Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-02-2024 14:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
Resource: win7-20231215-en
General
Target: 2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
Size: 452KB
MD5: 5a1d7a32649b3a2119ee4e5c053cd9a0
SHA1: 01d41589d386ac6a91c24b17322125528ac3a55f
SHA256: 7561fbd9bea06c1f703fe87da59d818c096b92d133edbce4f8c5523e6a117224
SHA512: 5eb1c9687bddcea32b8afb25f8360ecabd6364df059675a55d2181e4770ee1b917dec80648156f0d4b33013b1588f026360b9099e0fe4009974a8159163fa79b
SSDEEP: 6144:TvrPZDeMVjTPBlbG2Rmzd0OGKi74RWkM8ZVx4QcSahHF:35l2zdAKiuWkrxa
Malware Config
Extracted: emotet (Epoch3)
Addresses:
77.245.12.212:80
189.134.4.209:443
1.32.54.12:8080
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
190.5.162.204:80
50.116.78.109:8080
210.224.65.117:80
186.215.101.106:80
5.189.148.98:8080
81.82.247.216:80
139.162.185.116:443
172.104.70.207:8080
143.95.101.72:8080
190.189.79.73:80
83.110.107.243:443
82.79.244.92:80
195.201.56.68:7080
181.197.108.171:443
157.7.164.178:8081
83.99.211.160:80
46.17.6.116:8080
216.75.37.196:8080
138.197.140.163:8080
51.38.134.203:8080
211.218.105.101:80
103.122.75.218:80
198.57.217.170:8080
172.90.70.168:443
41.218.118.66:80
195.191.107.67:80
189.225.211.171:443
80.93.48.49:7080
45.129.121.222:443
23.253.207.142:8080
81.213.145.45:443
181.44.166.242:80
187.177.155.123:990
189.180.105.125:443
182.176.116.139:995
186.66.224.182:990
212.112.113.235:80
212.129.14.27:8080
119.159.150.176:443
176.58.93.123:80
187.233.220.93:443
124.150.175.133:80
83.156.88.159:80
60.53.3.153:8080
110.142.161.90:80
174.57.150.13:8080
95.216.212.157:8080
197.90.159.42:80
37.59.24.25:8080
201.196.15.79:990
221.154.59.110:80
187.250.92.82:80
78.46.87.133:8080
85.105.183.228:443
201.183.251.100:80
123.142.37.165:80
172.245.13.50:8080
181.47.235.26:993
72.69.99.47:80
177.103.201.23:80
124.150.175.129:8080
190.161.67.63:80
192.163.221.191:8080
80.102.124.98:8080
95.216.207.86:7080
190.101.87.170:80
72.27.212.209:8080
163.172.97.112:8080
191.100.24.201:50000
46.105.131.68:8080
188.230.134.205:80
193.33.38.208:443
192.241.220.183:8080
189.236.4.214:443
162.144.46.90:8080
210.111.160.220:80
113.52.135.33:7080
89.215.225.15:80
200.71.112.158:53
78.186.102.195:80
152.169.32.143:8080
192.210.217.94:8080
142.93.87.198:8080
122.11.164.183:80
Signatures

Drops file in System32 directory (4 IoCs)
Process: boostspeed.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Process: boostspeed.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Process: boostspeed.exe (PID 1408), 14 occurrences

Suspicious behavior: RenamesItself (1 IoC)
Process: 2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe (PID 864)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 3672: 2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
- PID 864: 2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
- PID 1544: boostspeed.exe
- PID 1408: boostspeed.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3672 (2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe) wrote to memory of PID 864 (2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe), 3 occurrences
- PID 1544 (boostspeed.exe) wrote to memory of PID 1408 (boostspeed.exe), 3 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
    Arguments: --25d98d1e
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\boostspeed.exe
Command line: "C:\Windows\SysWOW64\boostspeed.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\boostspeed.exe
    Arguments: --5bdc7416
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/864-6-0x0000000002160000-0x0000000002177000-memory.dmp (92KB)
- memory/1408-16-0x0000000000620000-0x0000000000637000-memory.dmp (92KB)
- memory/1544-11-0x0000000000A10000-0x0000000000A27000-memory.dmp (92KB)
- memory/3672-0-0x0000000000780000-0x0000000000797000-memory.dmp (92KB)
- memory/3672-5-0x0000000000760000-0x0000000000771000-memory.dmp (68KB)