General

  • Target

    2024-04-09_7614d445d8d8bad2945a552c61fbb6f4_hacktools_icedid_mimikatz

  • Size

    7.0MB

  • Sample

    240409-b5vp5sae75

  • MD5

    7614d445d8d8bad2945a552c61fbb6f4

  • SHA1

    f3021a26ab5b6df18baab3897f14efa5996674f1

  • SHA256

    abdf999ddf5f6685336cce47436bb4835e5db4b11b182fe777628f6589976154

  • SHA512

    359c21422cebefb7627a56a4b3392339c40d29148d166e7e42eb77fca1711f130ec979fca76649242a177b297528543d20b2132e59d8ffd1ad1f847bd1043ee2

  • SSDEEP

    196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Malware Config

Targets

    • Target

      2024-04-09_7614d445d8d8bad2945a552c61fbb6f4_hacktools_icedid_mimikatz

    • Size

      7.0MB

    • MD5

      7614d445d8d8bad2945a552c61fbb6f4

    • SHA1

      f3021a26ab5b6df18baab3897f14efa5996674f1

    • SHA256

      abdf999ddf5f6685336cce47436bb4835e5db4b11b182fe777628f6589976154

    • SHA512

      359c21422cebefb7627a56a4b3392339c40d29148d166e7e42eb77fca1711f130ec979fca76649242a177b297528543d20b2132e59d8ffd1ad1f847bd1043ee2

    • SSDEEP

      196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Contacts a large (25608) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

    • UPX dump on OEP (original entry point)

    • XMRig Miner payload

    • mimikatz is an open source tool to dump credentials on Windows

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks