Overview

overview

9

Static

static

3

2024-02-02...id.exe

windows7-x64

9

2024-02-02...id.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2024, 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe

  • Size

    701KB

  • MD5

    676d66435bbe899f7c53de8b4729c471

  • SHA1

    a1b2186b40c06d96633069c741dd2cf3fb6d35f3

  • SHA256

    b12810726fbd344b28ad8906c84737c648e978d584e7d90e035dca070d2a1e06

  • SHA512

    d2a57dcb2acf3f6ce2305230c1fa508c23e1535e34fd614145e9da4eb8d0b86a5f3dd7e0664bb562349630cc3295b6de0692d016d99ff6669e0729b74e5940b2

  • SSDEEP

    12288:p7bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:5HnmlJblvSdFP8THlhqe1kh7

Score
9/10

Malware Config

Signatures

  • Detects executables built or packed with MPress PE compressor 12 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\8002.vbs"
        3⤵
        • Deletes itself
        PID:2676
  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\8002.vbs
    Filesize

    500B

    MD5

    57afaa83e32e314ffb54d838b894da6d

    SHA1

    493a632b267dc65c5cbcf9f9cc0ab498a82c0bec

    SHA256

    191ce9b84e8f7a39f76a54d36c47541e25c47a6d887a21003b5956bdbee9e4e1

    SHA512

    52953fbd5598318b6a92c7d93089304bbb1d65a54fdcbbdb583bc93dbbd3f3ec60c062950f451878e097da652e7d02b0bbcecc8b9c699a917ba07d6546b96008

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    1.2MB

    MD5

    e8f4aab48c09793eb2d2c3dcb4d97cff

    SHA1

    ef533d01dcf826e3c7903c7297d9d05fd148ccce

    SHA256

    d4e760945331fd902f7da389aea8f4ba4cb7540f6ec22aec23ff320c8caf3537

    SHA512

    b5f8ac7f48d46ad1cbf75465141ddc9a339e09befd80dae9723a8b30437f18292b77c843a5a4db6e1a4d5da3765550617b6d4ca8893d8ba7326ce776bb446a4d

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    254KB

    MD5

    29ed245869f7a5a40657c0652ce4b617

    SHA1

    9fbf9fb8f060ec9ff1a4a73cfb8175a045450cb9

    SHA256

    d7459a7f404d0fbd59f934f34a65eb8eb75253988974a43d2c809e62a5fab36a

    SHA512

    620308f7132b928d37318bd93db1c0abcc47f11edf252f40802485694055e20358274639791628529151e5e216fe77aca56762edf9d1532f1ce0d0d4ebb2c1e9

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    104KB

    MD5

    8b83708470e0999b4363a90b52696349

    SHA1

    e156fdd28a4f17ad215eac9de95aa58bcb6e081c

    SHA256

    c3c9a54ba742b551cf006fce34edde8515d95ccad3c4413e7e9f68f3cb6bae04

    SHA512

    9fdf69f01d851fe1d146e41208908ebe488822d1c1d8dc7298462ca63ed23b5f76226e9e96363a73e78576010d8beef11379773dfd6bd1391d84cd42ffb0cdb8

    Download Submit

  • \Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    190KB

    MD5

    0a7fbf3c6609750c97f33b822fc36ca2

    SHA1

    ad9afd48fd424e3f65a742c88143e8b921ed0cfe

    SHA256

    07e70e5ce35fb6fba43a36f0dc1cd8f75cb6ac66701f4f5413361bf600abf145

    SHA512

    c54a4cec7d0f28690461ee3019df81e8c3bd2e05c28bca3c8c0719f56cede705f03d535952ab4f1ee7a6334b0d441170274271dd9e0bef296c4fa3c75454ca38

    Download Submit

  • \Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    79KB

    MD5

    bf9de902291627e48bba0bfe785b2a19

    SHA1

    79f19fd8189c9685c979e6561b5a64a9d7fedbcb

    SHA256

    42636c9fa01fa8751caa51e2dbe04daec7e67b6f4cfcca2b37c4116bbed98116

    SHA512

    82193ac73ca7e25a86ffa164ddd55e6cb503dbbdcb4803316f1f48d73f80a00ea7857779a5364997ca11256f2b19063d8c764b4b6d50f6e41fe0f7aa61d7464c

    Download Submit

  • \Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    154KB

    MD5

    0b94bfe2a18a73768132dbe34e391a14

    SHA1

    8da324ab3b507816d2300fc01d8678c186056e88

    SHA256

    9e07b918492aa309a38c49b31857990476e694db3d3a857d7f49bf1e97536b10

    SHA512

    94095cf9ac4e45e9d2e6d4b65a15fd73fa04862f2b141180fafead321d744fa7c9d0fcafb1169f96ba2a4158463094e2133e91352cf6a0661f8de7db363b4065

    Download Submit

  • memory/2340-4-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-37-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-11-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-9-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-7-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-6-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-13-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-2-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-10-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2340-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-36-0x0000000000410000-0x0000000000591000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2768-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2768-35-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2768-39-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2768-41-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2768-45-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download