Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-04-2024 03:53
General
-
Target
2024-04-28_b6bd3510fe1ea53a485125851fe24689_icedid.exe
-
Size
1.2MB
-
MD5
b6bd3510fe1ea53a485125851fe24689
-
SHA1
d922de471e1977714828b6a70258c449df945184
-
SHA256
a4ae317aaa5b27ca89de427fed5ce7b477d693690b1087ef4ad2f6733cc7bcb1
-
SHA512
3d3f8a3a10842a6197da9a77e17ef675293c413bbd87150f03d79a4c1edc50beb438621dc6b07e5a4ed283fae938c5b34069bb83e5583274438740219a0d560e
-
SSDEEP
24576:nNQqxk/LBaIt34ya0eKbQUMTAJPl++AJuoyUlztA8hxi:naqxkVaItIVUM2Pl+LVyynbi
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 5 IoCs
-
UPX dump on OEP (original entry point) 6 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_b6bd3510fe1ea53a485125851fe24689_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_b6bd3510fe1ea53a485125851fe24689_icedid.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CCProxy.iniFilesize
38B
MD5ed7026cea323f38e3926a8d4c8298037
SHA164daa6d089a10e19e636a9ef5904aa7201229fa6
SHA2563f1870c2d18b9e2e1e696887b974d7030efacd66628c1e96c856d17844096b27
SHA5125e86aaabf531c1d3dd131766afa03b62d62b0bc75a6fdb6bc616f90ad02fb3d4b20eb9551c7a7c54e1923db6d85f950732e98c381838c095d13aa3aa76d54525
-
memory/2324-0-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/2324-2-0x0000000002060000-0x00000000030EE000-memory.dmpFilesize
16.6MB
-
memory/2324-4-0x0000000002060000-0x00000000030EE000-memory.dmpFilesize
16.6MB
-
memory/2324-10-0x0000000002060000-0x00000000030EE000-memory.dmpFilesize
16.6MB
-
memory/2324-18-0x0000000002060000-0x00000000030EE000-memory.dmpFilesize
16.6MB
-
memory/2324-20-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/2324-5-0x0000000002060000-0x00000000030EE000-memory.dmpFilesize
16.6MB