Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-10-2024 16:43
General
-
Target
2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe
-
Size
2.9MB
-
MD5
a4549e4bb83313dfc98109bb28c433d2
-
SHA1
0cab6e2522187c0e06f592832c11b1cab396eeb0
-
SHA256
2539300c8edd75c14dd5759307f62bb801a097fb7e7933446d4354e99dc99ce9
-
SHA512
abe53f9fe0e0bbd80fd5f5f2764eed3c28b9339b57e562cd8fd03d84ba20ab59612791797777c33a4782a17e1e8d3448412e7eba82e3860c006c4c984ba9a6c2
-
SSDEEP
49152:VQZAdVyVT9n/Gg0P+WhoeD4Fk+XGwv2tP1zTPADnWPMklKu8bi4O8b8ITDnl13S:OGdVyVT9nOgmhKk+Wwv2tP1PPknK
Malware Config
Signatures
-
Detect PurpleFox Rootkit 9 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 10 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 9 IoCs
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe"C:\Users\Admin\AppData\Local\Temp\HD_2024-10-18_a4549e4bb83313dfc98109bb28c433d2_icedid.exe" --channel=2728.0.1146652286 --type=renderer3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259451331.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5737ac176981c442e531efe4f82c872db
SHA1df8a2503ae3fda67b06681c9c69131c8ac735c93
SHA256c5b2f7566fabbf606f93cbbbf1dfdc2e2d8c211d9271f6740cb708149db2a31b
SHA5126a5b371e87c70fc014caaf2a369feadc9d7cc26d4c95ddf53a4a1c469c5874b2c1f0408de9b5c880f8753f503d2675878a6f1e1f50746042aa311f3dad7370cc
-
Filesize
1.5MB
MD57a97aa40d8a3da4a9095873c72d524c5
SHA1d219db66995e0548ea1226cb1806388b1ac718f7
SHA25600d2ce2c35e8f2d31c2a8778c6e8846be3d1467cd1e66aa494571a14dea0e4d1
SHA51216de6e0fdda9ebd7de996e97f73d9fad661c947320b604e5aafdcde50ee4582b1b07da98233b12dc76c464abe2104323c056b1ab477532ee10f5117cb03aa90c
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize
50KB
MD5c0cbb8c25ffd499a590da0001bfbb5f6
SHA127dbcea4d41e3bbc172e9fdb693c14d6a7c264f2
SHA2566d56c2bac81ecc0193ada74cfc18ac20022baffe0395bba8d1f76ef039873454
SHA5128fcb85f9110fda85c8959fb86ac206bc660cbd2126f179705c917b817c75075d8607f1b07ffcc38477a4d8ea33d8e8c3082e0b56ac2d816f38585acb7c54f27b
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB