Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/05/2024, 03:45

General

  • Target: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
  • Size: 602KB
  • MD5: 169b1f31485f0103973555d92a17b8df
  • SHA1: bc28421db6ebe828041d9f06313056ff8fbcc52b
  • SHA256: cbc89fcc895d9aee6028ca0f4c899697901a882476aef81a92cc106a22c7bbd1
  • SHA512: f158e3929aabc17005af2fdca066004c8170cbec88b5bd061a72b3008749f655e153349d0f162ff27aef148108efbbe4cab367f8d9be714194b90474dd75c573
  • SSDEEP: 12288:BO8oSyBu+/FNipnbfWdswjvrqFvhh72zS5:voSAu+//imWFz2i

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\Rundll32.exe
        Rundll32 C:\Windows\system32\hrgmuctb.dll Exbcute
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\net.exe
          net stop WinDefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop WinDefend
            5⤵
            PID:2768
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            5⤵
            PID:2744
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          4⤵
          • Launches sc.exe
          PID:2528
        • C:\Windows\SysWOW64\sc.exe
          sc config MpsSvc start= disabled
          4⤵
          • Launches sc.exe
          PID:1328
        • C:\Windows\SysWOW64\sc.exe
          sc stop ZhuDongFangYu
          4⤵
          • Launches sc.exe
          PID:2424
        • C:\Windows\SysWOW64\sc.exe
          sc delete ZhuDongFangYu
          4⤵
          • Launches sc.exe
          PID:2600
        • C:\Windows\SysWOW64\sc.exe
          sc stop 360rp
          4⤵
          • Launches sc.exe
          PID:2536
        • C:\Windows\SysWOW64\sc.exe
          sc delete 360rp
          4⤵
          • Launches sc.exe
          PID:2512
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" stop PolicyAgent
          4⤵
          • Launches sc.exe
          PID:2760
      • C:\Windows\SysWOW64\Rundll32.exe
        Rundll32 C:\Windows\system32\avjmuctb.dll Exbcute
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        PID:1892
    • C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\avjmuctb.dll
    Filesize: 24KB
    MD5: af18ffd71cf2abe49e60353b9202bf70
    SHA1: fca0fb502f5d79eacfb6b3af613e9f38e30220d8
    SHA256: adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
    SHA512: 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb
  • C:\Windows\SysWOW64\hrgmuctb.dll
    Filesize: 75KB
    MD5: 9b0bdefd566a844ab82d31d41cae80eb
    SHA1: 11221562bee4503b003ba5f8e7be67df92093dd9
    SHA256: c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
    SHA512: 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909
  • \Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
    Filesize: 454KB
    MD5: 61a77d9b15c3587c37e488d15c047f1b
    SHA1: 0de190158dae1da0e21f87a4949bbff56bdc701b
    SHA256: 5c36cbc4ec7f56df3c15d71dcbfc4391a499f4b35f92966d52b418d5e19000f4
    SHA512: 9f0632c0d3305e05e366131cb08586a09a54522b077b2c305b76c245f939da5774cc53ea9bf32d3cc364c113813ebe1f59b7410cdebc66727263708d71acddb2
  • \Users\Admin\AppData\Local\Temp\34A7.tmp
    Filesize: 1.7MB
    MD5: b5eb5bd3066959611e1f7a80fd6cc172
    SHA1: 6fb1532059212c840737b3f923a9c0b152c0887a
    SHA256: 1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
    SHA512: 6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6
  • \Windows\SysWOW64\system.exe
    Filesize: 144KB
    MD5: 2de43a2571b821f9cdcd84c3c23b7ce6
    SHA1: ff038212807b5cc4ce85009877350a25f3495f1d
    SHA256: 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
    SHA512: de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7
  • memory/2252-0-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize: 624KB
  • memory/2252-16-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize: 4KB
  • memory/2252-56-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize: 624KB