42a028ff2f8e4c636742d18441b0c016dcc673c618fd4f870e0cf84c11689d39

General

Target

2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe
Size

1.9MB
MD5

44d6589b7292f1b77547fd093452ccde
SHA1

47a6a432b37c49339f3002a0c5c177e13a5daa4c
SHA256

42a028ff2f8e4c636742d18441b0c016dcc673c618fd4f870e0cf84c11689d39
SHA512

4bc3abaf9017d6c3bb8e83d788a92ce1960d233cc7e0d580abf4c8add64687929947fe6c316bb6234ede6d630f4f7265feeaa0fd5ab2d429857a4ea995012e5d
SSDEEP

49152:i65bTChxKCnFnQXBbrtgb/iQvu0UHOaYmLP:J56hxvWbrtUTrUHO2r

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ser2plms.sys	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe

Executes dropped EXE 3 IoCs

pid	Process
1996	@AE1094.tmp.exe
1176	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe
2364	WdExt.exe

Loads dropped DLL 8 IoCs

pid	Process
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
1996	@AE1094.tmp.exe
1660	cmd.exe
1660	cmd.exe
2364	WdExt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	@AE1094.tmp.exe
2364	WdExt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 624 wrote to memory of 2892	624	2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe	28
PID 2892 wrote to memory of 1996	2892	explorer.exe	29
PID 2892 wrote to memory of 1996	2892	explorer.exe	29
PID 2892 wrote to memory of 1996	2892	explorer.exe	29
PID 2892 wrote to memory of 1996	2892	explorer.exe	29
PID 2892 wrote to memory of 1176	2892	explorer.exe	30
PID 2892 wrote to memory of 1176	2892	explorer.exe	30
PID 2892 wrote to memory of 1176	2892	explorer.exe	30
PID 2892 wrote to memory of 1176	2892	explorer.exe	30
PID 1996 wrote to memory of 1660	1996	@AE1094.tmp.exe	31
PID 1996 wrote to memory of 1660	1996	@AE1094.tmp.exe	31
PID 1996 wrote to memory of 1660	1996	@AE1094.tmp.exe	31
PID 1996 wrote to memory of 1660	1996	@AE1094.tmp.exe	31
PID 1996 wrote to memory of 2300	1996	@AE1094.tmp.exe	33
PID 1996 wrote to memory of 2300	1996	@AE1094.tmp.exe	33
PID 1996 wrote to memory of 2300	1996	@AE1094.tmp.exe	33
PID 1996 wrote to memory of 2300	1996	@AE1094.tmp.exe	33
PID 1660 wrote to memory of 2364	1660	cmd.exe	35
PID 1660 wrote to memory of 2364	1660	cmd.exe	35
PID 1660 wrote to memory of 2364	1660	cmd.exe	35
PID 1660 wrote to memory of 2364	1660	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\@AE1094.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE1094.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:2300
- - C:\Users\Admin\AppData\Local\Temp\2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-05-29_44d6589b7292f1b77547fd093452ccde_darpapox_icedid_nymaim.exe

Filesize
150KB

MD5
30f0375f6a3131533f969017be1c1497

SHA1
a42c04cd97aa12e8ad93d7a8fbf04933c150a06e

SHA256
ca944433163a9ca216ef6db95837de8c078f02506c78862febbdcc4177052b96

SHA512
18ddff7ebe15657e263c554f7726ac76aeb0d7f5a94aec4aa5d18fe7e8b3fe0ad496a58a91d128af5aee3a2739b2a14dda3dabc7888edc44d5093abc41e3e734

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12F5.tmp

Filesize
229KB

MD5
6f90e1169d19dfde14d6f753f06c862b

SHA1
e9bca93c68d7df73d000f4a6e6eb73a343682ac5

SHA256
70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc

SHA512
f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
297646a8a1ddb070d605aebd93cfd91f

SHA1
bee9436bead79b0806c17daf854d6e6d375ebf18

SHA256
5ff007a6eb6d935e8caa88799e100a6a7639bbed00f2efc338cf8e29ea62b764

SHA512
ef8d5178e1cde0095d81964add4821e70df69b7c400bf0c709d0b06c95018b64129f70c07808d989e230b7f17a7d21207c509d3f90c7cab84f12a77e028fc474

Download Submit
\Users\Admin\AppData\Local\Temp\@AE1094.tmp.exe

Filesize
1.7MB

MD5
11005f4e543542f2e7da8736e531b2aa

SHA1
ea772fa77a851d535dba88abe9eb8221dbac443c

SHA256
0a48c575047c428c8a48f5e2bcaacffce7d8fecd8ed74112a3eb2a2b38af7706

SHA512
b97310aaee721e2794d9e06e6d31aa85fe2b0d664543476eee602f41b8209ac16d6fc5deccb0c3fd2a5287c818029975872e5c43231409ea07872c2eb09ed9f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
590c9ef4cfa41ca551a99c708899c257

SHA1
4b09a910433ec8cacca308b4deb3cee9eb6eb09e

SHA256
76e93522a660b13b31004446386f84976666bb8fde1b58d3a07b06cc2025e168

SHA512
ea37ff4a731e7b0344b5c358c98d557c9934a89c8bcb1691c181e0eb9c27babee4ec979fde78a5ac79a4701d1c68e874d60bafd45892df3882d5d8d6ecc12a57

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1996-20-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing