2bd417420f1e8bfe093b494d564e75ade5e9c65d26219e12bcd999a3174d58a2

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
Size

2.5MB
MD5

6b771c004988c47e1a8e6d668a5fad2b
SHA1

03f2f3c2eb0c454fc8021a431469c1a695b8adca
SHA256

2bd417420f1e8bfe093b494d564e75ade5e9c65d26219e12bcd999a3174d58a2
SHA512

84728c987b1c5b7facb464976e8816dfb56b35b2e5332d67db3c780ac17f71b4ab412d7f02ae95ad6319016ff4827515d7131005cb2933ff75e74b0e50b9732c
SSDEEP

49152:XmvdgqxpQzgXQ3TooLeYN/yKiZ3pWBST1W5KiZn:IZpQzgXgkoLpN/yKO8OW5KOn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	NJBV.PIS

Loads dropped DLL 9 IoCs

pid	Process
2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	NJBV.PIS
File created	C:\Windows\SysWOW64\fuzhu.dll	NJBV.PIS
File created	C:\Windows\SysWOW64\shurufa.ime	NJBV.PIS
File created	C:\Windows\SysWOW64\ESPI11.dll	NJBV.PIS

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS
2372	NJBV.PIS

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
2372	NJBV.PIS
2372	NJBV.PIS

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2372	2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe	28
PID 2632 wrote to memory of 2372	2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe	28
PID 2632 wrote to memory of 2372	2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe	28
PID 2632 wrote to memory of 2372	2632	6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe	28
PID 2372 wrote to memory of 2488	2372	NJBV.PIS	29
PID 2372 wrote to memory of 2488	2372	NJBV.PIS	29
PID 2372 wrote to memory of 2488	2372	NJBV.PIS	29
PID 2372 wrote to memory of 2488	2372	NJBV.PIS	29

C:\Users\Admin\AppData\Local\Temp\6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6b771c004988c47e1a8e6d668a5fad2b_hacktools_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\NJBV.PIS
  "C:\Users\Admin\AppData\Local\Temp\NJBV.PIS"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJBV.PIS

Filesize
2.5MB

MD5
b20ca5fbf353102e4bf65ade9ce45362

SHA1
892c2f55cd3064277ddb89a041b7e88756feae07

SHA256
067d67fca7b5b577720e69411e66d4dedfabc8d1fe508f14068be44fe776b402

SHA512
39238e836c5b6fc6b4e4f010ca48d39def5fcea25770406600a211431f3ad691d139ae9d50850f70a9cdd47bcb809082229eb63cdb5647973b4e94ee04ac57d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJBV.PIS

Filesize
2.5MB

MD5
b20ca5fbf353102e4bf65ade9ce45362

SHA1
892c2f55cd3064277ddb89a041b7e88756feae07

SHA256
067d67fca7b5b577720e69411e66d4dedfabc8d1fe508f14068be44fe776b402

SHA512
39238e836c5b6fc6b4e4f010ca48d39def5fcea25770406600a211431f3ad691d139ae9d50850f70a9cdd47bcb809082229eb63cdb5647973b4e94ee04ac57d5

Download Submit
C:\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Users\Admin\AppData\Local\Temp\NJBV.PIS

Filesize
2.5MB

MD5
b20ca5fbf353102e4bf65ade9ce45362

SHA1
892c2f55cd3064277ddb89a041b7e88756feae07

SHA256
067d67fca7b5b577720e69411e66d4dedfabc8d1fe508f14068be44fe776b402

SHA512
39238e836c5b6fc6b4e4f010ca48d39def5fcea25770406600a211431f3ad691d139ae9d50850f70a9cdd47bcb809082229eb63cdb5647973b4e94ee04ac57d5

Download Submit
\Users\Admin\AppData\Local\Temp\NJBV.PIS

Filesize
2.5MB

MD5
b20ca5fbf353102e4bf65ade9ce45362

SHA1
892c2f55cd3064277ddb89a041b7e88756feae07

SHA256
067d67fca7b5b577720e69411e66d4dedfabc8d1fe508f14068be44fe776b402

SHA512
39238e836c5b6fc6b4e4f010ca48d39def5fcea25770406600a211431f3ad691d139ae9d50850f70a9cdd47bcb809082229eb63cdb5647973b4e94ee04ac57d5

Download Submit
\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/2372-83-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download