9cf6c2d6aa029a43ce8bf49663aa5f9a6bb12b6675bbedfd80ea70ca21e3cc0a

Analysis

max time kernel
125s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
Size

282KB
MD5

8cfb31ee99059b9af71c4267a98b892a
SHA1

536b97e78409eb7d01f8bed38832fbb4333bb6ad
SHA256

9cf6c2d6aa029a43ce8bf49663aa5f9a6bb12b6675bbedfd80ea70ca21e3cc0a
SHA512

991d1c84fd311362b8d1fc038bcd6fca883b518eb021977d9e9085f920a0b106495906266338822178396ea81d935bf2905303436149156816c8fe601536e7af
SSDEEP

3072:lxUm75Fku3eKeJk21ZSJReOqlz+mErj+HyHnNVIPL/+ybbiGF+1u46Q7q303lU8O:fU8DkpP1oJ1qlzUWUNVIT/bbbIW09R

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4512	against.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\shipped\against.exe	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
File opened for modification	C:\Program Files\shipped\against.exe	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	against.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
4512	against.exe
4512	against.exe
4512	against.exe
4512	against.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4512	3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe	83
PID 3260 wrote to memory of 4512	3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe	83
PID 3260 wrote to memory of 4512	3260	2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_8cfb31ee99059b9af71c4267a98b892a_icedid.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files\shipped\against.exe
  "C:\Program Files\shipped\against.exe" "33201"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\shipped\against.exe

Filesize
283KB

MD5
2c70a26cbbac8c830e5ca234cc67a7e8

SHA1
3421f42a5b742895242c885c18e3d234cf8b54fe

SHA256
13277c7ec4a4737a52e0b91f29d05bfdc42fc18b8bd1d894c6af6400954c7786

SHA512
59a4a6b6b26212a726022518a9a0b41f38004dfe27d96715e7fe88acb8856476021d81e79794ab529eb08f1466846d062eca8e4ad3a9f7ff4c4d15e9032fc23c

Download Submit