Malware Analysis Report

2024-09-22 15:12

Sample ID 240604-nm7cfafb94
Target 2024-06-04_2e6670919c6543821f012cfc845334f4_icedid
SHA256 abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abe350c97682d509dae94c89366883d3ba5dd91ba20066ea23bc9d8238774d2e

Threat Level: Known bad

The file 2024-06-04_2e6670919c6543821f012cfc845334f4_icedid was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat

PurpleFox

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets DLL path for service in the registry

Sets service image path in registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-04 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 11:31

Reported

2024-06-04 11:34

Platform

win7-20231129-en

Max time kernel

147s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259393080.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259393080.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393
667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8
bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2328 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2328 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2328 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2328 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 2144 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2328 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 2656 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2540 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe
PID 2540 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe
PID 2540 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe
PID 2540 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe
PID 2840 wrote to memory of 1108 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2840 wrote to memory of 1108 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2840 wrote to memory of 1108 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2840 wrote to memory of 1108 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2520 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe
PID 2520 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe
PID 2520 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe
PID 2520 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe"

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259393080.txt",MainThread

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe" --cmd checkHypervEnabled

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 delegate.bluestacks.com udp
US 52.21.129.184:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 52.21.129.184:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp

Files

\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

\Windows\SysWOW64\259393080.txt

MD5 6de042f5eaae880c33cdd3e2db29aafc
SHA1 58b69182db9ea376337729e4d4ee9d19d7f51cbe
SHA256 4c54d51f8957f95bf356114306bc511d7b512b57382a2eff8abebcb000fdbd1f
SHA512 58dde80ce74ab99555b66d355817e097ce03e0cb3065f072042ff11d145dc34c8109d63dcc7d3d5643f09b151a6fffb2a2f3cdc22149f818b5abb0b18e18f0a8

\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/2144-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2144-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2144-20-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

MD5 7dc4321f6abf7303d24f192ab8539d70
SHA1 f88604f35ddbe7dfa37a03b7a3e5124573c46b99
SHA256 5e1a07cb244d9af7c4259cdccd1d7ba2837bb9b71793019985bd6f889fc9b1ce
SHA512 f1078365d637ce237e09590013253d22b3d5a1ee05e0d20d86f9a0d8ca4555d2ec5d07fe2b53adfe7a50089789c5c878b51ec8cc6561d42bcb55ad2eb721a686

memory/2620-43-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-48-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2620-70-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe

MD5 afaa1ff1ca826fbd182cd68285a6fd40
SHA1 25982bd191895b0fe69c673fcf18a1bcd481b3d7
SHA256 48e6dfbc66f740b46ed2530e94c3ce2f154586ded094b9aba9e913be0cd7a6a8
SHA512 7f84ecab7e8f531ef5b9e9b72ab17a9c8da7d4c91839872dce59e838a2d82a5acbba59e0b5a12799b18cfee15b1e87a958bf649c4b512127bd0b03ae0e9c8f05

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/2520-173-0x0000000001250000-0x00000000012EE000-memory.dmp

memory/2520-175-0x000000001A820000-0x000000001A888000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

\Windows\SysWOW64\Remote Data.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1A0B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ac9fbadf39864521590af32df6dc9bf2
SHA1 b15887da54cd24d6a2c3ad576362338b94c4b9b5
SHA256 39c389eef130c1e647e252d45dc0ca0da50401079b5f7470bc8f94443a21a9b1
SHA512 2a513073ccf3cecbba20305c4c48d5925dc4d853892dbd0045f6cfa7fdeb42b46cd47afe020b845b7b7dded0eee473055f8fdddc99880df7eb68541a6f8f82f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Locales\i18n.en-US.txt

MD5 206562eed57e938afe21fc6942fa8e59
SHA1 779e90fec866c0fd2f47da020651db71c89ec3dd
SHA256 27d611a71edf36307a7ed0651f6c5910292ac7e2b68074a7e33d306b3d93ec45
SHA512 275c3192a7aee28fad31beb521cf5e7c66010e7562ce244ba9fc4de352f35b4ab63180ed12a56ea0b1458c185e076e2d07ba6d8797467177d3c5b2ac14371b26

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

memory/2520-251-0x0000000000A20000-0x0000000000A2A000-memory.dmp

memory/2520-250-0x0000000000A20000-0x0000000000A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83a91fad57f62932a83c716f85da05ac
SHA1 fc09d93fd4b35bd8f9eb8914cb405cb8ac7d607d
SHA256 7fc6f26c2eb68294f8fbc91899f649f0ce259971d346eadbcc9110860e3cfe03
SHA512 91212964bec626e27f80e279b839a5d4c85fe6581488675ae83d077350e6f4a1f2b57b10d80be82b410db0fbcd0eee8a4162f4702d809375d5b5088bd8796ed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9c4b9825301b1441c87d4e6a20fd9c6
SHA1 f806f9eeaf40422bac416d9ae12da2613177593a
SHA256 13a641eab664a1ee1dbdf9720b1629c55e06f79d957b7df24d4298cfc8bbaec9
SHA512 8dc0a4931059462bedae1ea4d1a6e75e60294b2bb9d65b1bc25881d0fd669e13a13c61b6dd0a788a6c02a7fedba03a2f581fb77ef5906906b1c0a4f9358d8cd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f38dcb2006fc8e24e99c683063a90c4
SHA1 61ef8a35a2dfe6c4b60746dfc621f5d54688d497
SHA256 2ecdb2d7587d5212f0d7c8dcd79f3b9e625e25f3cc1d4ca3030c2e07dfd05c54
SHA512 9fd6dd9c5484ab38053f6b702beb2fa423c56ee8d56b58facdf3ae0b221e693a3ec9eb960e8de08b81d807d59eab1e0c5cdaafa515e87cdd2a6526ff16c5f1f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f4f2c8eab9dcec7676aae3eb34e5eae
SHA1 faaee59070ee32e6f7d20862b6bf7213df870869
SHA256 725446a833f0a416eb76e999ec5582175ba48d36f15b3e13d01ce0cf08973ba1
SHA512 a26c1374bff63cad89bec8965f69f1ce4b5c34d7396330951ac4dcf7f0fd080e1c37a863dae5d7d4a8f36baf7d18ad0acdc827f3764139b81d80c73e78e4f5dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 d10ab668dfdab9f69717e5485301261d
SHA1 14e047eaacb6fbc2643f11b217bba2cb68c4e09f
SHA256 7a7fca02f0481167a1f59c748f09bfff738a3c8a6f0e53ae4a2c0a7efa514633
SHA512 9327abbafe427d22d3584ef34325a87406fa7eb74c44c39bf506bb2e9b369a337243e3148f71f8fc70038017b3f7a063a15f446f68176e690aa2cae13c0c2400

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 515e9d50b1d89cddb5e73b5d652fc56e
SHA1 96333eda5855309fb899da93c1b851bbdd8bc3b5
SHA256 242ce7e5e0ecc14541773d83091efb1e118f2c58474d176f0414782a31bf1b7c
SHA512 e8c01730799421553316177bebd391f22edf84fea583b855841301c2a12a6b523afd6516504232d8c81b5875c106a654dabbe487f1ebc1758eeed47e36c174eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9a49b2e790f374eb726ffc5ba55cde0
SHA1 b932070bdced6c956b8f6febc7643cf819741c8e
SHA256 51a0ebc643f3a668075b90e0ca05115d01ab672aa60ac554999119903a6c5b19
SHA512 04660c04b10ad873f3188a87895d1d942da7be81c93874a032fd547b98fbf21255ed4b13760ca3fc34e057335ce5366abe0c551529e82c5dc2a4e20e6dfa1b31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9eed74eb8aeaaaea2455596004da8f0
SHA1 b000852a2fd42474916ad9569e3c46f1cb477d14
SHA256 c68e6d90eb4dc1594c90903418784942680c0ceacd6f8ee461356b744bc4abe9
SHA512 46a0137bc9408cec34cf8f4231543cb0956da1bb2ce231d06e0ffea1a3bd68c1c8901a3e2e1966b4b7359b9f16fd2432a87dbec13c080905d7d6665f999488b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12381615e882d2b81cd1d0fcece49eca
SHA1 9fbf860c509591c6283d084152cd73210e1a8ffd
SHA256 38c1e401a12789dd3d44d57b094b9d566aa0fcd6e21c446b066f9d1b436de112
SHA512 60c79f3db416f4e495a29b0c6ce9d05e1a83e487a68ae06414214fd790c0a97bd38c6fce5ad642da76352db55a9114c798df45448f3eeec90c57f5cd599343d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6cb8b6d83288f26612ba8a93c6add26
SHA1 37251e7b22e33df125ba35789ffd439601fb092d
SHA256 1c417c9eac09c213d7ea67cdc36a6e615017464b7ea9ad83e2db0693c9c03b31
SHA512 0e38c895b34962b75682658932284d7ac7b9f6e2e269faa94eff6fa2d1743f33eaf9cefc23f242755e52f2ece0f52bcfb9b036abc2bcaefdca396ea2a3c296b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 404a187c99d1ea6a9ea5e02c5ee1de7f
SHA1 f8573c656100d69d4471f5b15547bbbf2d441775
SHA256 0a80a661472ac306c186da5fc9ecb3f7cff5309719919d8438d024da18ee4601
SHA512 feaeee34878f4064878f9923e5573d4622cb8e2785cb88a988bd2b3f92bade8da5ba11d94b667435919911ff5cd0f371ad3441ec1204d8928d15d12c228cb0b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6afacd9669299474f42b185b84920e3a
SHA1 b1c91110e615e2364b6a57934b08abab400c8270
SHA256 9d96ad4ddafff08f51c795c9ff58b14d06610f274fb220e61dfc56a01ba00f4f
SHA512 572b98d1b9ebc453b33ee58e9285b5770155f0df2569014a72737cb69c834b35ea805ac2ef1fe0ad4657e18d1337dfe506e80df5fca010abaad49ef01951530d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89e32c2bac56e226d12787e17c735396
SHA1 4ddecfd4ba7884d80d5fb37456b7f4c05a6d918b
SHA256 fb4508db0139043d8fdc514ee7dcbb1d30e5e50683e5fa01bd868dcc8dca8e23
SHA512 420215841eeb39a3b3a4d636f774f1f5b892a238c241fa907ed97c16de2b3f4a38b6bbce4861daeb0e5217a80ab6a5d07c2089f264b2410301b30e8661d72618

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Assets\minimize_progress.png

MD5 1504b80f2a6f2d3fefc305da54a2a6c2
SHA1 432a9d89ebc2f693836d3c2f0743ea5d2077848d
SHA256 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6
SHA512 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Assets\exit_close.png

MD5 26eb04b9e0105a7b121ea9c6601bbf2a
SHA1 efc08370d90c8173df8d8c4b122d2bb64c07ccd8
SHA256 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157
SHA512 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Assets\error_icon_72.png

MD5 4aaf83d2b3fd56ad806708e60474df39
SHA1 144777a265879b69fadea3eb3ac6939458918578
SHA256 84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f
SHA512 3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

C:\Users\Admin\AppData\Local\Temp\7zSCE9C3226\Assets\link.png

MD5 ae2c73ee43d722c327c7fb6fdbee905c
SHA1 96f238bf53ac80f5b7a9ad6ef2531e8e3f274628
SHA256 28c0abc6bfe7a155815104883a37a53dd783d142300471064c95eddf3cae0eaf
SHA512 5a1e341f727cf1cb4832cced8e96c5a74971451629603c48bfb91ceb4561d0122ab9ae701f8b34681d5f13115a384467d430ccb8282494b40f4577ebc3ad825b

memory/2520-1000-0x0000000000A20000-0x0000000000A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b5d8bb398b8becec50bbfdc050092b1d
SHA1 d62c9521e0585b74183b51d921fcb06d114e8932
SHA256 eb0f5f9a7d0d328e67c8e250a41decc5bcb0fe3935ad4c2eb27063beaa99fe08
SHA512 7602c55cf3bd117bdc39375ac1fdc1fc49953e0f31e277207f1f90747c32f2b38d445c99ef4c1f4df9b2565499fcb77fc259b37084d6bfd6d981d68fcb913dff

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 11:31

Reported

2024-06-04 11:34

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240595953.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File created C:\Windows\SysWOW64\240595953.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 948 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 948 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 948 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 948 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 948 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 1464 wrote to memory of 4872 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 1464 wrote to memory of 4872 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 1464 wrote to memory of 4872 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 4184 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 948 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 948 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe
PID 1536 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe
PID 1536 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe
PID 5084 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5084 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5084 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1840 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 1840 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 1840 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 1840 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 1840 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 1840 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe
PID 4544 wrote to memory of 4304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 4544 wrote to memory of 4304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 4544 wrote to memory of 4304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe" --cmd checkSSE4

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240595953.txt",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 181.86.160.34.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cdn-bgp.bluestacks.com udp
SE 184.31.15.56:443 cdn-bgp.bluestacks.com tcp
US 8.8.8.8:53 56.15.31.184.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240595953.txt

MD5 6de042f5eaae880c33cdd3e2db29aafc
SHA1 58b69182db9ea376337729e4d4ee9d19d7f51cbe
SHA256 4c54d51f8957f95bf356114306bc511d7b512b57382a2eff8abebcb000fdbd1f
SHA512 58dde80ce74ab99555b66d355817e097ce03e0cb3065f072042ff11d145dc34c8109d63dcc7d3d5643f09b151a6fffb2a2f3cdc22149f818b5abb0b18e18f0a8

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/4184-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4184-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4184-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4184-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1464-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1464-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1464-29-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_2024-06-04_2e6670919c6543821f012cfc845334f4_icedid.exe

MD5 7dc4321f6abf7303d24f192ab8539d70
SHA1 f88604f35ddbe7dfa37a03b7a3e5124573c46b99
SHA256 5e1a07cb244d9af7c4259cdccd1d7ba2837bb9b71793019985bd6f889fc9b1ce
SHA512 f1078365d637ce237e09590013253d22b3d5a1ee05e0d20d86f9a0d8ca4555d2ec5d07fe2b53adfe7a50089789c5c878b51ec8cc6561d42bcb55ad2eb721a686

memory/4872-142-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4872-152-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4872-153-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe

MD5 afaa1ff1ca826fbd182cd68285a6fd40
SHA1 25982bd191895b0fe69c673fcf18a1bcd481b3d7
SHA256 48e6dfbc66f740b46ed2530e94c3ce2f154586ded094b9aba9e913be0cd7a6a8
SHA512 7f84ecab7e8f531ef5b9e9b72ab17a9c8da7d4c91839872dce59e838a2d82a5acbba59e0b5a12799b18cfee15b1e87a958bf649c4b512127bd0b03ae0e9c8f05

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b5d8bb398b8becec50bbfdc050092b1d
SHA1 d62c9521e0585b74183b51d921fcb06d114e8932
SHA256 eb0f5f9a7d0d328e67c8e250a41decc5bcb0fe3935ad4c2eb27063beaa99fe08
SHA512 7602c55cf3bd117bdc39375ac1fdc1fc49953e0f31e277207f1f90747c32f2b38d445c99ef4c1f4df9b2565499fcb77fc259b37084d6bfd6d981d68fcb913dff

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/1840-179-0x0000000000220000-0x00000000002BE000-memory.dmp

memory/1840-181-0x000000001C7E0000-0x000000001C848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Locales\i18n.en-US.txt

MD5 206562eed57e938afe21fc6942fa8e59
SHA1 779e90fec866c0fd2f47da020651db71c89ec3dd
SHA256 27d611a71edf36307a7ed0651f6c5910292ac7e2b68074a7e33d306b3d93ec45
SHA512 275c3192a7aee28fad31beb521cf5e7c66010e7562ce244ba9fc4de352f35b4ab63180ed12a56ea0b1458c185e076e2d07ba6d8797467177d3c5b2ac14371b26

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

memory/1840-190-0x000000001DE00000-0x000000001E328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

memory/1840-192-0x000000001D130000-0x000000001D168000-memory.dmp

memory/1840-193-0x000000001D100000-0x000000001D10E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\installer_minimize.png

MD5 38b539a1e4229738e5c196eedb4eb225
SHA1 f027b08dce77c47aaed75a28a2fce218ff8c936c
SHA256 a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2
SHA512 2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\installer_logo.png

MD5 e33432b5d6dafb8b58f161cf38b8f177
SHA1 d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a
SHA256 9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183
SHA512 520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\close_red.png

MD5 93216b2f9d66d423b3e1311c0573332d
SHA1 5efaebec5f20f91f164f80d1e36f98c9ddaff805
SHA256 d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb
SHA512 922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\custom.png

MD5 03b17f0b1c067826b0fcc6746cced2cb
SHA1 e07e4434e10df4d6c81b55fceb6eca2281362477
SHA256 fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b
SHA512 67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\unchecked_gray.png

MD5 e50df2a0768f7fc4c3fe8d784564fea3
SHA1 d1fc4db50fe8e534019eb7ce70a61fd4c954621a
SHA256 671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396
SHA512 c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\backicon.png

MD5 7ff5dc8270b5fa7ef6c4a1420bd67a7f
SHA1 b224300372feaa97d882ca2552b227c0f2ef4e3e
SHA256 fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1
SHA512 f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\setpath.png

MD5 b2e7f40179744c74fded932e829cb12a
SHA1 a0059ab8158a497d2cf583a292b13f87326ec3f0
SHA256 5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b
SHA512 b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

memory/1840-202-0x00000000215F0000-0x00000000215F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0065C917\Assets\installer_bg.jpg

MD5 3478e24ba1dd52c80a0ff0d43828b6b5
SHA1 b5b13bbf3fb645efb81d3562296599e76a2abac0
SHA256 4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904
SHA512 5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

C:\Windows\SysWOW64\Remote Data.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641