915ca133c99fb5f2c0086faaefcf759e0a5fd2ed21073a132e4c3521ab9ca947

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
Size

13.6MB
MD5

a717113f71eae6745b6337c3c5446830
SHA1

82ff18ff0b3696fb2613b0c882fe42983ab44392
SHA256

915ca133c99fb5f2c0086faaefcf759e0a5fd2ed21073a132e4c3521ab9ca947
SHA512

0ad7c6eb5acae6b2468fa2ee569d525389aa0278bec0dba77ee3a40abc2e2828242f68b4a15099f09323ece7dbb4fd35e58da3d32bf7573af82bc17736554b58
SSDEEP

196608:wLF8XVfWn24fRsChmwsAoWEZ9vjKGic9BDal:YFApWPZsY5nu9LKjc9s

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid process

2472 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
2472 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid process

2472 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
2472 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid	process
2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid	process
2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2472 wrote to memory of 2900	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 2900	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 2900	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 2900	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2900 wrote to memory of 2908	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2908	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2908	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 2908	2900	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2112	2908	cmd.exe	netsh.exe
PID 2908 wrote to memory of 2112	2908	cmd.exe	netsh.exe
PID 2908 wrote to memory of 2112	2908	cmd.exe	netsh.exe
PID 2908 wrote to memory of 2112	2908	cmd.exe	netsh.exe
PID 2472 wrote to memory of 1240	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 1240	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 1240	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2472 wrote to memory of 1240	2472	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 1240 wrote to memory of 1236	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1236	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1236	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1236	1240	cmd.exe	cmd.exe
PID 1236 wrote to memory of 856	1236	cmd.exe	netsh.exe
PID 1236 wrote to memory of 856	1236	cmd.exe	netsh.exe
PID 1236 wrote to memory of 856	1236	cmd.exe	netsh.exe
PID 1236 wrote to memory of 856	1236	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip set dns Local Area Connection static 223.5.5.5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip set dns Local Area Connection static 223.5.5.5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns Local Area Connection static 223.5.5.5
      4⤵
      PID:2112
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip set dns Local Area Connection static 223.5.5.5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip set dns Local Area Connection static 223.5.5.5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns Local Area Connection static 223.5.5.5
      4⤵
      PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit