Analysis
max time kernel: 144s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 13-04-2024 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe
Resource: win7-20240221-en
General
Target: 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe
Size: 273KB
MD5: 5b7d91515a4b65d243ef074eac657505
SHA1: 8a2928272ac430bbc69bf4634dc089c87a1f3200
SHA256: e9973029a4b7112be1c157ce1c60439bff0d5aaa1d61728e42e2347ce69baff7
SHA512: 744505a1baabd627f46a90f7768cdc2f7c708615a5adca8f4fca77de30e5147f468f1e368303f865b1a034a0f244fafb709e7afc38e56478c2bf12d6a2055ca8
SSDEEP: 6144:aGj5A9/6y8mGw8jArXM1qa9fjLI/cywmYYdxxx:aG9sgjALM1qYCcVwxH
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (ip:port):
109.117.53.230:443
212.51.142.238:8080
190.160.53.126:80
139.59.60.244:8080
91.211.88.52:7080
190.108.228.62:443
186.208.123.210:443
46.105.131.87:80
173.91.22.41:80
222.214.218.37:4143
31.31.77.83:443
62.75.141.82:80
93.156.165.186:80
93.51.50.171:8080
185.94.252.104:443
78.189.165.52:8080
95.179.229.244:8080
73.11.153.178:8080
203.153.216.189:7080
95.213.236.64:8080
79.98.24.39:8080
41.60.200.34:80
61.19.246.238:443
104.131.11.150:443
162.241.92.219:8080
104.131.44.150:8080
58.153.68.176:80
153.126.210.205:7080
62.138.26.28:8080
168.235.67.138:7080
103.86.49.11:8080
116.203.32.252:8080
87.106.139.101:8080
101.187.97.173:80
113.160.130.116:8443
75.139.38.211:80
201.173.217.124:443
60.130.173.117:80
139.130.242.43:80
110.143.151.194:80
46.105.131.79:8080
162.154.38.103:80
121.124.124.40:7080
137.59.187.107:8080
81.2.235.111:8080
110.145.77.103:80
109.74.5.95:8080
200.41.121.90:80
91.205.215.66:443
108.48.41.69:80
176.111.60.55:8080
24.1.189.87:8080
190.144.18.198:80
87.106.136.232:8080
5.196.74.210:8080
209.141.54.221:8080
50.116.86.205:8080
78.24.219.147:8080
210.165.156.91:80
37.187.72.193:8080
157.245.99.39:8080
190.55.181.54:443
37.139.21.175:8080
169.239.182.217:8080
104.236.246.93:8080
200.55.243.138:8080
74.208.45.104:8080
5.39.91.110:7080
79.7.158.208:80
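The extracted configuration above is the actionable part of this report: despite the "_icedid" tag in the submitted filename, the extracted config and the in-memory YARA hits further down identify the payload as Emotet (Epoch2), so the classification to act on is Emotet and the C2 list is what goes into network controls. The following is an added example, not part of the sandbox report: it parses ip:port entries in the format shown above into a validated matcher and runs it over constructed proxy/firewall log lines. Only a subset of the report's C2 entries is embedded, the log lines and their layout are constructed for the demo, and `parse_c2_list`, `match_log_lines` and `c2_ips` are names chosen here.

```python
"""Turn the Emotet Epoch2 C2 list from the sandbox report into a
network-IOC matcher and run it over constructed log lines.

Added example, not part of the sandbox report. C2_TEXT is a subset of
the ip:port entries copied from the report; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Subset of the entries listed under "Malware Config / Extracted" above.
C2_TEXT = """
109.117.53.230:443
212.51.142.238:8080
190.160.53.126:80
139.59.60.244:8080
91.211.88.52:7080
222.214.218.37:4143
113.160.130.116:8443
79.7.158.208:80
"""

# Constructed log lines (not from the report): "ts src dst:port action".
SAMPLE_LOG = """
2024-04-13T03:50:01Z 10.0.0.15 212.51.142.238:8080 ALLOW
2024-04-13T03:50:02Z 10.0.0.15 212.51.142.238:443 ALLOW
2024-04-13T03:50:05Z 10.0.0.22 8.8.8.8:53 ALLOW
2024-04-13T03:51:10Z 10.0.0.15 222.214.218.37:4143 DENY
2024-04-13T03:52:00Z 10.0.0.31 79.7.158.208:80 ALLOW
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)$")


def parse_c2_list(text: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) pairs.

    Anything that is not a valid, globally routable IPv4 address with a
    port in 1..65535 is dropped, so a mangled copy/paste cannot turn into
    a rule that blocks RFC1918 space or a nonsense port.
    """
    c2s: set[tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        port_n = int(port)
        if addr.version != 4 or not addr.is_global or not 1 <= port_n <= 65535:
            continue
        c2s.add((str(addr), port_n))
    return c2s


def match_log_lines(lines: Iterable[str], c2s: set[tuple[str, int]]):
    """Return (ts, src, dst, port, action) for every line whose destination
    ip:port is a configured C2.

    The match is on ip AND port because the config lists specific pairs;
    a hit on another port of the same IP is not evidence of C2 contact
    from this config (use c2_ips() when a control cannot match ports).
    """
    hits = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        if (dst, int(port)) in c2s:
            hits.append((ts, src, dst, int(port), action))
    return hits


def c2_ips(c2s: set[tuple[str, int]]) -> list[str]:
    """IP-only view, sorted, for blocklists that cannot express ports."""
    return sorted({ip for ip, _ in c2s})


if __name__ == "__main__":
    c2 = parse_c2_list(C2_TEXT)
    for hit in match_log_lines(SAMPLE_LOG.splitlines(), c2):
        print("C2 contact:", hit)
```

In the constructed log the 212.51.142.238:443 line is deliberately not matched: the config lists that host only on 8080, and the DENY on 222.214.218.37:4143 is still reported because a blocked attempt is the more useful signal (the host already carries the payload).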
Signatures

Emotet YARA hits in memory
Processes:
resource | yara_rule
behavioral2/memory/1224-0-0x00000000022D0000-0x00000000022DC000-memory.dmp | emotet
behavioral2/memory/1224-4-0x00000000022C0000-0x00000000022C9000-memory.dmp | emotet
behavioral2/memory/4860-7-0x0000000002180000-0x000000000218C000-memory.dmp | emotet
behavioral2/memory/4860-11-0x0000000002180000-0x000000000218C000-memory.dmp | emotet

Executes dropped EXE 1 IoCs
Processes:
pid | process
4860 | wmidcom.exe

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\NetSetupShim\wmidcom.exe | 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
4860 | wmidcom.exe (16 occurrences)

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
1224 | 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1224 | 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe (2 occurrences)
4860 | wmidcom.exe (2 occurrences)

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 1224 wrote to memory of 4860 | 1224 | 2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe | wmidcom.exe (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-13_5b7d91515a4b65d243ef074eac657505_icedid.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\NetSetupShim\wmidcom.exe (child of 1)
      Command line: "C:\Windows\SysWOW64\NetSetupShim\wmidcom.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\SysWOW64\NetSetupShim\wmidcom.exe
Filesize: 273KB
MD5: 5b7d91515a4b65d243ef074eac657505
SHA1: 8a2928272ac430bbc69bf4634dc089c87a1f3200
SHA256: e9973029a4b7112be1c157ce1c60439bff0d5aaa1d61728e42e2347ce69baff7
SHA512: 744505a1baabd627f46a90f7768cdc2f7c708615a5adca8f4fca77de30e5147f468f1e368303f865b1a034a0f244fafb709e7afc38e56478c2bf12d6a2055ca8
(Size and all four hashes are identical to the submitted sample: the dropped wmidcom.exe is a byte-for-byte copy of the original, which is why the parent is flagged as RenamesItself.)

memory/1224-0-0x00000000022D0000-0x00000000022DC000-memory.dmp
Filesize: 48KB

memory/1224-4-0x00000000022C0000-0x00000000022C9000-memory.dmp
Filesize: 36KB

memory/1224-6-0x00000000027E0000-0x00000000028D1000-memory.dmp
Filesize: 964KB

memory/4860-7-0x0000000002180000-0x000000000218C000-memory.dmp
Filesize: 48KB

memory/4860-11-0x0000000002180000-0x000000000218C000-memory.dmp
Filesize: 48KB

memory/4860-12-0x00000000026C0000-0x00000000027B1000-memory.dmp
Filesize: 964KB