Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 13:31

General

  • Target

    2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe

  • Size

    3.1MB

  • MD5

    64bf0cc952e3709e7b47e411780a94c8

  • SHA1

    ce17b54a681c1b7ad11a426ef1b8965303c1da38

  • SHA256

    23d959b6953113b4c9b674c6f8eb41d65e8504d3db4f8c3045df4a59563b2c7b

  • SHA512

    0e08968828f0eb2b89bcf297be3e250e31520c2ee78128a36fc2a3d83f0c93dff27f953385c2fa38b3be491d5cb27748c17e882786f33aad6d15c4340d0eefd1

  • SSDEEP

    98304:4MDtIXLr06AdfEThF35Pzu7Q9mbkqKkodM3:ormEdF3iQ9mgqKkV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241025133117300.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.Exe /delete /tn "Maintenance" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241025133117300.xml"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241025133117300.bat" "
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
      • C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1744
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zb20241025133117300.bat
    • Filesize
      736B
    • MD5
      f2e439d133bea259fd8e5bff317f26cf
    • SHA1
      7dbe3e43b6b69088020fecfa53f876fd8fc56a5a
    • SHA256
      d32a4cde9394cb947a912dc17fbfead8be1864181b03847a6363ccdb2f50ec85
    • SHA512
      27fab4caf661ec14856ee9f5df55b806288199cf9fbd5d30aaf72f0bce28b0319fe7c54ad8510d1f4e7c27f687bbe28dbc88bdba6941163d5555862dfcfcd501

  • C:\Users\Admin\AppData\Local\Temp\zbe20241025133117300.bat
    • Filesize
      389B
    • MD5
      d64fbef3ceaeec59a5aaff6380f4c7b0
    • SHA1
      78ecfc9a408bde923acefedca44fbf3365407af4
    • SHA256
      aac16463b0975f49662a83ecdd2a7d9aeeb2e75019f775b19d3bcf11358fa1aa
    • SHA512
      548dc8e13f40dc80e265177963afdc0cc2864a948e50440e289f884a7bf39f26630d78b972cfeb0848294ae9723eb92fd5d26961ddea686f721b910a7f5895e7

  • C:\Users\Admin\AppData\Local\Temp\ze20241025133117300.tmp
    • Filesize
      3.1MB
    • MD5
      5e257f0de14b5df97d2d612fc16bdba9
    • SHA1
      3909ad43252d24ffe20d11dddd9c2dcea8bb8032
    • SHA256
      5976d64cdca51156d14e5c4a7025e653942ab98948347f7a54edb643cb4d755f
    • SHA512
      f55ad6949c661772a9bf10bfcad3af4ddf62192d54047b1c7588e928a70f894791e7e5b56659c880d9d6f78eb6e171f9dbd99c416ac268836084f33478f3a4b7

  • C:\Users\Admin\AppData\Local\Temp\zx20241025133117300.xml
    • Filesize
      1KB
    • MD5
      a509440011c1cd28069fae8570804731
    • SHA1
      f9b308d36c726fb7613af7466fe6f5572dc81213
    • SHA256
      be48d33a2dde30ef7f4dfd3bfd54ce8475822cb89073f5e52a70917ca264dfdc
    • SHA512
      e9fc7536a8c9e5de64686fb568ab76305e800ce8755435dc3fd536e411bef3f62939d6d2da01ae9ceb59bfaf3988fe22253e3797dc026c7b259e1cd339fade0f