Overview

overview

9

Static

static

3

2024-06-10...id.exe

windows7-x64

9

2024-06-10...id.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-10_b98fd82d30fb5972bedcfe490d82bf61_icedid.exe

  • Size

    38.4MB

  • MD5

    b98fd82d30fb5972bedcfe490d82bf61

  • SHA1

    7a4e98c13d7fad348d408c7904c1c0c248803340

  • SHA256

    febf2ca4d433c5cf54c65aa7c7e09e1d2afc443bada2ff9773f7d8e5812e9f65

  • SHA512

    9400d5e3dd844a472dd991101ed63e6ef26fd665ed7f0cdebea1a3a3598aa138651aac651eebc63f8221c7a1290ea720668189b2c7247af62fe5ca4b58d649d3

  • SSDEEP

    786432:CejfTZH3PqRky+Ywd/mrVioPL4KhXXVVuVoB/SK2sv:fjbZXPImuU8EKV6C

Score
9/10
discovery

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Program Files directory 44 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_b98fd82d30fb5972bedcfe490d82bf61_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_b98fd82d30fb5972bedcfe490d82bf61_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" "C:\Program Files (x86)\Metadata1\BetaLang.jpg"
      2⤵
        PID:2564
      • C:\Program Files (x86)\Metadata1\Launcher.exe
        "C:\Program Files (x86)\Metadata1\Launcher.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Program Files (x86)\Metadata1\1C0A0B0C120F156D155B15B0A0F160A0C160F.exe
          "C:\Program Files (x86)\Metadata1\1C0A0B0C120F156D155B15B0A0F160A0C160F.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of UnmapMainImage
          PID:2356
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /i C:\Users\Admin\AppData\Local\Temp\timeweii.msi /q /norestart
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\SysWOW64\wusa.exe
        wusa.exe C:\Users\Admin\AppData\Local\Temp\timeweii.msix64.msu /quiet /norestart
        2⤵
        • Drops file in Windows directory
        PID:3008
      • C:\Windows\SysWOW64\wusa.exe
        wusa.exe C:\Users\Admin\AppData\Local\Temp\timeweii.msix86.msu /quiet /norestart
        2⤵
        • Drops file in Windows directory
        PID:2820
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
        PID:2592
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 9624C786A7853142A3E15E81C9C0E986
          2⤵
          • Loads dropped DLL
          • Blocklisted process makes network request
          PID:2928
        • C:\Windows\system32\MsiExec.exe
          C:\Windows\system32\MsiExec.exe -Embedding F78E151CC0F3D98540A03E54F6C20327
          2⤵
            PID:920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\f765ae0.rbs
          Filesize

          608B

          MD5

          41a833ca5ebd8aede3367b137299e5fa

          SHA1

          5d49d27ccb1b807448ee3bc757a99ec880fe15d2

          SHA256

          99d1dd7d530cce1ff638c0bb0e2f43188577982f00d3454346fd509e30e3b658

          SHA512

          409164e05d116aac8fe34df2d928d63dae39e680fe98d55df6070c948bf5a77a4bf4839a454d9e0d43489bc21c9a0343f83ef02fc6ce7b50bab681292982e8fd

          Download Submit

        • C:\Program Files (x86)\Metadata1\ExuiKrnln_Win32.lib
          Filesize

          1.3MB

          MD5

          4f2b40a72f89837ee39b7af2e33dd672

          SHA1

          69346069bd65fd33d9097c13f782b749a23c44af

          SHA256

          bb7be0935d6fa554fc1daf7db4502c65a27ffaaf26639214bf7ef370f99b9cf3

          SHA512

          38a23da435c3f065a2ad6c5166863a12486aba361f3e758551e5cb44980d30b575ab184ef0f7675e634ab58257b25e2ae09eb57f79dd826a7080dfd63cebec44

          Download Submit

        • C:\Program Files (x86)\Metadata1\ExuiKrnln_Win64.lib
          Filesize

          1.8MB

          MD5

          dbaf95ed9bf6b9ffa44bdf46043e20e7

          SHA1

          4c08a8def960a9a391c0415d4c3d7c96e0cfb8a9

          SHA256

          d4bc06e86279869af83c89728bb7a057de640e9ff6ba0ba03804732a0eae9a07

          SHA512

          6105ea4ff6a2b2d301d6796a2533cabe70b96c59f66b2d9a73ad79513baee5aedf4fae7b4c526ef81a5062d7450adb934126a8879b5ad6ba41ef4c5df5668ad1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\timeweii.msi
          Filesize

          1.2MB

          MD5

          ce6bfaef90f6a5365c37b07e65eb9264

          SHA1

          8b11f826932a5444067399c3c48720a91e9ffeb7

          SHA256

          f55b3aab50ce0d22cc3ec504f17a9bdb5a8840263e10209c12b3beddb12ab2eb

          SHA512

          c9a57c3835b628cd7612f29172ad571c67ace5d8614133e7c951becc3b0386cbd07a467b95dab90fd731dadd7110aa0380de94280956c1238326586eb0de4749

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\timeweii.msix64.msu
          Filesize

          796KB

          MD5

          c7a9ad8a726a867ce85803519c16c4ec

          SHA1

          5b067ffb69a94a6e5f9da89ce88c658e52a0dec0

          SHA256

          bc35e63a125eb2dce45971bedc7ef8a78706b7e26286aed0cf664999ad833eda

          SHA512

          5fa087c4ba5d7173506de8fa0761f3c4d76395eb6ea0ff8d4dfa31ba90b2ee9f6a3387191452c69122623616faf95448827cfd7cc7cb76a807912177e0cc0773

          Download Submit

        • C:\Windows\Installer\MSI6943.tmp
          Filesize

          78KB

          MD5

          f3be41747464ed10a17ead59d5ed8ea1

          SHA1

          dbfa1aa59ddb7e2b051036e6a57ed8ff3f1c1e0e

          SHA256

          0d206debd16abd95a0dae3a9d9578860f5c917f9342a23ee7c0c024539771cca

          SHA512

          d3ea042971594f00c33de7243193d9974975196dff835ad8125a6399fbbb5dbb3296f47fb5769454f236888b2007a931fa931a77700324c1c73ace3487e6c319

          Download Submit

        • \Program Files (x86)\Metadata1\1C0A0B0C120F156D155B15B0A0F160A0C160F.exe
          Filesize

          27.2MB

          MD5

          1f91636c71528497d056ab7e011e17a1

          SHA1

          0cc9959dfdcfb70371b22f3b6a0ea3fe99b9d5c2

          SHA256

          8bce73c978370dcbb16bad44e1495becbf1bee550570d094a690dcc332873ab7

          SHA512

          a1505eabefcbfd576031f1e1412f8a82d2a76d437be62ce2dc13593e3f58ddd4eb618995b13d67243599079c888986a81c7983eb6cadf2011cf5ab7bee5d47ad

          Download Submit

        • \Program Files (x86)\Metadata1\AntiCheat.dll
          Filesize

          3.4MB

          MD5

          b181808a51b6a4d61039dfa7c9afdd88

          SHA1

          49cd8cff761a370e4928a1fd8257abf5c667ba99

          SHA256

          732c0f98cd19c14b3c8ada1b19685cb63e2be8f3b97f249be0aa310fe7b2c95a

          SHA512

          ffd4306e5301b2daade5e4d7069bd0e2914d6be2c5aed46758ba6ce2b2e39e9c6cd6315842a537cb110a36b17159299813716dbec3d5fda11d64de6fa0f53ba2

          Download Submit

        • \Program Files (x86)\Metadata1\Launcher.exe
          Filesize

          27.2MB

          MD5

          0e8eacd8d2aaf7c18a64f05952549ba0

          SHA1

          b90305652566e8e2337d65f0f522a5ed59dc77d8

          SHA256

          276ab3ec275f3fdb76fbd32aa07b28e5c19d2f6f66b0172feb3690e6f2cab205

          SHA512

          3d2a4b6414aa0ba4b1097d748e389d30622880796584d1bd398cad487b9fd49e4955cd79f348f4fb02ad5eb865644d0726257fe125d060b1761f1a9bf2943b5d

          Download Submit

        • \Program Files (x86)\Metadata1\Uninstall.exe
          Filesize

          1.7MB

          MD5

          eade5b8fdc8ecd409087169ba5e12e38

          SHA1

          24967a0cc7046e4eef7c55be488567c7e59c6636

          SHA256

          ef43f36aa450c01664ebd6e4566cd07287271ddd77ba58bc1418900c8a058164

          SHA512

          cc5f68127bff66e941b0ddd78f750f1295db512e806695bad23c324b5db3d348b5d6ccab02661d25f12ffdd779fea7a03b18e00ccea86b9e4806df659bf50eff

          Download Submit

        • memory/2228-0-0x0000000050000000-0x0000000050109000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2592-44-0x00000000029F0000-0x0000000002A00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2704-94-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-113-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-101-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-103-0x0000000000270000-0x0000000000271000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-106-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-108-0x0000000000280000-0x0000000000281000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-111-0x0000000000290000-0x0000000000291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-98-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-116-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-118-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-119-0x0000000000400000-0x0000000003DED000-memory.dmp

          Filesize

          57.9MB

          Download

        • memory/2704-96-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-93-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-89-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2704-91-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download