cf246e7f0c50e6ed2a9d8a2e5d872e85f6d70f0a3e7a7f9386028b597f6293d0

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 09:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe
Size

5.2MB
MD5

4aff2e239dcd6b16196adb26706172b1
SHA1

a5a71045f12f5023e98108ab2abb1f4787153575
SHA256

cf246e7f0c50e6ed2a9d8a2e5d872e85f6d70f0a3e7a7f9386028b597f6293d0
SHA512

fc21d1826f98f24cfd6d0889fcfd27171b5f6f93359991c31ec0af2fcc3609a74251a3098c5678f58fffc048008d60613bc1c376985a7571aad3ff4b19e445fc
SSDEEP

98304:PvNWQE/pKo1BokSZ3C/jOAZVT3q3hukCV64Fm/iMA9Yf:PvNWNpKeBokSZSbXZVT63hukiVU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe
2672	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe
2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe
2672	autorun.exe
2672	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28
PID 2264 wrote to memory of 2672	2264	4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\4aff2e239dcd6b16196adb26706172b1_icedid_JC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg

Filesize
3KB

MD5
fc2a595f574b1ead82a6dcf06492c985

SHA1
400626784368fb9825a954ab8e14238054a277d1

SHA256
ee9a4903a8df90eff4c5b65a8073e564a3581cf73772a72eb82396e69932e769

SHA512
06506e70170a85a2d697550bfb555a19e210e93b972a38a482448cf8eca335605583d04f74f5fdd2911203c58aaca2f55b946c2dfe754ecf17c6b1763b7e37db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Botao.btn

Filesize
6KB

MD5
81670b793e381d6473f94db17d309718

SHA1
8330396df1766673818fd77b095cdc8ed2693f17

SHA256
b61eacf61dce3d734ad9a041149698687143b38fb9e5c56a9fffd1f032cb0748

SHA512
78dba1af2aa925aba2163585e50a595d6c6a91810470758b8c6c8676d77f7c1e7b07904a17fb26786418d0065ae8656ba843dc1742236492ed3bff748dfd1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Canal.btn

Filesize
115KB

MD5
30e8ef78b22b137b0630143ecc514943

SHA1
a3543fdeef09ebf439c549072dd3d9bfa7ca7b9c

SHA256
0712542d2ba1f5d5428496ede4ba26ba5f2445b3c201580923bc283d67002992

SHA512
91d1f8145cee6cbca226ef3c62e9c2db02b11837a13ccbfd0e5bc262e0ac8a26540ae7542bb593d01ff594a2655f55978e4435a179e1b167a40868a72dcea77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Background 01.png

Filesize
245KB

MD5
88e0a3de8e479f82abbfbe4191bfd7d4

SHA1
d976a82715ff0d2edfe3de057e3601eb08c7c39e

SHA256
0a8f02e71afa74155aeaba37a9019b14cdd2a8642c91c83f9e4d5ad24ae46112

SHA512
9f0edc5b6a359ae4e5b616642a82c00e2f1c10e74d36d3f9f096200d12d3edfdb721e74a4abeca6002177cc1199f4b714def3ecacdecbfdeb387b0622ce25472

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
432KB

MD5
8591640fb001bc7187ccf6161efe15bd

SHA1
9768e9c4ac20da22d786681df7d62244b2a85af9

SHA256
dc6bd6e0d381699201f3489e2645531db03bc7da91016705736ecbbdea586cb0

SHA512
8e68f5bfd1d4c59c8c834f2652db8cf846a15cd22cb36db625fb1bb0cf0a93ff92b38ed7a80cf85d025c5f9fee9923ce735517787abfdf2da351449d59d42119

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.1MB

MD5
0d0f3d0383f9e24c75b828dbf8a8610a

SHA1
7e3f0c47216d8e6664a32b51fbe5160a4050990c

SHA256
9dc783666a2ae09f660d115ff0ef835f5b74d77cb893c14d63f268e85176c10c

SHA512
335e33e1d88543bae0e28738ae82b0364d9d0b55ccad991418050b1f7d185fed34ca8031901fca2e91db8aec8bc47793669b01bc9890850ee439b258dfca786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.1MB

MD5
0d0f3d0383f9e24c75b828dbf8a8610a

SHA1
7e3f0c47216d8e6664a32b51fbe5160a4050990c

SHA256
9dc783666a2ae09f660d115ff0ef835f5b74d77cb893c14d63f268e85176c10c

SHA512
335e33e1d88543bae0e28738ae82b0364d9d0b55ccad991418050b1f7d185fed34ca8031901fca2e91db8aec8bc47793669b01bc9890850ee439b258dfca786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.1MB

MD5
0d0f3d0383f9e24c75b828dbf8a8610a

SHA1
7e3f0c47216d8e6664a32b51fbe5160a4050990c

SHA256
9dc783666a2ae09f660d115ff0ef835f5b74d77cb893c14d63f268e85176c10c

SHA512
335e33e1d88543bae0e28738ae82b0364d9d0b55ccad991418050b1f7d185fed34ca8031901fca2e91db8aec8bc47793669b01bc9890850ee439b258dfca786d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
115526815415f6a514830e37691bc59f

SHA1
e707fa9c0c3cd415d6dec22b2df10581afec9298

SHA256
b35eed0bc43c12f0953881b145732f01c6386d46d29c7429dff55922a64efc0a

SHA512
11d6b958080f92870249f4c84115c34966f0c988335d7c318c8b9f8007ba7d6dad7e58eb595c3499fca0b1f744a75a474a65159ed9a52124550a847548091dd5

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.1MB

MD5
0d0f3d0383f9e24c75b828dbf8a8610a

SHA1
7e3f0c47216d8e6664a32b51fbe5160a4050990c

SHA256
9dc783666a2ae09f660d115ff0ef835f5b74d77cb893c14d63f268e85176c10c

SHA512
335e33e1d88543bae0e28738ae82b0364d9d0b55ccad991418050b1f7d185fed34ca8031901fca2e91db8aec8bc47793669b01bc9890850ee439b258dfca786d

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
115526815415f6a514830e37691bc59f

SHA1
e707fa9c0c3cd415d6dec22b2df10581afec9298

SHA256
b35eed0bc43c12f0953881b145732f01c6386d46d29c7429dff55922a64efc0a

SHA512
11d6b958080f92870249f4c84115c34966f0c988335d7c318c8b9f8007ba7d6dad7e58eb595c3499fca0b1f744a75a474a65159ed9a52124550a847548091dd5

Download Submit