06ace6c2455cb84c5a0e86adc50ba61c6988dd3fd07122fa6151b6657b4a5fb4

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
Size

18.6MB
MD5

c2b355abe814f11a1e59b75092ab6690
SHA1

a6a0ed15388f17396a6530c3896cc25ce531cbc9
SHA256

06ace6c2455cb84c5a0e86adc50ba61c6988dd3fd07122fa6151b6657b4a5fb4
SHA512

19c3c5ca9240c1ac0e031a0044f0aafdf09e56662173fc6933b23491fc44531770ee4aab77643e95d4da9774d688c628e4cd2f405dd737b141e89e3664314d1b
SSDEEP

393216:8Fr8rykk0l+tDJARmvLvPmzWrH5eg+P/krIEwp:6r8rykHRmqzW19+P/krIEg

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1148-14-0x00000000003C0000-0x00000000003E4000-memory.dmp	UPX
behavioral1/memory/1148-17-0x0000000000400000-0x000000000172F000-memory.dmp	UPX
behavioral1/memory/1148-24-0x0000000000400000-0x000000000172F000-memory.dmp	UPX
behavioral1/memory/1148-33-0x0000000000400000-0x000000000172F000-memory.dmp	UPX

Loads dropped DLL 3 IoCs

Processes:

2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

pid	process
1148	2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
1148	2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
1148	2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/1148-14-0x00000000003C0000-0x00000000003E4000-memory.dmp upx
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

pid process

1148 2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
1148 2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

resource	yara_rule
behavioral1/memory/1148-14-0x00000000003C0000-0x00000000003E4000-memory.dmp	upx

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_c2b355abe814f11a1e59b75092ab6690_hacktools_icedid.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gzip.dll
Filesize
29KB

MD5
8b3591965f623b219c0c528153746cab

SHA1
020961494fa0e08779b7aacf4422269935354f7d

SHA256
97ea3d99cf21123bc1aec72f9ded6a51ac659830392adfefd424eb799ab0219e

SHA512
6e547197d160c9ec13cf2384add1bb6753276e3dab97d951adba9257d6bf999720635a7b9d94a5ca8b94bdda2f25f36c5938d126bc3e46a358e1fad072132351

Download Submit
\Users\Admin\AppData\Local\Temp\libacf.dll
Filesize
2.3MB

MD5
3bf9278f2371862eeb2de0558bbd57f0

SHA1
0ea39874e8b07b22ceda6026d0c74cc961c6a384

SHA256
7b753c6a0e1f7d0f46469806041b0d6b55b57cd42ee55d3c0213a4fedf7a0acb

SHA512
d604c1e29802c1bfee5173bbe96d428c8410f3e7d87e91034d5b4d4c582273737cf0d9c568ee6f32f730d8ba135e8af342828f7087763958d0ac29111cc299f0

Download Submit
\Users\Admin\AppData\Local\Temp\libacf_Caller.dll
Filesize
390KB

MD5
285e9e2db7a142e95e933fd449b2eb87

SHA1
b84a922b141e1bd5c4ad0e7b9e914da2a319f5eb

SHA256
fb11c997942e623e7a24ee6d4575789931b2ad0da06616afaad7a4c5baedaf58

SHA512
c8ae43a435d7f5ac6c9ea6eb2203076b4b754dfe5e71e1752df49876e15d4c9f1d817d8def7f23ac7a76d8ffbd37710a199631368be7e01c7b38e70be6f58738

Download Submit
memory/1148-0-0x0000000010000000-0x00000000101D4000-memory.dmp

Filesize
1.8MB

Download
memory/1148-15-0x000000000054E000-0x000000000054F000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/1148-16-0x0000000000400000-0x000000000172F000-memory.dmp

Filesize
19.2MB

Download
memory/1148-17-0x0000000000400000-0x000000000172F000-memory.dmp

Filesize
19.2MB

Download
memory/1148-18-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/1148-24-0x0000000000400000-0x000000000172F000-memory.dmp

Filesize
19.2MB

Download
memory/1148-27-0x0000000000400000-0x000000000172F000-memory.dmp

Filesize
19.2MB

Download
memory/1148-33-0x0000000000400000-0x000000000172F000-memory.dmp

Filesize
19.2MB

Download