1fd3a8df103296f82aebb34955a91db6b247594dfe1b4be5a29aa08a9cd47ca5

Analysis

max time kernel
120s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe
Size

1.2MB
MD5

5cb533da53172780b9c6e6b1eba10ce0
SHA1

309cb75dacbe3fc2ea68f7c11acd0078d4f6f0b0
SHA256

1fd3a8df103296f82aebb34955a91db6b247594dfe1b4be5a29aa08a9cd47ca5
SHA512

6d2ed156d40683f12e4bef06e023a19aa22b93cd97a10cbe6a90a972170b49e9f73ea2866a3782f90dee5bc0b665edcfbdd68ecdde62f03cc2e6b4d80f72b262
SSDEEP

24576:0kmqQjHJl8Jusq/gRp+SsclFp4Y2IK2NOw4RYDH/mviccFj:gq68Jo4+Sscp6aOwwYDH/mviccFj

Score

8^/10

discovery

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
2244	78.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	78.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	78.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE
2244	78.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe
2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe
2244	78.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2244	2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe	30
PID 2624 wrote to memory of 2244	2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe	30
PID 2624 wrote to memory of 2244	2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe	30
PID 2624 wrote to memory of 2244	2624	2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_5cb533da53172780b9c6e6b1eba10ce0_hijackloader_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- \??\c:\78.EXE
  c:\78.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\78.EXE

Filesize
386KB

MD5
e9ed04f21ed96d365a1c7016b3ff733d

SHA1
44f1015773d5f46a8a4540b156f479a8c848d175

SHA256
96141ae4d591fd1ac4903ad13bdebe1fda5910f41e95d8f7e4e38e742c4d141d

SHA512
c5ff335174084b66dab7f34f738e0ddc24bc3b0444c267dbf6a13aff86d24d5342c78ec9b8d8221b9cba60e122d7c504f56bf5fab26b5d33b45a5ce93e7e24ea

Download Submit
memory/2244-5-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download