6bd37be86b2ceba33154473812c889e0cd2fcf15eefc1b75ea820a8e128231bf

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
Size

2.5MB
MD5

9c4f4169ef3e09b5a5d15052df406ed9
SHA1

3e9c9dc245e579acca2f4530d17d8a13a98658b1
SHA256

6bd37be86b2ceba33154473812c889e0cd2fcf15eefc1b75ea820a8e128231bf
SHA512

7bf11b1a6aa6912a9710b8d8dec912470766af4acabf10eda6f1a960903945ddcc1de499e0d4de3494440184deb2637ec44c9f7a2d18e0184f8c3dd4d86f96af
SSDEEP

49152:XmvdgqxpQzgXQ3TooLeYN/yKiZ3pWBST1W5KiZV:IZpQzgXgkoLpN/yKO8OW5KOV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	GHGI.FBT

Loads dropped DLL 9 IoCs

pid	Process
1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	GHGI.FBT
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	GHGI.FBT
File created	C:\Windows\SysWOW64\fuzhu.dll	GHGI.FBT
File created	C:\Windows\SysWOW64\shurufa.ime	GHGI.FBT

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT
2160	GHGI.FBT

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
2160	GHGI.FBT
2160	GHGI.FBT

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2160	1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe	28
PID 1212 wrote to memory of 2160	1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe	28
PID 1212 wrote to memory of 2160	1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe	28
PID 1212 wrote to memory of 2160	1212	9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe	28
PID 2160 wrote to memory of 1408	2160	GHGI.FBT	29
PID 2160 wrote to memory of 1408	2160	GHGI.FBT	29
PID 2160 wrote to memory of 1408	2160	GHGI.FBT	29
PID 2160 wrote to memory of 1408	2160	GHGI.FBT	29

C:\Users\Admin\AppData\Local\Temp\9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9c4f4169ef3e09b5a5d15052df406ed9_hacktools_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\GHGI.FBT
  "C:\Users\Admin\AppData\Local\Temp\GHGI.FBT"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHGI.FBT

Filesize
2.5MB

MD5
2c12dc1ff6680f00b5a59e31469a9ddf

SHA1
7873b73f927a7b965438d5017b77a4d67d17dd91

SHA256
af3aecda4ede272f17de413272b3ad1173704ceeb381718eda27f23244b5bf95

SHA512
a1bcc39d2a683c3b80e2ccf72512b6060642e27471100decf132cb9bcc6cd06ab3c40fe347ce4e510e419475d0d28ab5fee83181de12cb47d8970ab180bbeb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHGI.FBT

Filesize
2.5MB

MD5
2c12dc1ff6680f00b5a59e31469a9ddf

SHA1
7873b73f927a7b965438d5017b77a4d67d17dd91

SHA256
af3aecda4ede272f17de413272b3ad1173704ceeb381718eda27f23244b5bf95

SHA512
a1bcc39d2a683c3b80e2ccf72512b6060642e27471100decf132cb9bcc6cd06ab3c40fe347ce4e510e419475d0d28ab5fee83181de12cb47d8970ab180bbeb57

Download Submit
C:\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Users\Admin\AppData\Local\Temp\GHGI.FBT

Filesize
2.5MB

MD5
2c12dc1ff6680f00b5a59e31469a9ddf

SHA1
7873b73f927a7b965438d5017b77a4d67d17dd91

SHA256
af3aecda4ede272f17de413272b3ad1173704ceeb381718eda27f23244b5bf95

SHA512
a1bcc39d2a683c3b80e2ccf72512b6060642e27471100decf132cb9bcc6cd06ab3c40fe347ce4e510e419475d0d28ab5fee83181de12cb47d8970ab180bbeb57

Download Submit
\Users\Admin\AppData\Local\Temp\GHGI.FBT

Filesize
2.5MB

MD5
2c12dc1ff6680f00b5a59e31469a9ddf

SHA1
7873b73f927a7b965438d5017b77a4d67d17dd91

SHA256
af3aecda4ede272f17de413272b3ad1173704ceeb381718eda27f23244b5bf95

SHA512
a1bcc39d2a683c3b80e2ccf72512b6060642e27471100decf132cb9bcc6cd06ab3c40fe347ce4e510e419475d0d28ab5fee83181de12cb47d8970ab180bbeb57

Download Submit
\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/2160-84-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download