adefc643b9a8801ed84087b7cc28b1b88087783dca967e8f092cf0832ae616f7

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
Size

1.7MB
MD5

8444025ad5a804c44d153a36438c6658
SHA1

96f2c4ab475f13ae091ff4d0a9aa16e01f650a85
SHA256

adefc643b9a8801ed84087b7cc28b1b88087783dca967e8f092cf0832ae616f7
SHA512

46b86145ef3863cd724e7a9a2a4d964d89a4b391949123a034e9213ec6a20343b2b03e694cb06c369ae5a6d6f301ee9f9ffc13dd97e339fe459ba3537d59f1bf
SSDEEP

24576:iXzUbSX5Z/IYno0dbnn9Zc5NcQlgo1oyW06I/6DHZ4NqzUHME:iX4uXjo0Z9Zc5NcQ6o1o/Ie+N7sE

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1216	Server.exe
2684	Jhfnhcx.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
1216	Server.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfnhcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1216	Server.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
1216	Server.exe
2684	Jhfnhcx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1216	3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe	31
PID 3040 wrote to memory of 1216	3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe	31
PID 3040 wrote to memory of 1216	3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe	31
PID 3040 wrote to memory of 1216	3040	2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe	31
PID 1216 wrote to memory of 2684	1216	Server.exe	32
PID 1216 wrote to memory of 2684	1216	Server.exe	32
PID 1216 wrote to memory of 2684	1216	Server.exe	32
PID 1216 wrote to memory of 2684	1216	Server.exe	32
PID 1216 wrote to memory of 2796	1216	Server.exe	33
PID 1216 wrote to memory of 2796	1216	Server.exe	33
PID 1216 wrote to memory of 2796	1216	Server.exe	33
PID 1216 wrote to memory of 2796	1216	Server.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_8444025ad5a804c44d153a36438c6658_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Roaming\Server.exe
  "C:\Users\Admin\AppData\Roaming\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Jhfnhcx.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Jhfnhcx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\Server.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Server.exe

Filesize
973KB

MD5
535cebb9e1e7d63faf78c965f03d4b85

SHA1
b820b2673c431d8257166c57328033f0be139930

SHA256
2a5119083a4c9324cd2ad0abd314cbf1bff78ad57daf5be211ece46d4327bd72

SHA512
4d2974e6a31866dcee3d011ebd538fc9da0b370f6fafe45d4223f1d70cceb9474b627c686f506c4832d46865dbbcae57526dfaa885e34b774832483bb4f695e2

Download Submit
memory/1216-12-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download