Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 23:03

General

  • Target

    2024-09-08_5d7d29a9fa6013a318893206373fb1f4_hacktools_icedid.exe

  • Size

    2.5MB

  • MD5

    5d7d29a9fa6013a318893206373fb1f4

  • SHA1

    30b92e33589d602a765c5e20cb867a2758f0ea82

  • SHA256

    98bb4d3774243f4301afb9f7863320de1a1f6d6493f7f5060b289293938ab589

  • SHA512

    93ba61a1fa111ad3fa17bcc09b567442567cdf85f2aee16701d067496710331f4f0d26bc0d3e6babdbf3cd2fcdafc550e060aa5815a24701cde20dcf60114114

  • SSDEEP

    49152:XmvdgqxpQzgXQ3TooLeYN/yKiZ3pWBST1W5KiZBa:IZpQzgXgkoLpN/yKO8OW5KOo

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 4 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_5d7d29a9fa6013a318893206373fb1f4_hacktools_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_5d7d29a9fa6013a318893206373fb1f4_hacktools_icedid.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\LOIB.YYODR
      "C:\Users\Admin\AppData\Local\Temp\LOIB.YYODR"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\netsh.exe
        netsh winsock reset
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\ESPI.dll

    Filesize

    120KB

    MD5

    c3adbb35a05b44bc877a895d273aa270

    SHA1

    8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

    SHA256

    b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

    SHA512

    614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

  • \Users\Admin\AppData\Local\Temp\LOIB.YYODR

    Filesize

    2.5MB

    MD5

    2d7cafd2f1cf8da7e43740fb8d21296b

    SHA1

    11c2551cac5aaf58bc551f56ddfe9959423702a3

    SHA256

    e7b88091227e2c8783f5834ec0d096c7f20c40f4816400048569b7dffd37c96c

    SHA512

    b12cdfd3be22fb797bc0494ce62caf99ce292ad46d3f897298da2cb4484e51ebd5d3ee38ec369bda7eaec289c7a9af2ade2f02ba9726b0e16c38ee8180f46303

  • \Windows\SysWOW64\shurufa.ime

    Filesize

    52KB

    MD5

    b60da4e2e5aceba3ce3d87ee2cd872ee

    SHA1

    9bbdbf1f3ce2c000a86e0473da756a4b1031db41

    SHA256

    b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

    SHA512

    664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

  • memory/2120-29-0x0000000000230000-0x000000000023E000-memory.dmp

    Filesize

    56KB