Analysis

  • max time kernel
    145s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-06-2024 22:44

General

  • Target

    2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe

  • Size

    10.8MB

  • MD5

    89de3a110c0bffb2bc3e073089135f2c

  • SHA1

    474df726bd9cc40699dad025c43f753e77eff1c1

  • SHA256

    27b3660ab08b007bb1a32d76a50de3c4ddb39d6427acbfff31a4ba4352aebfcd

  • SHA512

    6863522c6f03cf08847736e2d72ec8b74e0e7445ae4f221860ee74254977f4bb56b02ca51122b9ac16aa81eac72e7f2ed62c8df73c2f38c59adf6b0eaa878476

  • SSDEEP

    196608:4vA5UWb5RyputVARx2E9ONxxm2oadqvolbm/TBw00WxDtJ/YRZ8ZS4R0:/nRXtVw2E9cxzxViGWxDr/IGSB

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 9 IoCs
  • Drops file in Drivers directory 6 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 10 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 55 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Local\Temp\WinManagerAgent.exe
      C:\Users\Admin\AppData\Local\Temp\WinManagerAgent.exe /VERYSILENT /ServerIP=172.16.0.22
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\setup.exe
        C:\Users\Admin\AppData\Local\Temp\setup.exe /VERYSILENT /ServerIP=172.16.0.22
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Users\Admin\AppData\Local\Temp\is-97FIP.tmp\setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-97FIP.tmp\setup.tmp" /SL5="$70124,4922870,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT /ServerIP=172.16.0.22
          4⤵
          • Modifies firewall policy service
          • Drops file in Drivers directory
          • Sets service image path in registry
          • Executes dropped EXE
          • Impair Defenses: Safe Mode Boot
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2560
          • C:\Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\instait.exe
            "C:\Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\instait.exe"
            5⤵
            • Executes dropped EXE
            PID:2488
          • C:\Windows\SysWOW64\WinClass.exe
            "C:\Windows\system32\WinClass.exe" -install -silent
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:1988
          • C:\Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\mfboot.exe
            "C:\Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\mfboot.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1184
          • C:\Windows\SysWOW64\PassthruInstall.exe
            "C:\Windows\system32\PassthruInstall.exe"
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:1060
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1bfea3be-d20f-6d8b-3c3e-e026fab99e4d}\netsf_m.inf" "9" "67d0901a3" "0000000000000560" "WinSta0\Default" "000000000000055C" "208" "C:\Windows\SysWOW64"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{336e1099-4050-057b-5f2a-d453b12fa850} Global\{706d2c0d-2fb1-50a8-f79b-5b41cf662775} C:\Windows\System32\DriverStore\Temp\{148f6488-f441-5a7b-2bd7-a31ff58c8243}\netsf_m.inf C:\Windows\System32\DriverStore\Temp\{148f6488-f441-5a7b-2bd7-a31ff58c8243}\netsf.cat
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1536

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2
  • Browser Extensions (T1176): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 5
  • Impair Defenses (T1562): 2
  • Disable or Modify System Firewall (T1562.004): 1
  • Safe Mode Boot (T1562.009): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab9AFA.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\is-97FIP.tmp\setup.tmp
    Filesize

    741KB

    MD5

    ce37333b56a8b916e5f7b88b080109a3

    SHA1

    b608369e2875bb4a78b8e4cf5a9973ad38b7ba81

    SHA256

    77e7911c367e909718be547301070a8bc51ed5d7e51420ed620ca3ade74a1488

    SHA512

    9ac6e8ac2bce11a51c4115f091bac1ff98fb6ced3303d5509dde34c7d6e9fa0bf3275a0f4b78b644f2bf55f20f6a4ed5067b4d3135e91c4bb494ab61adc5f729

  • C:\Windows\SysWOW64\drivers\passthru.sys
    Filesize

    31KB

    MD5

    d32d4e1d3a8d3e7cf7d2aeca51a3d143

    SHA1

    b700e34e425c60f0b5b8f8a309b655874909cf7d

    SHA256

    a8656391606c5ee51f87e05f62bbbc5d51a32b5f5814ff29504da1704d23d36d

    SHA512

    cc5dabfdeee40e731504749908e03f2ff79d77e1a4ecfee8d76dcb402278a8df440c5224bbf52d3cb177f2341fb5bc90a5fc4b9f525cd45147fbeceef37ac545

  • C:\Windows\SysWOW64\netsf.cat
    Filesize

    9KB

    MD5

    66ce55fa9a430bcf8025e38775fbe89b

    SHA1

    d43bd010131d57959bd3398992417cf940050bc4

    SHA256

    1122404db216c0a8e5fe16d9ba3487358a5b59857fb84da8da9c4ca109d22fd5

    SHA512

    fdf8754d4c22e7df140a9e97e1ce381bbe175aa1e57a7653e7a25cc76b88f7ccff4fc5c3c0b2376a84f2eb51fa9eec5638cd374c779b053019ed07e188a77563

  • C:\Windows\SysWOW64\netsf_m.inf
    Filesize

    2KB

    MD5

    e10e7eb0d7a79d374cc3a5262a79235a

    SHA1

    3acfb965d508bf9f63e811f3c3bbed55ddff5dbc

    SHA256

    7e3e13b44fe58c5576f9b807d465eccdf867a698986266949db8e97b76f5dd38

    SHA512

    7ee396b5fe65a29b881e05774d94615560bd7720db3816241fd5910cb5aa4803cce7fa3efe583c895fd0b7f9c232db31a9cea9c6befa29fe52a2e86f5a5c89e2

  • C:\Windows\SysWOW64\ntcaff372.dll
    Filesize

    12KB

    MD5

    d7e67a2f5e3599834413342bd64effbf

    SHA1

    9264f61591b3e97f3efe1a318cd8b625a9e22ac4

    SHA256

    95c806cbdba0a74ad451cda7bc010b71baa2c8cd8fbddaed89813916b706b804

    SHA512

    9f785629c57d9438da3248725af07b3d0227f0b4ed6d2fc5f27b6c4348ef61f5ab098c35cd284d2389a26c865c1538a978a1fce6058d8132da2be3a2d43abb7b

  • C:\Windows\SysWOW64\vccaff32.dll
    Filesize

    20KB

    MD5

    7a1c78e0126b7ead742f778218e5d0d5

    SHA1

    f67aa1f9c3cf16b4eb3940dab218ebee596b2584

    SHA256

    37614bfecf8ad64e75887482a98143b9f593fea4c5f05d8b9faaac6e06307b93

    SHA512

    36aa51a4703ccad59a10302f01c9fbc54cb7c976dcc637edf5617e5716e5ad475bfd00d00552364553aeacd144b7228a00cdf3a684a6acdfe2b33cd53de54b38

  • C:\Windows\SysWOW64\wccaff32.dll
    Filesize

    1.6MB

    MD5

    0395b4d490a8b6622d3f60364a7b944f

    SHA1

    f8f8f2828a3dd505e43a2a1eb8b31b3f55ff0efb

    SHA256

    968618736c744cfff328bfd30b28d562bade131356be61c8d2a6f2464a046fe7

    SHA512

    f7c4c8a96d42bb57bc825619066f1a4aeb9d4ecec34a978a2ecf8df57bc96df79686d86830f1c9af2b3db593f88adda3cd0d5a1ecbb7c99cc12074e944484085

  • C:\Windows\Temp\Cab98C8.tmp
    Filesize

    29KB

    MD5

    d59a6b36c5a94916241a3ead50222b6f

    SHA1

    e274e9486d318c383bc4b9812844ba56f0cff3c6

    SHA256

    a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

    SHA512

    17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

  • C:\Windows\Temp\Tar9958.tmp
    Filesize

    81KB

    MD5

    b13f51572f55a2d31ed9f266d581e9ea

    SHA1

    7eef3111b878e159e520f34410ad87adecf0ca92

    SHA256

    725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

    SHA512

    f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

  • \Users\Admin\AppData\Local\Temp\WinManagerAgent.exe
    Filesize

    10.6MB

    MD5

    9c43ec0fc8d71894e3cc6bb52ecc1f1c

    SHA1

    69e0916999fd2e031809ca523a895759f40fb85f

    SHA256

    82ba971fc7d511d8dfef0d1ee8da9648f2f72e7f43ddbbb1be1e79d63fcecf25

    SHA512

    aaef11301bd5ee123fec596c3b7933c91acecbb138bb7c7d0a82ef7c42bcd105d8b3312fa936360d57a03e88abca4a56732f19812bd80b95c7c229bd49de286c

  • \Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\instait.exe
    Filesize

    88KB

    MD5

    8a66f11d2ce906e558d4bea65504447a

    SHA1

    04d374d1522dd1c0476c8d29e1a1c9cf110c7d29

    SHA256

    d85be407d6aa86ad6e741c454b52302d165894cfe5930be7336934a67298cc14

    SHA512

    e667827af62445a7d2f500dcb29f8db12885a2d72dd965646ccfac6c777884cccda4c280015035100c9aa2e363027c3c7208d2516258baf6b3df37bd8e68a2ab

  • \Users\Admin\AppData\Local\Temp\is-0TG8P.tmp\mfboot.exe
    Filesize

    250KB

    MD5

    90c6119e37d941fd1fb6f55ad4e71c77

    SHA1

    5e77fa4dd77e3854eec45c9ac5fd6f44c8b349cb

    SHA256

    9ec20728f06a947f8f79eee89082d33f8fb223b149c2a3c204906c383f63fde3

    SHA512

    66bc3aef3d01a594159c2625fc6c5ac1d7bb9c52a59084b54e0eb9cfc6f480c9120a90aadb1ac05ff9d42bfd7c9ebd1b09c143bfb58f3578e9e2c3be194c3cc9

  • \Users\Admin\AppData\Local\Temp\setup.exe
    Filesize

    4.9MB

    MD5

    f21ec81e9739fc22c2b11835250df8ed

    SHA1

    6bc423c58a3d4ef7634c8b9be58037c35cb2008a

    SHA256

    5eef17155cf3c3f4041925eee2e6e0d7a9c38e4466569b7d594eff6aa6742953

    SHA512

    26659eceecf652284697f2d69e01b94dbcfd0636c74037a2398bdfa199c51f745fa2f5905cad9f4b3af370d01c2340b99c6df14a4a8c09e4ca608195178c4314

  • \Windows\SysWOW64\PassthruInstall.exe
    Filesize

    12KB

    MD5

    2d8b7a945d3868669ba04ba3ddc13cb6

    SHA1

    88855ba82df56ac5e46f00711f2807b1164d91a2

    SHA256

    c473fcedcfa7cfa058374b2c5dd08b61ec0c3fdd9276bd7779465ad354c6b427

    SHA512

    039196724ae90b7ad4dc2f2bd67ad4c0a080020c15c921b1f69cc45f722ab93ade52b6dc16f736ff9f8112e06c8bd647e6edd845ff484168821106bcd104b184

  • memory/2560-239-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize

    808KB

  • memory/3020-17-0x0000000000401000-0x000000000040B000-memory.dmp
    Filesize

    40KB

  • memory/3020-15-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

  • memory/3020-238-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB