Analysis
max time kernel: 141s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2025, 12:32
Behavioral task behavioral1
Sample: 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
Resource: win10v2004-20241007-en
General
Target: 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
Size: 11.2MB
MD5: 85d2c8e0e00f4750107bac6f6b0b3445
SHA1: f7ac1bdd43a02ac231cbd4be56c1a270f3777a88
SHA256: 0c744a4f4902b8c94b87fa579065e1fb2d5f6f2d27a6ebbdff6f3501e2e78c35
SHA512: f9eaccfa9f8815f285f4ad2183997f11ab4c3a17c319b18df0a0ca6153c66a24d0dd99e90c996bbf2244e6bb875c78a4a2aaa0e64e92e7a42aa5962a659d8192
SSDEEP: 196608:i4eQZYLJnBg4D2R+Nk3RbBzs/6hkP8S9qRZKzPWz2X2+twU2HfyjLfazM0+WsDRD:3ZYRDxk3RtgOkPJyZcXJz2/6LizmzVHH
Malware Config
Extracted: xred
xred.mooo.com
payload_url:
- http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
- https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
- http://xred.site50.net/syn/SUpdate.ini
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
- http://xred.site50.net/syn/Synaptics.rar
- https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
- https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
- http://xred.site50.net/syn/SSLLibrary.dll
Signatures
Xred family
resource: behavioral1/files/0x0005000000019217-118.dat
Executes dropped EXE (8 IoCs)
pid / Process:
- 2988 Server.exe
- 2128 Onetap (1).exe
- 2776 ._cache_Server.exe
- 2824 Synaptics.exe
- 2600 svchost.exe
- 2648 ._cache_Synaptics.exe
- 1192 Process not Found
- 2652 svchost.exe
Loads dropped DLL (9 IoCs)
pid / Process:
- 2384 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe (3 IoCs)
- 2988 Server.exe (4 IoCs)
- 2824 Synaptics.exe (2 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" by Server.exe
Creates a Windows Service
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- 2128 Onetap (1).exe
YARA rule match: upx
- behavioral1/files/0x0007000000016033-12.dat
- behavioral1/memory/2128-68-0x0000000140000000-0x000000014124B000-memory.dmp
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\svchost.exe by ._cache_Server.exe
- File opened for modification: C:\Windows\svchost.exe by ._cache_Server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Synaptics.exe, svchost.exe, ._cache_Synaptics.exe, EXCEL.EXE, svchost.exe, 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe, Server.exe, ._cache_Server.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor by EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- 2656 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- 2128 Onetap (1).exe (3 IoCs)
Suspicious use of SetWindowsHookEx (8 IoCs)
- 2384 2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe (2 IoCs)
- 2776 ._cache_Server.exe
- 2600 svchost.exe
- 2648 ._cache_Synaptics.exe
- 2656 EXCEL.EXE
- 2652 svchost.exe (2 IoCs)
Suspicious use of WriteProcessMemory (24 IoCs)
- PID 2384 (2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe) wrote to memory of 2988, procid_target 30 (4 IoCs)
- PID 2384 (2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe) wrote to memory of 2128, procid_target 31 (4 IoCs)
- PID 2988 (Server.exe) wrote to memory of 2776, procid_target 32 (4 IoCs)
- PID 2988 (Server.exe) wrote to memory of 2824, procid_target 33 (4 IoCs)
- PID 2824 (Synaptics.exe) wrote to memory of 2648, procid_target 35 (4 IoCs)
- PID 2600 (svchost.exe) wrote to memory of 2652, procid_target 37 (4 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe (PID 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Server.exe (PID 2988)
    command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe (PID 2776)
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\ProgramData\Synaptics\Synaptics.exe (PID 2824)
      command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 2648)
        command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Roaming\Onetap (1).exe (PID 2128)
    command line: "C:\Users\Admin\AppData\Roaming\Onetap (1).exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\svchost.exe (PID 2600)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 2652)
    command line: C:\Windows\svchost.exe Win7
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2656)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx