2dcdcbe3866622e94a92289b568541fa28b67f70e60680e3c533fc89ad6309a2

Analysis

max time kernel
84s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_64304170c710b21c884636a166797431_icedid.exe
Size

281KB
MD5

64304170c710b21c884636a166797431
SHA1

7244ace16483f48ff0beb293c8bfc32551429b8c
SHA256

2dcdcbe3866622e94a92289b568541fa28b67f70e60680e3c533fc89ad6309a2
SHA512

e6dbf742c225244574dfdfd00af929594381189b13162b5fa9d16957a7aafda42f3589cc635f886ccc244d6766b0abd9d8c86b63edc8980c0ccd38dee2a727dd
SSDEEP

3072:lxUm75Fku3eKeJk21ZSJReOqlz+mErj+HyHnNVIPL/+ybbiGF+1u46Q7q303lU8O:fU8DkpP1oJ1qlzUWUNVIT/bbbIW09R

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	approach.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\silently\approach.exe	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
File opened for modification	C:\Program Files\silently\approach.exe	2024-09-12_64304170c710b21c884636a166797431_icedid.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	approach.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe
2880	approach.exe
2880	approach.exe
2880	approach.exe
2880	approach.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2880	2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe	29
PID 2116 wrote to memory of 2880	2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe	29
PID 2116 wrote to memory of 2880	2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe	29
PID 2116 wrote to memory of 2880	2116	2024-09-12_64304170c710b21c884636a166797431_icedid.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-09-12_64304170c710b21c884636a166797431_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_64304170c710b21c884636a166797431_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files\silently\approach.exe
  "C:\Program Files\silently\approach.exe" "33201"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\silently\approach.exe

Filesize
281KB

MD5
48afc5447c9118d0e9e5539e81d87321

SHA1
5d1379e93c1fbe5aa0238ab0d8e1db35b334e694

SHA256
55603bbe31e41254b434e4ac7f0982bb79c63833ac1bb6ed6c4837d4bd04eae5

SHA512
a3b1cd51d08f1aa4e6bbf0ad72e415ed2bd54324ea829d9ec077b85779c291efca6b5a288419e49773a260682895eb80b49c32b9e4b4480a6392dd0fdaf89a1a

Download Submit