e4c31b5a3c644725a1d10b4a72af14788595a5a5608887008e7b90e60b2b854a

Analysis

max time kernel
141s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

259KB
MD5

d203a131e6bc82c3a030bd1aba259ac1
SHA1

8b6c84b3edab821ce0af78daaab927d08fb370f8
SHA256

0284127636739637c3ed4503f72917511382c3558dc6df43192e47c5625355f7
SHA512

7c5bcc304529ef4ff527016f0a5ba2799cc5d066e086836fb545dad1684e76d7d02ae213868ebba891a76e790455a8d1be6df3f4f3a32d384f30ae2add0cf3f5
SSDEEP

6144:U7WlQhWFAI3xRvuvS5fbw7FqbyKMuz26t4BRUQ+KxwYo/sy9wfOX:ukFAi5uqpbdMuzHsz+KxwB/L6fy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7BE2468-E024-79BC-0134-79ACE13578AC}	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7BE2468-E024-79BC-0134-79ACE13578AC}\StubPath = "C:\\Windows\\_ice_.exe"	2.exe

Deletes itself 1 IoCs

pid	Process
2904	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	_ice_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\2.bat	2.exe
File opened for modification	C:\Windows\2.bat	2.exe
File created	C:\Windows\_ice_.dll	2.exe
File created	C:\Windows\_ice_.exe	2.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1620	_ice_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1620	2464	2.exe	30
PID 2464 wrote to memory of 1620	2464	2.exe	30
PID 2464 wrote to memory of 1620	2464	2.exe	30
PID 2464 wrote to memory of 1620	2464	2.exe	30
PID 2464 wrote to memory of 2904	2464	2.exe	31
PID 2464 wrote to memory of 2904	2464	2.exe	31
PID 2464 wrote to memory of 2904	2464	2.exe	31
PID 2464 wrote to memory of 2904	2464	2.exe	31

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\_ice_.exe
  C:\Windows\_ice_.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\2.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.bat

Filesize
117B

MD5
702485b927b42e109c9601b5d98eb7a1

SHA1
9862e3b3dd78b7e806cb803bcffed235e20a2dd0

SHA256
f9a4067e19769a3ae99fd50bdde1c76a02df04ca91cd2bef3fa79cee95461850

SHA512
04a327f2b711f6fc0999f256fc4226c3240d396f2d0d9e09646024cdee4f9358eba131023832e16716e612b869d51c14129df7283536414f79b0adde18c9a2ee

Download Submit
C:\Windows\_ice_.dll

Filesize
482KB

MD5
593281c9206254cb206ed1a311a2b111

SHA1
71faa8fc5781d0d6680683cd4368d36d84346e41

SHA256
8b2d569863ad3ef67ca0f1bf20813395718dc11c8ff2e7dae52c47fc2e84b9fa

SHA512
8a89d76eda95baeb1bb291f10aaffba26595e9462e3b2dbe1a34e904ed49dd988611fb18718d0b8a79280d3b9f567c99879298b35a2ade9c5f14c11734562dac

Download Submit
C:\Windows\_ice_.exe

Filesize
14KB

MD5
0045d352c3325905b62e3fecd3b523b9

SHA1
6038b0e6293e270ba03ba7eeb727681819dd7c46

SHA256
3be34a72990bd54ad91a149c682d5cc655da148758b55560d532082ee4872eba

SHA512
f5558f3949bb14b70eab148a1b4be5fcdfb554efb276b0f5b57c6b8049998e15ab95b8c233b9bd94f6155f9029e4b5e42b591d09be90ffda7dc31193be228d56

Download Submit
memory/1620-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1620-22-0x0000000021760000-0x00000000217DE000-memory.dmp

Filesize
504KB

Download
memory/2464-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2464-0-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2464-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2464-19-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads