Analysis

max time kernel: 139s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230824-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2023 19:49

Static task: static1
Behavioral task: behavioral1
Sample: ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe
Resource: win7-20230712-en

General

Target: ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe
Size: 272KB
MD5: ee7b8d7ea2079b2caccf61227fe17b57
SHA1: fe9055fe172abb22ac3cec65df7aeb1454210f78
SHA256: 9b6c77630d8501359b4231ce03fbf34b123abba06f4bec2c8e3d6662a2cf0bda
SHA512: d10b1f22d2afe99ec42519a51b569495b0fd541d0bc398054b88d407d19ee482ffb3f00071a36bef55a0ad529ab440c50c8b2f81495da897b7941b44a0048654
SSDEEP: 6144:sWIr7BmCNyXHhGVDfF6TREmvZbHzFxYClHg5U:VE7BmSkHEV56vvZbHzjlA5

Malware Config

Extracted
Family: emotet
Botnet: Epoch2
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 4156  process fvecerts.exe

Drops file in System32 directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\NtlmShared\fvecerts.exe
  process: ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid 4156  process fvecerts.exe  (18 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 4272  process ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 4272  process ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe  (2 entries)
  pid 4156  process fvecerts.exe  (2 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 4272 wrote to memory of 4156
  pid: 4272  process: ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe  target process: fvecerts.exe  (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe (pid 4272)
   command line: "C:\Users\Admin\AppData\Local\Temp\ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\NtlmShared\fvecerts.exe (pid 4156, child of 4272)
      command line: "C:\Windows\SysWOW64\NtlmShared\fvecerts.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads

C:\Windows\SysWOW64\NtlmShared\fvecerts.exe
  Filesize: 272KB
  MD5: ee7b8d7ea2079b2caccf61227fe17b57
  SHA1: fe9055fe172abb22ac3cec65df7aeb1454210f78
  SHA256: 9b6c77630d8501359b4231ce03fbf34b123abba06f4bec2c8e3d6662a2cf0bda
  SHA512: d10b1f22d2afe99ec42519a51b569495b0fd541d0bc398054b88d407d19ee482ffb3f00071a36bef55a0ad529ab440c50c8b2f81495da897b7941b44a0048654

memory/4156-9-0x0000000002160000-0x000000000216E000-memory.dmp
  Filesize: 56KB

memory/4156-13-0x0000000002170000-0x000000000217C000-memory.dmp
  Filesize: 48KB

memory/4272-1-0x0000000002260000-0x000000000226E000-memory.dmp
  Filesize: 56KB

memory/4272-0-0x0000000002250000-0x000000000225B000-memory.dmp
  Filesize: 44KB

memory/4272-5-0x0000000002270000-0x000000000227C000-memory.dmp
  Filesize: 48KB