4a417f62a755bf5e0b2721b6d40fbf82fe925f0ee68e4fde8ba56c15aaa00f51

Resubmissions

29/11/2024, 09:15

241129-k73cfaxlfz 10

31/08/2024, 21:23

240831-z8h3hswela 8

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
submitted
31/08/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
Size

10.0MB
MD5

2852198f3ef4c8bdd1ea978ed82591e3
SHA1

717992777e1d521822df536742ee213f373596c3
SHA256

4a417f62a755bf5e0b2721b6d40fbf82fe925f0ee68e4fde8ba56c15aaa00f51
SHA512

edcc3bd01f993e9ff509f5457e13d995b4ae854b30e67fe1c59f2e70b3fef532849d01fb81b0c83ca7cf121c40422e29b73d5b6a12bf8daaa9b5e793fa3169e4
SSDEEP

196608:Oky3BgLy6ipLtOPAr8pY/7ZBPVKpKevWp/:Ix2yNZ//N92KeOl

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000004ed7-9.dat	acprotect
behavioral1/files/0x000500000001925d-21.dat	acprotect
behavioral1/files/0x00070000000173de-189.dat	acprotect

Loads dropped DLL 7 IoCs

pid	Process
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000004ed7-9.dat	upx
behavioral1/memory/2416-11-0x0000000010000000-0x0000000010387000-memory.dmp	upx
behavioral1/files/0x000500000001925d-21.dat	upx
behavioral1/memory/2416-23-0x0000000071690000-0x00000000716C0000-memory.dmp	upx
behavioral1/files/0x00070000000173de-189.dat	upx
behavioral1/memory/2416-192-0x00000000711E0000-0x0000000071418000-memory.dmp	upx
behavioral1/memory/2416-193-0x0000000010000000-0x0000000010387000-memory.dmp	upx
behavioral1/memory/2416-194-0x0000000071690000-0x00000000716C0000-memory.dmp	upx
behavioral1/memory/2416-196-0x00000000711E0000-0x0000000071418000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2108	cmd.exe
1356	NETSTAT.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1356	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	NETSTAT.EXE
Token: SeDebugPrivilege	2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2108	2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe	32
PID 2416 wrote to memory of 2108	2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe	32
PID 2416 wrote to memory of 2108	2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe	32
PID 2416 wrote to memory of 2108	2416	2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe	32
PID 2108 wrote to memory of 1356	2108	cmd.exe	34
PID 2108 wrote to memory of 1356	2108	cmd.exe	34
PID 2108 wrote to memory of 1356	2108	cmd.exe	34
PID 2108 wrote to memory of 1356	2108	cmd.exe	34
PID 2108 wrote to memory of 904	2108	cmd.exe	35
PID 2108 wrote to memory of 904	2108	cmd.exe	35
PID 2108 wrote to memory of 904	2108	cmd.exe	35
PID 2108 wrote to memory of 904	2108	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-31_2852198f3ef4c8bdd1ea978ed82591e3_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find ":41200 "
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Connections Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Connections Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\SysWOW64\find.exe
    find ":41200 "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9781.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar97B2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
10.6MB

MD5
50c266e46ccf9bc8956279f78d51f205

SHA1
0ba5b98a91a9a019cd9b87cf01796c65ee6a0839

SHA256
c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00

SHA512
7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

Download Submit
\Users\Admin\AppData\Local\Temp\ee\Plugins\rdjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
\Users\Admin\AppData\Local\Temp\hps4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
\Users\Admin\AppData\Local\Temp\wv2++.dll

Filesize
1.5MB

MD5
860a922b27e5ff77c5ae3ef0092b17db

SHA1
58dc7a6e37d5eb0e017b480295b0a057f9274973

SHA256
48f8328a6135e7910c5ceeb05626d1d66dcdcd867b7dc7e1cc87d627d9e8790f

SHA512
302a736c1b8aa93fe118372dc8d25b84d69f7154be8110317ca289a5c3c2c6002f9e29ea1497b0cc80c61f27b6657292f6b17e8f34b25a0605e5185c9a85f7bf

Download Submit
\Users\Admin\AppData\Local\Temp\yyjson.dll

Filesize
456KB

MD5
f7e8a4be9dc7a7c3e7a75f861223cac2

SHA1
7e77900ac2fe952fba12ec88f1c92d3a13e534b6

SHA256
32e91c06f7aa35f6dde3f753b1066752db87a9bca0a33e5e043e0493f32cc4fe

SHA512
5c32d9be1c3ed0814c65af48fff0faa9d3200c8424f098f6df7f49e8ccc87880ebe891d4f19481d7870e93e5732870b02ed153125749e911a8199ec7e8388be6

Download Submit
\Users\Admin\Documents\ee\Plugins\WebView2Loader.dll

Filesize
112KB

MD5
e12389f7769a1b1d3328493518658cd0

SHA1
9b40a6bb34f1335f40d1e2fcb8e1a44d114e7d54

SHA256
3d2226dc9994f49c14de623233a99be1f3717cfda927fbde8d6e21908c279b72

SHA512
97323931a273626fb6904d5893915914c92043a7b0e13776d2bb518326cb846c9c374e6975253a4eabcdb1e526bcb081c9ff404d64787f475ba20a934a9c60a2

Download Submit
\Users\Admin\Documents\ee\Plugins\WebView2Runtime.dll

Filesize
56KB

MD5
b723e0277663c415c7b862f18c4bd160

SHA1
caa8d11ffcee0cf310ec9e512fb07d16ae34e6ee

SHA256
4429c11eefc4e40274e7ad6c6c6f7dff16298b44e7fb8c618a32d2bf70f708cc

SHA512
9994a05f61e309387dabdc1bf75d180b3f987ad9444deac0afdf538bd51e4a06e69edf675a3c40b5164a30e79a64446e71b72646a55904af8086c694cb3f1a44

Download Submit
memory/2416-23-0x0000000071690000-0x00000000716C0000-memory.dmp

Filesize
192KB

Download
memory/2416-11-0x0000000010000000-0x0000000010387000-memory.dmp

Filesize
3.5MB

Download
memory/2416-192-0x00000000711E0000-0x0000000071418000-memory.dmp

Filesize
2.2MB

Download
memory/2416-193-0x0000000010000000-0x0000000010387000-memory.dmp

Filesize
3.5MB

Download
memory/2416-194-0x0000000071690000-0x00000000716C0000-memory.dmp

Filesize
192KB

Download
memory/2416-196-0x00000000711E0000-0x0000000071418000-memory.dmp

Filesize
2.2MB

Download