Analysis

max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
Resource
win7-20241010-en
General

Target: 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
Size: 2.4MB
MD5: d5f5c6126613d03b21a3b32d0ee9fe5e
SHA1: 7baa19a30d6f30665f487301b2b114d5fcb197c7
SHA256: 01dc05ab076d23a80dd14c884d8b02fac01a49be262a4b4d28f317f0c6badc0e
SHA512: d80e81d7a1f32036f4990110d307b041807ebf1f782161cddcfe17f8f6f1f5fa417460b662c7770f2b602ceb5d321890628198e81f037e7a37e48914e441bdcd
SSDEEP: 49152:M1Y/47zPHQzNvLNNVbkPsmRpcgO/X1tJem2BrJE8RNI0IAb66PYK:sc4fPHsnypcgO/X/2Br560IaPY
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/2160-12-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
behavioral1/memory/2160-31-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2264-33-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-34-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-49-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-50-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-51-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-52-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-53-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-54-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-55-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-56-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-57-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-58-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-59-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-60-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-61-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-62-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
behavioral1/memory/2368-63-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 19 IoCs
resource | yara_rule
behavioral1/memory/2160-12-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
behavioral1/memory/2160-31-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2264-33-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-34-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
behavioral1/memory/2368-49-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-50-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-51-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-52-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-53-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-54-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-55-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-56-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-57-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-58-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-59-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-60-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-61-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-62-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
behavioral1/memory/2368-63-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
Gh0strat family

Purplefox family
Deletes itself 1 IoCs
pid | Process
2880 | cmd.exe

Executes dropped EXE 3 IoCs
pid | Process
2160 | Tempbskdjgwijgks.exe
2264 | QiQyqi.exe
2368 | QiQyqi.exe

Loads dropped DLL 2 IoCs
pid | Process
2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe

Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\QiQyqi.exe | Tempbskdjgwijgks.exe
File created | C:\Windows\SysWOW64\Delete00.bat | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
File created | C:\Windows\SysWOW64\QiQyqi.exe | Tempbskdjgwijgks.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid | Process
2160 | Tempbskdjgwijgks.exe
2264 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
2368 | QiQyqi.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tempbskdjgwijgks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QiQyqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QiQyqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2916 | cmd.exe
2868 | PING.EXE
2716 | PING.EXE

Runs ping.exe 1 TTPs 2 IoCs
pid | Process
2868 | PING.EXE
2716 | PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2160 | Tempbskdjgwijgks.exe

Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
2160 | Tempbskdjgwijgks.exe
2264 | QiQyqi.exe
2368 | QiQyqi.exe

Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2360 wrote to memory of 2160 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 30
PID 2360 wrote to memory of 2160 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 30
PID 2360 wrote to memory of 2160 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 30
PID 2360 wrote to memory of 2160 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 30
PID 2160 wrote to memory of 2916 | 2160 | Tempbskdjgwijgks.exe | 32
PID 2160 wrote to memory of 2916 | 2160 | Tempbskdjgwijgks.exe | 32
PID 2160 wrote to memory of 2916 | 2160 | Tempbskdjgwijgks.exe | 32
PID 2160 wrote to memory of 2916 | 2160 | Tempbskdjgwijgks.exe | 32
PID 2264 wrote to memory of 2368 | 2264 | QiQyqi.exe | 33
PID 2264 wrote to memory of 2368 | 2264 | QiQyqi.exe | 33
PID 2264 wrote to memory of 2368 | 2264 | QiQyqi.exe | 33
PID 2264 wrote to memory of 2368 | 2264 | QiQyqi.exe | 33
PID 2916 wrote to memory of 2868 | 2916 | cmd.exe | 35
PID 2916 wrote to memory of 2868 | 2916 | cmd.exe | 35
PID 2916 wrote to memory of 2868 | 2916 | cmd.exe | 35
PID 2916 wrote to memory of 2868 | 2916 | cmd.exe | 35
PID 2360 wrote to memory of 2880 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 36
PID 2360 wrote to memory of 2880 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 36
PID 2360 wrote to memory of 2880 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 36
PID 2360 wrote to memory of 2880 | 2360 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 36
PID 2880 wrote to memory of 2716 | 2880 | cmd.exe | 38
PID 2880 wrote to memory of 2716 | 2880 | cmd.exe | 38
PID 2880 wrote to memory of 2716 | 2880 | cmd.exe | 38
PID 2880 wrote to memory of 2716 | 2880 | cmd.exe | 38
Processes (the bracketed number is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2360

    [2] C:\Users\Admin\AppData\Local\Tempbskdjgwijgks.exe
        Command line: C:\Users\Admin\AppData\Local\Tempbskdjgwijgks.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2160

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\TEMPBS~1.EXE > nul
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2916

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID: 2868

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Windows\System32\\Delete00.bat
        - Deletes itself
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2880

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2716

[1] C:\Windows\SysWOW64\QiQyqi.exe
    Command line: C:\Windows\SysWOW64\QiQyqi.exe -auto
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2264

    [2] C:\Windows\SysWOW64\QiQyqi.exe
        Command line: C:\Windows\SysWOW64\QiQyqi.exe -acsi
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2368
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 151B
MD5: 72b938681ae6999cdd1d3d938023d1f3
SHA1: 8f55ef8063670f09fd6b3cbdc2113ba9fbcce479
SHA256: 87e7d0f8e06ed91f51321330014cb4722ed9ba99098afa0a624229eb8c9f2722
SHA512: 5d46087b8c63bb573711919dca996dd9f64cc98e5024e2595d837effef82e378c27c2db27760d9783d0ba5efce99bbe072d58cbae23d9c217f0400c5f2c67a0e

Filesize: 1.6MB
MD5: a6e135ed878dfe7a157f4efaba874046
SHA1: 3a472594af195aca945323c5ab293ccc7844f7fa
SHA256: 23fe87161faf342a4d021529e8e7d7ce7eb3ca0e50fa97dfb76d7e0f615c29ea
SHA512: d8d8e796ee14484188b86c8fc567d117545c078d6fe2228075b5981293793ddd045555ed50d2fe8eaca3001fe3c847b27dd4aa2547d1e1aa29abc5226c76b1b3