-0x00000000002B0000-0x000000000030D000-memory.dmp

Filesize
372KB

Download
memory/2720-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download