9701949f6feff9efc4f5ffb49ec8da30711fd2daae2efcdc9b920323edb6c5ce

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06-08-2023 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
Size

2.5MB
MD5

8cbf890575e594d7900f873e9366ab4c
SHA1

144fdf596dfb89018cf220c6f39293cb4afa81b6
SHA256

9701949f6feff9efc4f5ffb49ec8da30711fd2daae2efcdc9b920323edb6c5ce
SHA512

a0c3dcf75f788553c48d68c36215b94f9a5706ed13f6a558ced83221b048cf3cb3b10e4d01abd5e4df6fb6f2ba778995e9e0e5a2a2204fe3dc57194f521c3b1e
SSDEEP

49152:XmvdgqxpQzgXQ3TooLeYN/yKiZ3pWBST1W5KiZY:IZpQzgXgkoLpN/yKO8OW5KOY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2400	VVOM.OYFA

Loads dropped DLL 9 IoCs

pid	Process
2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shurufa.ime	VVOM.OYFA
File created	C:\Windows\SysWOW64\ESPI11.dll	VVOM.OYFA
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	VVOM.OYFA
File created	C:\Windows\SysWOW64\fuzhu.dll	VVOM.OYFA

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA
2400	VVOM.OYFA

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
2400	VVOM.OYFA
2400	VVOM.OYFA

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2400	2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe	28
PID 2912 wrote to memory of 2400	2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe	28
PID 2912 wrote to memory of 2400	2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe	28
PID 2912 wrote to memory of 2400	2912	8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe	28
PID 2400 wrote to memory of 1352	2400	VVOM.OYFA	29
PID 2400 wrote to memory of 1352	2400	VVOM.OYFA	29
PID 2400 wrote to memory of 1352	2400	VVOM.OYFA	29
PID 2400 wrote to memory of 1352	2400	VVOM.OYFA	29

C:\Users\Admin\AppData\Local\Temp\8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8cbf890575e594d7900f873e9366ab4c_hacktools_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\VVOM.OYFA
  "C:\Users\Admin\AppData\Local\Temp\VVOM.OYFA"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VVOM.OYFA

Filesize
2.5MB

MD5
bf4778b9fc5abcc051402eae2adfa9a8

SHA1
228017aaa41b45e3567c6ea509f0095c615ae215

SHA256
b131bf369d9453bad6ed8d3502a4f843f55d0b7db617f90bb412ae385f0d8399

SHA512
d0ea9ed264c9b5051911f900b188bb7b12dd37a93f072a6b16d8c3115d98c81f86ef87976b2cf697bc174e71bfeddf36ba84ac9915b9006cca76cc69226ec25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VVOM.OYFA

Filesize
2.5MB

MD5
bf4778b9fc5abcc051402eae2adfa9a8

SHA1
228017aaa41b45e3567c6ea509f0095c615ae215

SHA256
b131bf369d9453bad6ed8d3502a4f843f55d0b7db617f90bb412ae385f0d8399

SHA512
d0ea9ed264c9b5051911f900b188bb7b12dd37a93f072a6b16d8c3115d98c81f86ef87976b2cf697bc174e71bfeddf36ba84ac9915b9006cca76cc69226ec25b

Download Submit
C:\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Users\Admin\AppData\Local\Temp\VVOM.OYFA

Filesize
2.5MB

MD5
bf4778b9fc5abcc051402eae2adfa9a8

SHA1
228017aaa41b45e3567c6ea509f0095c615ae215

SHA256
b131bf369d9453bad6ed8d3502a4f843f55d0b7db617f90bb412ae385f0d8399

SHA512
d0ea9ed264c9b5051911f900b188bb7b12dd37a93f072a6b16d8c3115d98c81f86ef87976b2cf697bc174e71bfeddf36ba84ac9915b9006cca76cc69226ec25b

Download Submit
\Users\Admin\AppData\Local\Temp\VVOM.OYFA

Filesize
2.5MB

MD5
bf4778b9fc5abcc051402eae2adfa9a8

SHA1
228017aaa41b45e3567c6ea509f0095c615ae215

SHA256
b131bf369d9453bad6ed8d3502a4f843f55d0b7db617f90bb412ae385f0d8399

SHA512
d0ea9ed264c9b5051911f900b188bb7b12dd37a93f072a6b16d8c3115d98c81f86ef87976b2cf697bc174e71bfeddf36ba84ac9915b9006cca76cc69226ec25b

Download Submit
\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/2400-83-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download