Overview

overview

9

Static

static

3

2024-02-02...id.exe

windows7-x64

9

2024-02-02...id.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2024, 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe

  • Size

    701KB

  • MD5

    676d66435bbe899f7c53de8b4729c471

  • SHA1

    a1b2186b40c06d96633069c741dd2cf3fb6d35f3

  • SHA256

    b12810726fbd344b28ad8906c84737c648e978d584e7d90e035dca070d2a1e06

  • SHA512

    d2a57dcb2acf3f6ce2305230c1fa508c23e1535e34fd614145e9da4eb8d0b86a5f3dd7e0664bb562349630cc3295b6de0692d016d99ff6669e0729b74e5940b2

  • SSDEEP

    12288:p7bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:5HnmlJblvSdFP8THlhqe1kh7

Score
9/10

Malware Config

Signatures

  • Detects executables built or packed with MPress PE compressor 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Users\Admin\AppData\Local\Temp\2024-02-02_676d66435bbe899f7c53de8b4729c471_icedid.exe
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\927.vbs"
        3⤵
        • Deletes itself
        PID:2464
  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
      2⤵
      • Executes dropped EXE
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\927.vbs
    Filesize

    500B

    MD5

    57afaa83e32e314ffb54d838b894da6d

    SHA1

    493a632b267dc65c5cbcf9f9cc0ab498a82c0bec

    SHA256

    191ce9b84e8f7a39f76a54d36c47541e25c47a6d887a21003b5956bdbee9e4e1

    SHA512

    52953fbd5598318b6a92c7d93089304bbb1d65a54fdcbbdb583bc93dbbd3f3ec60c062950f451878e097da652e7d02b0bbcecc8b9c699a917ba07d6546b96008

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    2.9MB

    MD5

    f5125ddcf83af4234b11f19a76fcc353

    SHA1

    c946106e63c94836061ffec40986c505bf219232

    SHA256

    dc239491c64c174d59d7c173f1c795ef180c637fef34a9041873c48908bf80a0

    SHA512

    6abfc3df584e8a1dc3e711f6af33f525a179059eed88ce29cdd2123dee22a30f1860c0b781931d7b72ce44076df6de44530ae90bcfb6757586275993755021ea

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    2.4MB

    MD5

    f5a905f57cf2c2e3893fa6dff9042e37

    SHA1

    99f6e472e870dab8f5576d4162c87c5c51e67cf9

    SHA256

    d84f0f5ddecb0621fd37b09d4ecbe79cb576edd2b62e87fa518a142ef469f710

    SHA512

    c680e2cf16be4f4a68b348bab0a6ecd3b717675cba278b4b912115e0e0a776522714023738f62fd84fb5a8f83ebf3c444f9b3343d0792a9a1c6f660942e8447d

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
    Filesize

    2.3MB

    MD5

    7982471cd37fb693a045d857e1646b66

    SHA1

    cf412930fa00d34cf07433d88902f0f7ef194f43

    SHA256

    c92b877ec43ab9ccc77275a548fa1f0376e8a6435253956d4ca2f0c2f3d0e6c7

    SHA512

    c9a524ea1793a30e3fa8be0c8090a57b6c6ede46c50d7deab41209a912d01a3b510368d1b0d896ebb46c9a3516337c7800db9b01f03e210b765de090525016d0

    Download Submit

  • memory/3168-5-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-7-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-4-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-0-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-2-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-25-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3168-24-0x0000000000410000-0x00000000004D9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3628-21-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3628-27-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3628-29-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3628-33-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download