Overview

overview

10

Static

static

3

2024-12-15...im.exe

windows7-x64

10

2024-12-15...im.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-15_78478e21d3d565bdbad21ea998100989_icedid_nymaim.exe

  • Size

    4.7MB

  • MD5

    78478e21d3d565bdbad21ea998100989

  • SHA1

    1220591d01d37602d4c115fc1aa6595ac9d6c10c

  • SHA256

    740c779fb642de8bd9b50dcb1a5669c88d997c8b6eae72f680ae858d06fde292

  • SHA512

    a5886bb4cc43b6a1f31b1223178c9a43f160b86bc6dd9916b840103b66fa866c83cb1b43d61071f96abbc1704ac9b5a681d9e5c57020c0a5d2c2997976ca097c

  • SSDEEP

    49152:NOSWCbNc7wKlXFJAgYPPhkmS/tajqOwBQ2dP5TROPE46tW5HiD3uZAt:c0csYInifojqNBdP5Ri6A5HiD3qAt

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 19 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 30 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 60 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1072
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1156
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Loads dropped DLL
        PID:1192
        • C:\Users\Admin\AppData\Local\Temp\2024-12-15_78478e21d3d565bdbad21ea998100989_icedid_nymaim.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-12-15_78478e21d3d565bdbad21ea998100989_icedid_nymaim.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2532
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PWRISOSH.DLL"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2752
          • C:\Users\Admin\AppData\Roaming\PowerISO\Upgrade\PowerISO8-x64-Full.exe
            "C:\Users\Admin\AppData\Roaming\PowerISO\Upgrade\PowerISO8-x64-Full.exe" /sleep=3000
            3⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Deletes itself
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2408
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:892
            • C:\Program Files\PowerISO\devcon.exe
              "C:\Program Files\PowerISO\devcon.exe" remove *scdbusDevice
              4⤵
              • Executes dropped EXE
              PID:1672
            • C:\Program Files\PowerISO\setup64.exe
              "C:\Program Files\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nsy516D.tmp "C:\Windows\system32\Drivers\scdemu.sys"
              4⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              PID:2300
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\$PowerISO$\AAB1.tmp.ico
          Filesize

          2KB

          MD5

          4198afdeb9ace242c575ee572af22e1f

          SHA1

          32784594ec69ca459878010401c3931be8e5e15e

          SHA256

          b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e

          SHA512

          d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsy516D.tmp
          Filesize

          135KB

          MD5

          92eae8dec1f992db12aa23d9d55f264a

          SHA1

          add6697b8c1c71980e391619e81e0bada05e38ee

          SHA256

          d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee

          SHA512

          443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441

          Download Submit

        • C:\Users\Admin\AppData\Roaming\PowerISO\Upgrade\version.ini
          Filesize

          561B

          MD5

          65a476590bc4133d3286e18784408444

          SHA1

          45ee5ef2b96c77ba38d0cf1516476dd966d22515

          SHA256

          636a60efddd903e92cb30b2880bfb0875adde3e61cc79178effe5ac96cbf66d9

          SHA512

          47823120ad11762d43c5b35bc9022d718d442c6d09e2dab5f26a935df883e184a0cb3da6a17217d0545642f74b87ae02ca057b862ab91b8d28066bd21a1a0485

          Download Submit

        • C:\Windows\SYSTEM.INI
          Filesize

          257B

          MD5

          98adfdbafd5a7aae8d55804aabb3fbad

          SHA1

          febefcc18e68d0214bd0c8074031fa1775445aa4

          SHA256

          14948ad3e5e5ae1f18b75f80a235efc064516465188f9a98c1f71b9c9856ecc5

          SHA512

          7a215b84f7354ab5ac344ef91816582c9e503729b7ff06440de9d915affa54aba6ebc95ed1c2541c2a84480217128f56a7378793ae4a9ec674917e5e4c4f1302

          Download Submit

        • C:\vfpda.exe
          Filesize

          100KB

          MD5

          b5d9397762faea0808ec3cad80598ef9

          SHA1

          0895d63a18c875ebe76d4aa1e0efcc524ded7c59

          SHA256

          fe7098f091c73858a6430d3b35607f43f49e3e31f34943786b12e75f8d3ee808

          SHA512

          472f0986587890250f1851d2040c2a754bac178508750a9d638903a74b28d230c4fe1ef078966f6a6a7f676a8f41c219f6ef0f5b571c5a2afefe9f92663a065d

          Download Submit

        • \Program Files\PowerISO\PWRISOVM.EXE
          Filesize

          452KB

          MD5

          ef4503d1bc80d30386acf67e16b57b33

          SHA1

          c1b33b9d04376bd51a283259bee1ea202fca88c4

          SHA256

          3c923258dd7bacfa5875b3373b30b09cb4b109dbd861c06c483f389d821f7df5

          SHA512

          b527831e3733f1d882749a98a0e3a3fb6196011b4802bc7188d7f37e99ea7f4ed1d8ef8a074f9846cebb490f249c642984bc2827ec026fb625fd8d4c83d877d0

          Download Submit

        • \Program Files\PowerISO\PowerISO.exe
          Filesize

          6.6MB

          MD5

          75aa9363a1b7382a127dab05d19f0f57

          SHA1

          c8333227ede62384c81ab49a3ab055d5a996f005

          SHA256

          b2cfbd6fbacad517fe41b09458ffed8465dcb9e684d06723aa927e721b16ca9d

          SHA512

          3093cfd338fab7f8df3253fcb709637accf4153de5be02cfa8ac1c86d986aa8599ad5deb2c6f8ff3ba3e7a4cd3d44947549509bfa57699cd5c96a9a5173f6229

          Download Submit

        • \Program Files\PowerISO\devcon.exe
          Filesize

          69KB

          MD5

          9d199564b65a91a531b23844649459e9

          SHA1

          8d84359ced1c51d14e70cb5ed36a6083c8b914cf

          SHA256

          8dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42

          SHA512

          ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1

          Download Submit

        • \Program Files\PowerISO\setup64.exe
          Filesize

          20KB

          MD5

          88ac971e8ea0927083875d5338a7361c

          SHA1

          35b657bbe00ebd0fdbc142c81422e424a122df07

          SHA256

          10bfde037cdc0bb69f2c5b4a262d3935a90a99ee1509d8795b26c4127cc6633a

          SHA512

          00fcce623a8ba58065be87c1a3935240089199d6e4e6017a88b51610bedc81683cccebf471aa7aa65bc7042ad1f6018390a8c78e769c9a099d2b34902a1d1861

          Download Submit

        • \Program Files\PowerISO\uninstall.exe
          Filesize

          137KB

          MD5

          dba1c8c7cdf52e8ab6fba090226d5c86

          SHA1

          6216046da917ca6526741be9c32b5f6603d8a865

          SHA256

          d41e9206cb5b12cfdad6ffa5c85adfe68c8315e96ac05b5d0b52fe44ed7dad11

          SHA512

          4e571614fc44c2ae274236254dbf82085b40b19d7226eaee5e5bade9cf077f6d546b03bf0ca9b963fc576ba742d3b57ee2e7b7911f634f9410fc97044c68fbd8

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst2177.tmp\InstOpt.dll
          Filesize

          25KB

          MD5

          6a45ec125830c244261b28fe97fb9f9d

          SHA1

          f30e65fa3a84c9078bf29af4b4d08ec618a8e44f

          SHA256

          fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5

          SHA512

          5387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst2177.tmp\System.dll
          Filesize

          12KB

          MD5

          8cf2ac271d7679b1d68eefc1ae0c5618

          SHA1

          7cc1caaa747ee16dc894a600a4256f64fa65a9b8

          SHA256

          6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

          SHA512

          ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

          Download Submit

        • \Users\Admin\AppData\Roaming\PowerISO\Upgrade\PowerISO8-x64-Full.exe
          Filesize

          4.9MB

          MD5

          24100c426d2f5ecdf6adcf47bf544789

          SHA1

          339ef04a2b9f24356a27753be8ac6ff96f83e7e4

          SHA256

          88234f55746ce00f73fecdca6b9856fd8afeba840de090d8caa4868f80fd7948

          SHA512

          77c68c6f6999c55a16baa744049802c41261691b273a918bae0a2161675b17b6d73b684f717800148370189d51afee4e18004b89be60258e751a4eb4d544e0ec

          Download Submit

        • memory/1072-10-0x0000000000150000-0x0000000000152000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-43-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-68-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-24-0x00000000003A0000-0x00000000003A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-25-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-5-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-27-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-35-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-37-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-36-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-39-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-40-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-42-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-2-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-46-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-48-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-62-0x0000000007930000-0x0000000007931000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2532-63-0x00000000078E0000-0x00000000078E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-64-0x00000000003A0000-0x00000000003A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-65-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-26-0x00000000003A0000-0x00000000003A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-69-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-71-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-73-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-7-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-82-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-9-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-166-0x0000000000400000-0x0000000000A17000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2532-168-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-23-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-6-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-0-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-18-0x00000000003A0000-0x00000000003A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-19-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2532-21-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2532-3-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-22-0x0000000000400000-0x0000000000A17000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2532-8-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2532-4-0x00000000023D0000-0x000000000345E000-memory.dmp

          Filesize

          16.6MB

          Download