353598534e9d8434f2a824936196a4bba65c952e01b55d933347a3c75cb4de5d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe
Size

19.9MB
MD5

976313c5bb26ded943593c272cc45f85
SHA1

4d40a66595988ba556b5abade73a49918cd6a572
SHA256

353598534e9d8434f2a824936196a4bba65c952e01b55d933347a3c75cb4de5d
SHA512

c3d49b0a0b350ce14bf270fe5dbf758e035c8d83183cf5d0abff5763b122db4b2deae85591afa9a66e15a3c35cd212bd1dc8cf5447359897d6167061e3137e69
SSDEEP

196608:5NjmHTEwfYI/cwZPmyYj4PaX3kkJpUYdT3sXCrxsQ59XaPtGG9cY4eR3GBXlCCfK:5NiHTTgxV3xsRtneY4ewOGskNcI2

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2320	@AEDB61.tmp.exe
1896	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe
2476	WdExt.exe
2148	launch.exe

Loads dropped DLL 9 IoCs

pid	Process
2052	explorer.exe
2052	explorer.exe
2320	@AEDB61.tmp.exe
2052	explorer.exe
764	cmd.exe
764	cmd.exe
2476	WdExt.exe
1100	cmd.exe
1100	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AEDB61.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2320	@AEDB61.tmp.exe
2476	WdExt.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe
2148	launch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2464 wrote to memory of 2052	2464	2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe	31
PID 2052 wrote to memory of 2320	2052	explorer.exe	32
PID 2052 wrote to memory of 2320	2052	explorer.exe	32
PID 2052 wrote to memory of 2320	2052	explorer.exe	32
PID 2052 wrote to memory of 2320	2052	explorer.exe	32
PID 2320 wrote to memory of 764	2320	@AEDB61.tmp.exe	34
PID 2320 wrote to memory of 764	2320	@AEDB61.tmp.exe	34
PID 2320 wrote to memory of 764	2320	@AEDB61.tmp.exe	34
PID 2320 wrote to memory of 764	2320	@AEDB61.tmp.exe	34
PID 2320 wrote to memory of 2772	2320	@AEDB61.tmp.exe	36
PID 2320 wrote to memory of 2772	2320	@AEDB61.tmp.exe	36
PID 2320 wrote to memory of 2772	2320	@AEDB61.tmp.exe	36
PID 2320 wrote to memory of 2772	2320	@AEDB61.tmp.exe	36
PID 764 wrote to memory of 2476	764	cmd.exe	38
PID 764 wrote to memory of 2476	764	cmd.exe	38
PID 764 wrote to memory of 2476	764	cmd.exe	38
PID 764 wrote to memory of 2476	764	cmd.exe	38
PID 2476 wrote to memory of 1100	2476	WdExt.exe	39
PID 2476 wrote to memory of 1100	2476	WdExt.exe	39
PID 2476 wrote to memory of 1100	2476	WdExt.exe	39
PID 2476 wrote to memory of 1100	2476	WdExt.exe	39
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41
PID 1100 wrote to memory of 2148	1100	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\@AEDB61.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AEDB61.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2476
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe"
    3⤵
    - Executes dropped EXE
    PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF58.tmp

Filesize
229KB

MD5
6f90e1169d19dfde14d6f753f06c862b

SHA1
e9bca93c68d7df73d000f4a6e6eb73a343682ac5

SHA256
70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc

SHA512
f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
7df72340b9a793938bb1f455d9ab6f67

SHA1
5a9aba69e10f532b0106dba08a464e470ff873e3

SHA256
31a759a90e7c87e541f4e6f7f08348a4d7d2f926a12d789e2653119cb9a996c6

SHA512
6dbc89f1e4b7ff19d7439a45a512dadf78ad5ce6ef465166de1e4992fa3d82348cd0041155decc778c369f5d81ffba5ff297e00b17b44ab9c7ab10eb35173d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
d92e03e2d3669b57b980238f09e11a89

SHA1
0f72c995318fa640c4ea0210604e497facf1aee8

SHA256
df6c9e7cc2ccbbeff5889fe85bff69447412f966bed823adbcbdbe20a73226ce

SHA512
9ea7ad9f3d421e1d404e6945bb0d40aea0aeef264cbee685c5bc60024e0fa1f8fbe8bf840c2d5a83716df19ffc4ede8caeb3dd85ce7f3e9b74d19877f3174154

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
126B

MD5
1157f2ab0a9dc7fa2a3e3840bf261c36

SHA1
6d90f021d355fc2dad089010657a4a3ea08c731f

SHA256
b283cc3f8364169694cb86440a2dbbf6a3ff13960d22ddc56dab067fd7aba41f

SHA512
73b7d00dbdb4db2d482d0866527048ddd707f32656dddac724b2048ba1f1cfaf19a9bf6d98e4d34c4a9f44f6c7de013799b78efc256abff7e9cb7dcd1213167a

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-21_976313c5bb26ded943593c272cc45f85_darpapox_hijackloader_icedid_nymaim.exe

Filesize
18.2MB

MD5
21179ea670c6127dc2276fff931a0c6b

SHA1
7fe0fe0e99d9b0767588e426bb0e963e6354b5a7

SHA256
9d2626af3b202443d83ee5131ee4cf4ded2970ad57eed0d5348c95e3c55a65f1

SHA512
230cb015afef70efae24d66f9b7d8648a9656a2cf2edf3679468b6c8b794ebc0abeef582faf10351729a727120a34892b59d05e7a9eda21af6e2782001b391e1

Download Submit
\Users\Admin\AppData\Local\Temp\@AEDB61.tmp.exe

Filesize
1.7MB

MD5
87e3936b92b3fbbdf6e551d3e7741161

SHA1
09b174c7c2d5fecf717542dcb07a3d4d888fb6d9

SHA256
28e33430274e6aa8c45a46268905cbaf8945e34c8755117a54b9fcc9b2c2993e

SHA512
2d13a994f85d64fd72582ff97a36d876acbf1b6f740d71fb05022cebb2674ebf1efa616915449c84eaebbb96159fbc4254149148d88f8dd97bb8b109569d546c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/2148-280-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2320-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download