Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 01:32
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
Resource: win7-20241010-en
General
Target: 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
Size: 2.4MB
MD5: d5f5c6126613d03b21a3b32d0ee9fe5e
SHA1: 7baa19a30d6f30665f487301b2b114d5fcb197c7
SHA256: 01dc05ab076d23a80dd14c884d8b02fac01a49be262a4b4d28f317f0c6badc0e
SHA512: d80e81d7a1f32036f4990110d307b041807ebf1f782161cddcfe17f8f6f1f5fa417460b662c7770f2b602ceb5d321890628198e81f037e7a37e48914e441bdcd
SSDEEP: 49152:M1Y/47zPHQzNvLNNVbkPsmRpcgO/X1tJem2BrJE8RNI0IAb66PYK:sc4fPHsnypcgO/X/2Br560IaPY
Malware Config
Signatures

resource | yara_rule
- behavioral2/memory/2760-5-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
- behavioral2/memory/4512-15-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2760-22-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/4512-24-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-27-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-37-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-38-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-39-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-40-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-41-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-42-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-43-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-44-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-45-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-46-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-47-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-48-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-49-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-50-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/2676-51-0x0000000000400000-0x00000000008D8000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (20 IoCs)
resource | yara_rule
- behavioral2/memory/2760-5-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
- behavioral2/memory/4512-15-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
- behavioral2/memory/2760-22-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/4512-24-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-27-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-37-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-38-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-39-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-40-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-41-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-42-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-43-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-44-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-45-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-46-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-47-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-48-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-49-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-50-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat
- behavioral2/memory/2676-51-0x0000000000400000-0x00000000008D8000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family
Executes dropped EXE (3 IoCs)
pid | Process
- 2760 | Tempbskdjgwijgks.exe
- 4512 | QiQyqi.exe
- 2676 | QiQyqi.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\QiQyqi.exe | Tempbskdjgwijgks.exe
- File opened for modification | C:\Windows\SysWOW64\QiQyqi.exe | Tempbskdjgwijgks.exe
- File created | C:\Windows\SysWOW64\Delete00.bat | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid | Process
- 2760 | Tempbskdjgwijgks.exe
- 4512 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
- 2676 | QiQyqi.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tempbskdjgwijgks.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QiQyqi.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QiQyqi.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
- 4000 | PING.EXE
- 2180 | cmd.exe
- 4448 | PING.EXE
Runs ping.exe (1 TTPs, 2 IoCs)
pid | Process
- 4448 | PING.EXE
- 4000 | PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 2760 | Tempbskdjgwijgks.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
- 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
- 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
- 2760 | Tempbskdjgwijgks.exe
- 4512 | QiQyqi.exe
- 2676 | QiQyqi.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
- PID 4812 wrote to memory of 2760 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 84
- PID 4812 wrote to memory of 2760 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 84
- PID 4812 wrote to memory of 2760 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 84
- PID 2760 wrote to memory of 2180 | 2760 | Tempbskdjgwijgks.exe | 86
- PID 2760 wrote to memory of 2180 | 2760 | Tempbskdjgwijgks.exe | 86
- PID 2760 wrote to memory of 2180 | 2760 | Tempbskdjgwijgks.exe | 86
- PID 4512 wrote to memory of 2676 | 4512 | QiQyqi.exe | 87
- PID 4512 wrote to memory of 2676 | 4512 | QiQyqi.exe | 87
- PID 4512 wrote to memory of 2676 | 4512 | QiQyqi.exe | 87
- PID 2180 wrote to memory of 4448 | 2180 | cmd.exe | 89
- PID 2180 wrote to memory of 4448 | 2180 | cmd.exe | 89
- PID 2180 wrote to memory of 4448 | 2180 | cmd.exe | 89
- PID 4812 wrote to memory of 372 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 90
- PID 4812 wrote to memory of 372 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 90
- PID 4812 wrote to memory of 372 | 4812 | 2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe | 90
- PID 372 wrote to memory of 4000 | 372 | cmd.exe | 92
- PID 372 wrote to memory of 4000 | 372 | cmd.exe | 92
- PID 372 wrote to memory of 4000 | 372 | cmd.exe | 92
Processes

- Level 1: C:\Users\Admin\AppData\Local\Temp\2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-13_d5f5c6126613d03b21a3b32d0ee9fe5e_icedid.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4812

  - Level 2: C:\Users\Admin\AppData\Local\Tempbskdjgwijgks.exe
    Command line: C:\Users\Admin\AppData\Local\Tempbskdjgwijgks.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2760

    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\TEMPBS~1.EXE > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2180

      - Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 4448

  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 372

    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 4000

- Level 1: C:\Windows\SysWOW64\QiQyqi.exe
  Command line: C:\Windows\SysWOW64\QiQyqi.exe -auto
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4512

  - Level 2: C:\Windows\SysWOW64\QiQyqi.exe
    Command line: C:\Windows\SysWOW64\QiQyqi.exe -acsi
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2676
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: a6e135ed878dfe7a157f4efaba874046
  SHA1: 3a472594af195aca945323c5ab293ccc7844f7fa
  SHA256: 23fe87161faf342a4d021529e8e7d7ce7eb3ca0e50fa97dfb76d7e0f615c29ea
  SHA512: d8d8e796ee14484188b86c8fc567d117545c078d6fe2228075b5981293793ddd045555ed50d2fe8eaca3001fe3c847b27dd4aa2547d1e1aa29abc5226c76b1b3

- Filesize: 151B
  MD5: 72b938681ae6999cdd1d3d938023d1f3
  SHA1: 8f55ef8063670f09fd6b3cbdc2113ba9fbcce479
  SHA256: 87e7d0f8e06ed91f51321330014cb4722ed9ba99098afa0a624229eb8c9f2722
  SHA512: 5d46087b8c63bb573711919dca996dd9f64cc98e5024e2595d837effef82e378c27c2db27760d9783d0ba5efce99bbe072d58cbae23d9c217f0400c5f2c67a0e