Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-08-2023 13:53
Static task: static1
Behavioral task: behavioral1
Sample: 28aeeb0903fb2cea43e845c927530497_icedid_JC.exe
Resource: win7-20230712-en
General
Target: 28aeeb0903fb2cea43e845c927530497_icedid_JC.exe
Size: 474KB
MD5: 28aeeb0903fb2cea43e845c927530497
SHA1: 66b493eb993c30be7a6cd60a9d46cc698ce49117
SHA256: 64c9a41b2f16689af7fae059f62d5c3f1199345cf2d2e47f7e7a6994215fedb0
SHA512: 8b4dd897eee328cda3bbbaa8ba5e8385ef37844a55ba38a0400576568aea3408e1d2d3dbfe964986fcc4635a4ba21307f66fefbc43a247679e265cd418347c50
SSDEEP: 6144:VD99OStAg28gqOGJCvcWP1xoyoYU0KYfAVquv6B2wnO8fHERVDJNZa5ioy:mg2mJCk6xofYVATU9pQVDlUs
Malware Config
Extracted family: trickbot
Version: 100008
Botnet: mor7
C2 servers: 20 entries (all on port 449)
Autorun Name: pwgrab
Signatures

Drops file in Windows directory (1 IoC)
Process: 28aeeb0903fb2cea43e845c927530497_icedid_JC.exe
Description: File opened for modification
IoC: C:\Windows\explorer.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: wermgr.exe (PID 3576)
Description: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Process: 28aeeb0903fb2cea43e845c927530497_icedid_JC.exe (PID 5108)

Suspicious use of WriteProcessMemory (4 IoCs)
Process: 28aeeb0903fb2cea43e845c927530497_icedid_JC.exe (PID 5108)
Target process: wermgr.exe (PID 3576)
Description: PID 5108 wrote to memory of 3576 (recorded 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\28aeeb0903fb2cea43e845c927530497_icedid_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\28aeeb0903fb2cea43e845c927530497_icedid_JC.exe"
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\system32\wermgr.exe (child of process 1)
   Command line: C:\Windows\system32\wermgr.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/3576-218-0x0000016CDCBC0000-0x0000016CDCBC1000-memory.dmp (Filesize: 4KB)
memory/3576-217-0x0000016CDC920000-0x0000016CDC948000-memory.dmp (Filesize: 160KB)
memory/3576-220-0x0000016CDC920000-0x0000016CDC948000-memory.dmp (Filesize: 160KB)
memory/5108-134-0x00000000022B0000-0x00000000022EE000-memory.dmp (Filesize: 248KB)
memory/5108-133-0x00000000022F0000-0x0000000002330000-memory.dmp (Filesize: 256KB)
memory/5108-138-0x0000000002330000-0x000000000236C000-memory.dmp (Filesize: 240KB)
memory/5108-139-0x0000000002330000-0x000000000236C000-memory.dmp (Filesize: 240KB)
memory/5108-174-0x0000000002330000-0x000000000236C000-memory.dmp (Filesize: 240KB)
memory/5108-215-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize: 4KB)
memory/5108-216-0x0000000010000000-0x0000000010003000-memory.dmp (Filesize: 12KB)
memory/5108-219-0x0000000010000000-0x0000000010003000-memory.dmp (Filesize: 12KB)
memory/5108-221-0x0000000002330000-0x000000000236C000-memory.dmp (Filesize: 240KB)