78d028497bd2554918578486b296d3f60985b87a0c423bd0048aab8768273427

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IcarusRDP_builder-main/Addon/bb.exe
Size

22KB
MD5

1e1eabdff6349d45a7455ee58588ccbf
SHA1

8d3c956a80d97d5080a417e3da3689557c782b52
SHA256

ca40c199ed052cb5ed81483bf31520e30d46fc36dce34f206d25c2ff162f3129
SHA512

d528307ff98f7968999861c64efb32efff74d5fcbdfbf85de60705bc48c11a7966026f8aae58d80c0cd009166211c4773178148f9ba437f3955f307a12029da5
SSDEEP

384:+qE+wxApYsEHz5WVFtotTFAj3Lx+gO+adlVW8GiSQZdIghUmOaNJawcudoD7UFMH:+qdYsC5KFtuFY3k+lUe6vfnbcuyD7UF6

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2268	1764	bb.exe	31
PID 1764 wrote to memory of 2268	1764	bb.exe	31
PID 1764 wrote to memory of 2268	1764	bb.exe	31
PID 1764 wrote to memory of 2268	1764	bb.exe	31

C:\Users\Admin\AppData\Local\Temp\IcarusRDP_builder-main\Addon\bb.exe
"C:\Users\Admin\AppData\Local\Temp\IcarusRDP_builder-main\Addon\bb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2240.tmp\KillBots.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2240.tmp\KillBots.bat

Filesize
639B

MD5
e22986670095d9859b17688ba339db0a

SHA1
4d292de928e454ced5a1c951e2ad0d3467da3556

SHA256
2067cfd77cd0dd575e0d24ad4a0de3bb48aebbcad71da0b513ceb6dc366878c0

SHA512
d8da0e9d55ee6c08385b4ee6fb1a1b7eb2f327b9e1a4fde2f3ccfe457fa8d6a93357eed5d40a0b9eb6401773c90bc408501b852ba94025ae95fb069538db5c05

Download Submit