Analysis
max time kernel: 156s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-04-2022 18:02
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: b73f8697.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
Note: the memory-dump paths in the Signatures section below belong to behavioral2; only behavioral1 appears in this task listing.
General
Target: b73f8697.exe
Size: 36KB
MD5: 3e849d9099875258dd84050b9ea2623c
SHA1: f9911bbd98816cb29d03780e4f749cbd876b2f7e
SHA256: 0ed6e961a7bcebf37764de044209710dc23a004a9e2e51fe8e778df87e64819b
SHA512: 56c58462607b47926024b68fc9932326565113c5bd491bfec3f0a426cd70d6307a3abd97646220d870591c61d17982bd7c56e351166469dd90ca0b0931876ec2
Malware Config (Extracted)
Family: icedid
C2: dekeoipsi.top
Signatures

IcedID First Stage Loader (2 IoCs)
YARA rule IcedidFirstLoader matched in the following memory dumps:
- behavioral2/memory/408-130-0x0000000000550000-0x0000000000556000-memory.dmp
- behavioral2/memory/408-133-0x0000000000540000-0x0000000000543000-memory.dmp

Drops file in System32 directory (6 IoCs)
Process: svchost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0A835BC2-5A99-4161-A861-A816A7B18388}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AD3BAFD4-E1B5-4491-BBBA-9EF104278C6C}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EF78B6CE-2631-4D13-877F-8F8990BBD2E7}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8756B741-1501-4C73-82B8-BF4698322925}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9577B919-8D4F-4A68-84E9-8B4194EE8EB3}.catalogItem
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7E30D7CD-E09B-406A-8910-A26C06A88E28}.catalogItem

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: svchost.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry (2 TTPs, 2 IoCs)
Process: svchost.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes

C:\Users\Admin\AppData\Local\Temp\b73f8697.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b73f8697.exe"
  No signatures attributed to this process.

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry

Note on attribution: both processes sit at depth 1 of the tree, so svchost.exe -k netsvcs -p is not a child of the sample. The three file-system and registry signatures above are attributed to that service host, not to b73f8697.exe; the only signature tied to the sample is the IcedidFirstLoader YARA match on the behavioral2 memory dumps, and the extracted C2 domain dekeoipsi.top is the indicator to act on.
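The following is an added worked example, not part of the sandbox report or of the sandbox vendor's tooling. It re-evaluates the report's three behavioural signatures over the events transcribed from the report, uses the process tree to separate IoCs raised by the sample's own lineage from IoCs raised by unrelated system processes (here, svchost.exe), and parses the YARA memory-dump names into PID and region sizes. The rule regexes are this example's own approximation of what the signature names describe, not the sandbox's real rule logic, and reading the first number of a dump name as the PID is an assumption.

```python
"""Re-evaluate the report's signatures over its own event log and process tree.

Added example (not the sandbox's code). Events, paths and the process tree are
transcribed from the report above; the rule patterns are this example's own
approximation of the named signatures, not the sandbox's actual rules.
"""
import re
from collections import defaultdict

# Events transcribed from the report as (description, ioc, process) triples.
_INSTALLSVC = r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService"
EVENTS = [
    ("File created", _INSTALLSVC + r"\{0A835BC2-5A99-4161-A861-A816A7B18388}.catalogItem", "svchost.exe"),
    ("File created", _INSTALLSVC + r"\{AD3BAFD4-E1B5-4491-BBBA-9EF104278C6C}.catalogItem", "svchost.exe"),
    ("File created", _INSTALLSVC + r"\{EF78B6CE-2631-4D13-877F-8F8990BBD2E7}.catalogItem", "svchost.exe"),
    ("File created", _INSTALLSVC + r"\{8756B741-1501-4C73-82B8-BF4698322925}.catalogItem", "svchost.exe"),
    ("File created", _INSTALLSVC + r"\{9577B919-8D4F-4A68-84E9-8B4194EE8EB3}.catalogItem", "svchost.exe"),
    ("File created", _INSTALLSVC + r"\{7E30D7CD-E09B-406A-8910-A26C06A88E28}.catalogItem", "svchost.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "svchost.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "svchost.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "svchost.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "svchost.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "svchost.exe"),
]

# Process tree from the report: both processes are at depth 1, so neither has a parent.
SAMPLE = "b73f8697.exe"
PARENT = {SAMPLE: None, "svchost.exe": None}

# Signature name -> (event descriptions it applies to, regex on the IoC).
# These patterns are the example's own reading of the signature names (assumption).
RULES = {
    "Drops file in System32 directory": (
        {"File created"},
        re.compile(r"^C:\\Windows\\system32\\", re.IGNORECASE)),
    "Checks processor information in registry": (
        {"Key opened", "Key value queried"},
        re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.IGNORECASE)),
    "Enumerates system info in registry": (
        {"Key opened", "Key value queried"},
        re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.IGNORECASE)),
}


def match_signatures(events=EVENTS, rules=RULES):
    """Return {signature: {process: [ioc, ...]}} for every event some rule matches."""
    hits = defaultdict(lambda: defaultdict(list))
    for description, ioc, process in events:
        for name, (descriptions, pattern) in rules.items():
            if description in descriptions and pattern.search(ioc):
                hits[name][process].append(ioc)
    return {name: dict(per_proc) for name, per_proc in hits.items()}


def descends_from(process, ancestor, parent=PARENT):
    """True if `process` is `ancestor` itself or one of its descendants."""
    current = process
    while current is not None:
        if current == ancestor:
            return True
        current = parent.get(current)
    return False


def attribute_to_sample(hits, sample=SAMPLE, parent=PARENT):
    """Split each signature's IoC count into (raised by sample lineage, raised elsewhere)."""
    summary = {}
    for name, per_proc in hits.items():
        mine = sum(len(v) for p, v in per_proc.items() if descends_from(p, sample, parent))
        other = sum(len(v) for p, v in per_proc.items() if not descends_from(p, sample, parent))
        summary[name] = (mine, other)
    return summary


_DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")


def parse_memory_dump(name):
    """Parse a sandbox memory-dump name into task, pid, sequence, region bounds and size.

    Treating the first numeric field as the PID is an assumption about the naming scheme.
    """
    m = _DUMP_RE.match(name)
    if m is None:
        raise ValueError("unrecognised memory dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    hits = match_signatures()
    for name, (mine, other) in attribute_to_sample(hits).items():
        print(f"{name}: {mine} IoC(s) from sample lineage, {other} from other processes")
    for dump in ("behavioral2/memory/408-130-0x0000000000550000-0x0000000000556000-memory.dmp",
                 "behavioral2/memory/408-133-0x0000000000540000-0x0000000000543000-memory.dmp"):
        print(parse_memory_dump(dump))
```

Running it reproduces the report's IoC counts (6, 3 and 2) and shows that all of them come from svchost.exe rather than from the sample's lineage, which is why the YARA match and the extracted C2 are the parts of this report worth acting on.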