Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2024, 13:31

Static task
static1

Behavioral task
behavioral1
Sample: 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Resource: win7-20240708-en

Behavioral task
behavioral2
Sample: 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Resource: win10v2004-20241007-en
General
Target: 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Size: 3.1MB
MD5: 64bf0cc952e3709e7b47e411780a94c8
SHA1: ce17b54a681c1b7ad11a426ef1b8965303c1da38
SHA256: 23d959b6953113b4c9b674c6f8eb41d65e8504d3db4f8c3045df4a59563b2c7b
SHA512: 0e08968828f0eb2b89bcf297be3e250e31520c2ee78128a36fc2a3d83f0c93dff27f953385c2fa38b3be491d5cb27748c17e882786f33aad6d15c4340d0eefd1
SSDEEP: 98304:4MDtIXLr06AdfEThF35Pzu7Q9mbkqKkodM3:ormEdF3iQ9mgqKkV
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2664  cmd.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  1744  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe

- Loads dropped DLL (1 IoC)
  pid   Process
  2664  cmd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   chcp.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe

- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2608  timeout.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2760  schtasks.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1744  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
  1744  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                                                            procid_target
  PID 1620 wrote to memory of 2872   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    30
  PID 1620 wrote to memory of 2872   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    30
  PID 1620 wrote to memory of 2872   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    30
  PID 1620 wrote to memory of 2872   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    30
  PID 1620 wrote to memory of 2664   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    32
  PID 1620 wrote to memory of 2664   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    32
  PID 1620 wrote to memory of 2664   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    32
  PID 1620 wrote to memory of 2664   1620  2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe    32
  PID 2664 wrote to memory of 2752   2664  cmd.exe                                                            34
  PID 2664 wrote to memory of 2752   2664  cmd.exe                                                            34
  PID 2664 wrote to memory of 2752   2664  cmd.exe                                                            34
  PID 2664 wrote to memory of 2752   2664  cmd.exe                                                            34
  PID 2872 wrote to memory of 2648   2872  cmd.exe                                                            35
  PID 2872 wrote to memory of 2648   2872  cmd.exe                                                            35
  PID 2872 wrote to memory of 2648   2872  cmd.exe                                                            35
  PID 2872 wrote to memory of 2648   2872  cmd.exe                                                            35
  PID 2872 wrote to memory of 2760   2872  cmd.exe                                                            36
  PID 2872 wrote to memory of 2760   2872  cmd.exe                                                            36
  PID 2872 wrote to memory of 2760   2872  cmd.exe                                                            36
  PID 2872 wrote to memory of 2760   2872  cmd.exe                                                            36
  PID 2664 wrote to memory of 1744   2664  cmd.exe                                                            37
  PID 2664 wrote to memory of 1744   2664  cmd.exe                                                            37
  PID 2664 wrote to memory of 1744   2664  cmd.exe                                                            37
  PID 2664 wrote to memory of 1744   2664  cmd.exe                                                            37
  PID 2664 wrote to memory of 2608   2664  cmd.exe                                                            38
  PID 2664 wrote to memory of 2608   2664  cmd.exe                                                            38
  PID 2664 wrote to memory of 2608   2664  cmd.exe                                                            38
  PID 2664 wrote to memory of 2608   2664  cmd.exe                                                            38
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
  Depth: 1, PID: 1620
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241025133117300.bat" "
    Depth: 2, PID: 2872
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: Schtasks.Exe /delete /tn "Maintenance" /f
      Depth: 3, PID: 2648
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241025133117300.xml"
      Depth: 3, PID: 2760
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241025133117300.bat" "
    Depth: 2, PID: 2664
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 1251
      Depth: 3, PID: 2752
      - System Location Discovery: System Language Discovery

    - C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
      Depth: 3, PID: 1744
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 3 /nobreak
      Depth: 3, PID: 2608
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 736B
  MD5: f2e439d133bea259fd8e5bff317f26cf
  SHA1: 7dbe3e43b6b69088020fecfa53f876fd8fc56a5a
  SHA256: d32a4cde9394cb947a912dc17fbfead8be1864181b03847a6363ccdb2f50ec85
  SHA512: 27fab4caf661ec14856ee9f5df55b806288199cf9fbd5d30aaf72f0bce28b0319fe7c54ad8510d1f4e7c27f687bbe28dbc88bdba6941163d5555862dfcfcd501

- Filesize: 389B
  MD5: d64fbef3ceaeec59a5aaff6380f4c7b0
  SHA1: 78ecfc9a408bde923acefedca44fbf3365407af4
  SHA256: aac16463b0975f49662a83ecdd2a7d9aeeb2e75019f775b19d3bcf11358fa1aa
  SHA512: 548dc8e13f40dc80e265177963afdc0cc2864a948e50440e289f884a7bf39f26630d78b972cfeb0848294ae9723eb92fd5d26961ddea686f721b910a7f5895e7

- Filesize: 3.1MB
  MD5: 5e257f0de14b5df97d2d612fc16bdba9
  SHA1: 3909ad43252d24ffe20d11dddd9c2dcea8bb8032
  SHA256: 5976d64cdca51156d14e5c4a7025e653942ab98948347f7a54edb643cb4d755f
  SHA512: f55ad6949c661772a9bf10bfcad3af4ddf62192d54047b1c7588e928a70f894791e7e5b56659c880d9d6f78eb6e171f9dbd99c416ac268836084f33478f3a4b7

- Filesize: 1KB
  MD5: a509440011c1cd28069fae8570804731
  SHA1: f9b308d36c726fb7613af7466fe6f5572dc81213
  SHA256: be48d33a2dde30ef7f4dfd3bfd54ce8475822cb89073f5e52a70917ca264dfdc
  SHA512: e9fc7536a8c9e5de64686fb568ab76305e800ce8755435dc3fd536e411bef3f62939d6d2da01ae9ceb59bfaf3988fe22253e3797dc026c7b259e1cd339fade0f