6795f3912d47769ffb39d713ef62ae77b39521197d738b59145a1e245e0c6cf8

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 00:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe
Size

2.5MB
MD5

2d499ba7fb093d29f703917052cbdba2
SHA1

596f6b7c98356839210fb4ddf9deb55d1d71d65e
SHA256

6795f3912d47769ffb39d713ef62ae77b39521197d738b59145a1e245e0c6cf8
SHA512

ea6091bc0a96cb7e6537793f7a0b588b853ba4a1c2e0c86f9b560b8a571c07a19051fbb74b5e050b1766c2a3ecaa0bc865bf4944aa12b63b88d17a2f8ebb3c81
SSDEEP

49152:XmvdgqxpQzgXQ3TooLeYN/yKiZ3pWBST1W5KiZ/:IZpQzgXgkoLpN/yKO8OW5KO/

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3424	DXKI.XBNZH

Loads dropped DLL 4 IoCs

pid	Process
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fuzhu.dll	DXKI.XBNZH
File created	C:\Windows\SysWOW64\shurufa.ime	DXKI.XBNZH
File created	C:\Windows\SysWOW64\ESPI11.dll	DXKI.XBNZH
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	DXKI.XBNZH

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DXKI.XBNZH
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH
3424	DXKI.XBNZH

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4320	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe
4320	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe
3424	DXKI.XBNZH
3424	DXKI.XBNZH

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3424	4320	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe	86
PID 4320 wrote to memory of 3424	4320	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe	86
PID 4320 wrote to memory of 3424	4320	2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe	86
PID 3424 wrote to memory of 3676	3424	DXKI.XBNZH	90
PID 3424 wrote to memory of 3676	3424	DXKI.XBNZH	90
PID 3424 wrote to memory of 3676	3424	DXKI.XBNZH	90

C:\Users\Admin\AppData\Local\Temp\2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_2d499ba7fb093d29f703917052cbdba2_hacktools_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\DXKI.XBNZH
  "C:\Users\Admin\AppData\Local\Temp\DXKI.XBNZH"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DXKI.XBNZH

Filesize
2.5MB

MD5
7bf482d9ace7d8ed7484a1712b2caf5d

SHA1
b541fd4006ddda0d90f6166a3b3c3ce68fb1264f

SHA256
803b9282284dd20b050b404fac9c6b24617a6568e533462aa01e8addb22cdc73

SHA512
2c5162e57da905b6b6c6d1dc53699c118dcdde31835a26dc2d1cf107c6e9d3c61d97e43f620a992eb2ed363bfe8fded82283985d6cd65f85ed345a4907604373

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESPI.dll

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Windows\SysWOW64\shurufa.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/3424-27-0x0000000002320000-0x000000000232E000-memory.dmp

Filesize
56KB

Download