Analysis
max time kernel: 140s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 20:22
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe
Resource: win7-20231215-en
General
Target: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe
Size: 372KB
MD5: 0c3b8231021238b9a4c07fd5cb581531
SHA1: 7d4f97193dd23061d2af8bb58b6b000558e28147
SHA256: cd58b312e2dcc727db92eb067690393f84d54fc7e27fa1c45cc85f168138a1d6
SHA512: 03555707304a500318307126cda286656d9fb91d5ec52d128b758b5057b0d9a116f76d8a9f30b5c4847703fc7abc4ab2e69f20aeb1008ba4062f60491a902034
SSDEEP: 6144:QeDpdjhQx9ULnOH+ROshO52s2ZpFWQaXnNXBbEJh/sEla4:Ej4OH+R02VZpFGnNxsU4
Malware Config
Extracted
emotet
Epoch2
Signatures

Drops file in System32 directory (4 IoCs)
Processes: footerpublish.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (footerpublish.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (footerpublish.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (footerpublish.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (footerpublish.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Processes: footerpublish.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (footerpublish.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (footerpublish.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (footerpublish.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: footerpublish.exe
- pid 4544 footerpublish.exe (10 events)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe
- pid 2240 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe, 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe, footerpublish.exe, footerpublish.exe
- pid 4320 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe (2 events)
- pid 2240 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe (2 events)
- pid 3012 footerpublish.exe (2 events)
- pid 4544 footerpublish.exe (2 events)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe, footerpublish.exe
- PID 4320 wrote to memory of 2240: 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe -> 2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe (3 events)
- PID 3012 wrote to memory of 4544: footerpublish.exe -> footerpublish.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-01-28_0c3b8231021238b9a4c07fd5cb581531_icedid.exe --1b074ae0
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\footerpublish.exe
  Command line: "C:\Windows\SysWOW64\footerpublish.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\footerpublish.exe --410f7daa
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Downloads
- memory/2240-6-0x00000000021C0000-0x00000000021D7000-memory.dmp (Filesize: 92KB)
- memory/3012-11-0x0000000000E30000-0x0000000000E47000-memory.dmp (Filesize: 92KB)
- memory/4320-0-0x00000000022F0000-0x0000000002307000-memory.dmp (Filesize: 92KB)
- memory/4320-4-0x00000000022D0000-0x00000000022E1000-memory.dmp (Filesize: 68KB)
- memory/4544-16-0x0000000000E20000-0x0000000000E37000-memory.dmp (Filesize: 92KB)