Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 14:26

Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
Resource: win7-20240903-en
General

Target: 2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
Size: 608KB
MD5: 72665429ba495c6e3f8c538a1346206e
SHA1: acfdcd87e4664474ec43c309b964a8f2716eaadd
SHA256: 0327fd36fe504244476aa3ed1bcb21b4d030196bf0404334020d871aa1ee06c0
SHA512: afb0a9edad3824c2cb5dc287d1b9411d67563b7aeef6d223f54709baddd04f663a8f1407f14cfcb2fc06f3941ca2408cbc027d8d3b04df16e4eb375aa3ef6232
SSDEEP: 12288:D/211RfBpEg42IRo0wk5bHAW+J+gNs5cVEMmt6BpB/:jwEgcRRgpVEMjrB/
Malware Config
Signatures

Trickbot family

Trickbot x86 loader (8 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.

resource                                                                      yara_rule
behavioral1/memory/2336-0-0x00000000003B0000-0x00000000003DE000-memory.dmp    trickbot_loader32
behavioral1/memory/2336-4-0x00000000003B0000-0x00000000003DE000-memory.dmp    trickbot_loader32
behavioral1/memory/2336-3-0x0000000000270000-0x000000000029D000-memory.dmp    trickbot_loader32
behavioral1/memory/2912-14-0x00000000003B0000-0x00000000003DE000-memory.dmp   trickbot_loader32
behavioral1/memory/2336-19-0x00000000003B0000-0x00000000003DE000-memory.dmp   trickbot_loader32
behavioral1/memory/2912-20-0x00000000003B0000-0x00000000003DE000-memory.dmp   trickbot_loader32
behavioral1/memory/2932-25-0x00000000007E0000-0x000000000080E000-memory.dmp   trickbot_loader32
behavioral1/memory/2932-30-0x00000000007E0000-0x000000000080E000-memory.dmp   trickbot_loader32

The rule hits the same 0x2E000-byte region in every generation of the loader: 0x3B0000-0x3DE000 in the submitted process (2336) and in the dropped copy it starts (2912), and 0x7E0000-0x80E000 in the copy run from the scheduled task (2932). Process 2336 has a second, slightly smaller match at 0x270000-0x29D000. These memory dumps, not the 608KB file on disk, are where the unpacked loader should be taken from for further analysis.
Executes dropped EXE (2 IoCs)

pid    Process
2912   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
2932   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe

The dropped executable lives in C:\Users\Admin\AppData\Roaming\speedlink\ (see the process tree) and carries a modified filename: comparing it with the submitted sample's name, every 5, 6 and 7 in the hash portion has been raised by two (72665429... becomes 92887429...), so a file-name match on the original sample will not find the persisted copy.

Loads dropped DLL (2 IoCs)

pid    Process
2336   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
2336   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe

All three instances (the submitted file, the dropped copy and the scheduled-task copy) open the key, consistent with a language check performed at every start of the loader.
Suspicious use of AdjustPrivilegeToken (1 IoCs)

description             pid    Process
Token: SeTcbPrivilege   2932   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe

Only the instance started by taskeng.exe under S-1-5-18 (2932) enables SeTcbPrivilege. That privilege is held by the LocalSystem token and not by an ordinary user token, so this is a consequence of the scheduled task running as SYSTEM rather than a separate escalation step.
Suspicious use of SetWindowsHookEx (6 IoCs)

pid    Process
2336   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
2336   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe
2912   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
2912   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
2932   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
2932   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
Suspicious use of WriteProcessMemory (20 IoCs)

The sandbox records one IoC per WriteProcessMemory call; the 20 entries collapse to four distinct writer/target pairs.

description                        pid    Process                                                   procid_target   calls
PID 2336 wrote to memory of 2912   2336   2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe   30              4
PID 2912 wrote to memory of 1780   2912   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe   31              6
PID 2520 wrote to memory of 2932   2520   taskeng.exe                                               34              4
PID 2932 wrote to memory of 2332   2932   2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe   35              6

Every target is the writer's own child in the process tree, and a parent writing into a freshly created child is also what process creation looks like. The significant pairs are the two where the child is a Windows binary, svchost.exe (1780 and 2332), launched and then written to by the copy under %APPDATA%: the pattern of a system process being started and filled with the payload.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the result is visible in the process tree: taskeng.exe (2520) starts the %APPDATA%\speedlink copy as S-1-5-18 (NT AUTHORITY\System), so the task was registered to run as LocalSystem and the loader is re-launched outside the user's session.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe   (PID 2336)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\speedlink\2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe   (PID 2912)
    Command line: C:\Users\Admin\AppData\Roaming\speedlink\2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\svchost.exe   (PID 1780)
        Command line: C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe   (PID 2520)
Command line: taskeng.exe {A468D5AE-A444-44B3-9832-6C24E094F478} S-1-5-18:NT AUTHORITY\System:Service
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\speedlink\2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe   (PID 2932)
    Command line: C:\Users\Admin\AppData\Roaming\speedlink\2024-12-19_92887429ba497c8e3f8c738a1348208e_icedid.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\svchost.exe   (PID 2332)
        Command line: C:\Windows\system32\svchost.exe

Reading the tree: the submitted file (2336) drops a renamed executable into %APPDATA%\speedlink and starts it (2912); that copy launches a fresh svchost.exe (1780) and writes into it. The same %APPDATA% executable is also registered as a scheduled task, so taskeng.exe (2520) starts a second instance (2932) as S-1-5-18 (LocalSystem), which is why only that instance enables SeTcbPrivilege, and it repeats the svchost.exe (2332) launch-and-write. The persisted copy therefore runs as LocalSystem rather than in the user's session, and the svchost.exe instances, not the files under AppData, hold the running payload.
Network
MITRE ATT&CK Enterprise v15

T1053.005 Scheduled Task/Job: Scheduled Task (Uses Task Scheduler COM API)
T1614.001 System Location Discovery: System Language Discovery
Downloads

2024-12-19_72665429ba495c6e3f8c538a1346206e_icedid.exe (the submitted sample)
Filesize: 608KB
MD5: 72665429ba495c6e3f8c538a1346206e
SHA1: acfdcd87e4664474ec43c309b964a8f2716eaadd
SHA256: 0327fd36fe504244476aa3ed1bcb21b4d030196bf0404334020d871aa1ee06c0
SHA512: afb0a9edad3824c2cb5dc287d1b9411d67563b7aeef6d223f54709baddd04f663a8f1407f14cfcb2fc06f3941ca2408cbc027d8d3b04df16e4eb375aa3ef6232