gh0strat | 84bff06a71810c0f742acfdbcab3a89966912aaee1260159db9f9dbd6661f850

Resubmissions

30-01-2025 11:36

250130-nqt7aazmc1 10

29-01-2025 16:02

250129-tg9s9s1lhn 10

Analysis

max time kernel
157s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
Size

29.5MB
MD5

e6af77e3ec383cd78ec9b7f0f94e12cb
SHA1

7acfb040b938caaf34015751a607f1467daaec25
SHA256

84bff06a71810c0f742acfdbcab3a89966912aaee1260159db9f9dbd6661f850
SHA512

d5cd86a645d62b8ea8fe9c764cb1f2cda0c4a49b1a6aeb6c85de10fb09a63472d7908b312e743487e7844fc6049263119a7f0a07c96048276581e4864bd67f6f
SSDEEP

786432:HrI2fVu1bJctT0UFi7H+tAW7TtKW8L2UKAlAI:HrIeO0T0UcqtrTIWYBGI

Score

10^/10

gh0strat purplefox xred backdoor discovery macro persistence pyinstaller rat rootkit trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2288-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2288-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3028-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3028-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3028-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018b54-6.dat	family_gh0strat
behavioral1/memory/2288-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2288-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3028-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3028-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3028-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259506181.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001cfb4-2513.dat

Executes dropped EXE 11 IoCs

pid	Process
2396	R.exe
2288	N.exe
1048	TXPlatfor.exe
3028	TXPlatfor.exe
1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1700	Remote Data.exe
1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1960	Synaptics.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
588	._cache_Synaptics.exe
6076	._cache_Synaptics.exe

Loads dropped DLL 31 IoCs

pid	Process
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2396	R.exe
2976	svchost.exe
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1048	TXPlatfor.exe
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2976	svchost.exe
1700	Remote Data.exe
1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2248	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
1960	Synaptics.exe
1960	Synaptics.exe
588	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe
6076	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259506181.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2288-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2288-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2288-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3028-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3028-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3028-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0005000000019820-45.dat	pyinstaller
behavioral1/files/0x0008000000018b71-66.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3016	cmd.exe
2508	PING.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2508	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2768	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3028	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2288	N.exe
Token: SeLoadDriverPrivilege	3028	TXPlatfor.exe
Token: 33	3028	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	3028	TXPlatfor.exe
Token: 33	3028	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	3028	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
2768	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2396	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	30
PID 2956 wrote to memory of 2396	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	30
PID 2956 wrote to memory of 2396	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	30
PID 2956 wrote to memory of 2396	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	30
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2956 wrote to memory of 2288	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	33
PID 2288 wrote to memory of 3016	2288	N.exe	35
PID 2288 wrote to memory of 3016	2288	N.exe	35
PID 2288 wrote to memory of 3016	2288	N.exe	35
PID 2288 wrote to memory of 3016	2288	N.exe	35
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 1048 wrote to memory of 3028	1048	TXPlatfor.exe	36
PID 3016 wrote to memory of 2508	3016	cmd.exe	38
PID 3016 wrote to memory of 2508	3016	cmd.exe	38
PID 3016 wrote to memory of 2508	3016	cmd.exe	38
PID 3016 wrote to memory of 2508	3016	cmd.exe	38
PID 2956 wrote to memory of 1388	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	39
PID 2956 wrote to memory of 1388	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	39
PID 2956 wrote to memory of 1388	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	39
PID 2956 wrote to memory of 1388	2956	2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	39
PID 2976 wrote to memory of 1700	2976	svchost.exe	40
PID 2976 wrote to memory of 1700	2976	svchost.exe	40
PID 2976 wrote to memory of 1700	2976	svchost.exe	40
PID 2976 wrote to memory of 1700	2976	svchost.exe	40
PID 1388 wrote to memory of 1928	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	41
PID 1388 wrote to memory of 1928	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	41
PID 1388 wrote to memory of 1928	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	41
PID 1388 wrote to memory of 1928	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	41
PID 1388 wrote to memory of 1960	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	43
PID 1388 wrote to memory of 1960	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	43
PID 1388 wrote to memory of 1960	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	43
PID 1388 wrote to memory of 1960	1388	HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	43
PID 1928 wrote to memory of 2248	1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	44
PID 1928 wrote to memory of 2248	1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	44
PID 1928 wrote to memory of 2248	1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	44
PID 1928 wrote to memory of 2248	1928	._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe	44
PID 1960 wrote to memory of 588	1960	Synaptics.exe	45
PID 1960 wrote to memory of 588	1960	Synaptics.exe	45
PID 1960 wrote to memory of 588	1960	Synaptics.exe	45
PID 1960 wrote to memory of 588	1960	Synaptics.exe	45
PID 588 wrote to memory of 6076	588	._cache_Synaptics.exe	49
PID 588 wrote to memory of 6076	588	._cache_Synaptics.exe	49
PID 588 wrote to memory of 6076	588	._cache_Synaptics.exe	49
PID 588 wrote to memory of 6076	588	._cache_Synaptics.exe	49

C:\Users\Admin\AppData\Local\Temp\2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2508
- C:\Users\Admin\AppData\Local\Temp\HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2248
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2920

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259506181.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1700

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe

Filesize
25.3MB

MD5
250edd5dee344f6d90053b2df0919d78

SHA1
9795f7000eda7d04a8078df3723775eb94d5ff9d

SHA256
b9c175b7541ebb681efa089c2a393c858dd90e5a5168b3a0b488158097565fc5

SHA512
82687c7d8a8a33c4ccca315b941e4a96588a1de814cb9efd5439e83f8d7c09ae2fc00950aa01006cebec0f4e1596a5e8f28af27500948ee7c5987fd20bd40f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
3.4MB

MD5
acc4e9eab1197376787453b41bbd2020

SHA1
7722657c37c436ba23c5f847b98cb97aa4bcc63c

SHA256
9d2e25a24066210b368edcc87ede521df9fe6985cec4c91778fe6b4a4a98a08f

SHA512
66571502f7f69f7a801ca33dde0288399e490b55d0e178c2a5eebea90c7f3364267334f39cf780d396aa81bc9be16bd2c53a2df29ebb5d31ad483234d9d68a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19282\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
395d39f6ec3e09c5194899434150cdf7

SHA1
abd262b486e1adc39b40dbfe012a551c732dfd69

SHA256
ecc40b2c80300b94615b450d5a97ed15ce51aa929c73da22c906ab01856f8223

SHA512
0f55725eb8609ae52c45ff7e255c3e23bff0b9e049f2f37cb4fc12841ad9f5ed8264307961cbd27031997c29ce04677b646f9c859fc629b25186ec52f735ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
b178f49844a5168d29d5cce20a6303e3

SHA1
29dd5bd890addbba1d8a9aeacb68716f8208da73

SHA256
9358400795afcc41f5e748e20b139cfbb1ac976b3e460597b0b21893d647276d

SHA512
b65308d482342291069314e9f99964c3479ea41579db17d3cbe3888318bb7605ee67c11a40f14609665a419f44a61809513bddb8b3657b24a4bac16bb274664f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
da1c671169dd183afca9ac76f46fd86e

SHA1
47a1bd0c45d5b87351870b8dd2122da30638ec83

SHA256
e5c2478571ab260776b547579acd847bdecac9b4b9b4590d4ac7c80135c68930

SHA512
5e6eb5525a77ac63bbae2288fecfd5712aff5c194e55d93239ae6171b8602de9d029ca725f15efb03890dff57a34c07435687e87a20839d614cc9c90fdf06f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c54a336fdc425291b1d972f6fbaca6c7

SHA1
ea3872c198f3f41e41dcc42cf92aabbc6540579d

SHA256
8d1f5410f8b4326876410b45fcdcabb96bea4941f71ea5b11cb6dae80e6bdd49

SHA512
abe7694493ce2e367582be1155fb5100a7840e67eb1f646dbd5360a47b430ec03634a3f1a940a8a5f555d96da0fdab66a4a2de544b847234e38b588cf597e0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19282\ucrtbase.dll

Filesize
1.1MB

MD5
359a14ce507a0d0ada72127ae5e7d439

SHA1
951b1fbc667ffed0b9961bc14a5e7c37bae52afc

SHA256
e0bb6f1a8606fd8988f93255a5c69e89970da6a30ff60be22d3f90ac5d20e56b

SHA512
d6151dc504aa469a275e2ffc25a014995c72dbcf6509e33a679202a5c3f0f4e8f7fe283ca46120cfe53f13cf0b2548e040ac1840fdb615986a9ca7497f7edec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\typeguard-4.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMbnjOsg.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMbnjOsg.xlsm

Filesize
27KB

MD5
cd13ec2ad4bd1f5bf13e0ad6337a38ca

SHA1
9019a6dd24d9ed731cf5edcf9a7397e4b4d71e4b

SHA256
18b994e25a0232bf1613da0e7067503922d9d26529bee17c1074706e19f68cdb

SHA512
950080bc5116f01c93dfa5f1c3a91c62c6ec63372af5ad0261aec9eacf888495213bb5493d5351cefbe6737e84134c2118bd589b443b880a044bac11270f6e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMbnjOsg.xlsm

Filesize
28KB

MD5
a0f3b5ce45c968b73145dd9db123f68f

SHA1
a8ac759e7cc4258b0e57920b9d2cb063d659e7db

SHA256
62f82e413cb8f3cab9167fb2777d912b6dac04e817436ed7a159c0674ae161fb

SHA512
93d5ca8b23aa3241c76d11f0718b48987e4d4a6015a262bfd866689831659d7921bdc22a6094675c1969454195d889bff55a464c007a9ba67790863b21368f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMbnjOsg.xlsm

Filesize
29KB

MD5
17b6f3a63d0c7698c825bc805a995124

SHA1
d9f8958849b3d8d887fa4bb37bac7a04ecf01bc7

SHA256
acf190a05a824f7a06f088f8bd9fd1395a38b107e1aa5af52b34a752ddc78f76

SHA512
9af51a6032c683a16b39796b2290a54b0e2349e1ff002a53474febc5cd70570adcd832db757e740c227b88c7394dc762c15a5cde4c0567f0e59b73523ab2b331

Download Submit
\Users\Admin\AppData\Local\Temp\HD_2025-01-29_e6af77e3ec383cd78ec9b7f0f94e12cb_icedid_luca-stealer.exe

Filesize
26.1MB

MD5
737c69214d5ada4901a06629bb10498b

SHA1
13ff4574772d0824fcb486185e60e08b9f528e3a

SHA256
b9133a7c26e039ead1676cadfbc7601309ed439f4d927ea930520687aa31ae3b

SHA512
a887be5969faecae08d349a66d385b98a5ec14a4584adbf59793d9e9e72469dfecc262eccf953a61f58887125dc198dce2d736afdec55f0458a2687d1f603ad9

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19282\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
f2cd3227975bd33ae08e34221d223ca6

SHA1
26b19fd814ea86825244e7a7cf82e7eddc189895

SHA256
f88209bb4993bfbcfc9727d101a4f1ecf84649ca5fd15b264faac11daf19ac7f

SHA512
690408ba6d88ad97334a8f9012c5db5c4d46d70cd9519f1d8e9131d1044805dce992d89167ef12d0192f4e5ab079722b88700df9601c05674267fc4f8d5486e3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19282\python39.dll

Filesize
4.3MB

MD5
2f437852e6db4e02e50530914842b97e

SHA1
6d767a495d6980798f3f2e673208f84d60bcc0b6

SHA256
b4c1ee645ac50e5e38debeeb36344b1de87b7149510fc9f5347db3f9db5f7b20

SHA512
4d60337e3f53dc3a908b8d82f9ad287b17a6db4ad559e32f3cd30937c9e42a26f1d4926b5d5ce78e466f4a28d9d5913ea20ca44d93dbf5aab74e55a315a59da6

Download Submit
\Windows\SysWOW64\259506181.txt

Filesize
899KB

MD5
b26106a2f6854706dfd7cc450f0967f9

SHA1
e1c8d54b0097d3eff31dfb72c26c7a1794856362

SHA256
fddc347d65c8eeef06e05c0e99ed902409ff55aef6a217f3a2daff8db8e724c2

SHA512
6cee32e113153276b34fee16ec74c2b7caf7562562d86fbcf5ed162dd7e3f1e5b863867ce68837d00b60426a1e547134dfb43d04fa9688a4f625d92a335dc5cb

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1388-130-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1388-269-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-1220-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-3313-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-1134-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-4385-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-2143-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1960-4350-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2288-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2288-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2288-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2768-3261-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-1163-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3028-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3028-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3028-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download