Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 05:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe
  Resource: win10v2004-20240704-en
General
Target: 2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe
Size: 21.9MB
MD5: 76d34572294fd80c212e9d32bb20e225
SHA1: 01d80314eaa59f874781441ef98ece053c986c4f
SHA256: 467ff5e8e733b7b8fdb0e987d2944cf45800c0b1fd27c712678255f6fa4272f9
SHA512: 71091f8781c55e2e3a22e210ce7812c4577121570984928252b51c8afdd9e76e3ef6b78eba7de18acb60cfb3c824b7b0af83095b0444a6763a7a92f709e228cf
SSDEEP: 393216:CYFOnfOuvxTqU9HqCF2SGid036plO3wAh7OhXy3DruHq8eHv:CnzvxTh9Hp2SG4lO3ChX4rUq1P
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    pid 1448  MiniThunderPlatform.exe
Loads dropped DLL (13 IoCs)
  Processes:
    pid 2968  2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe  (5 DLL loads)
    pid 1448  MiniThunderPlatform.exe  (8 DLL loads)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification  ioc: \??\PhysicalDrive0  process: MiniThunderPlatform.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 2968  2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe  (2 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 2968 wrote to memory of 1448  process: 2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe (pid 2968)  target process: MiniThunderPlatform.exe (pid 1448)  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-05_76d34572294fd80c212e9d32bb20e225_hacktools_icedid.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
  Filesize: 87KB
  MD5: 79cb6457c81ada9eb7f2087ce799aaa7
  SHA1: 322ddde439d9254182f5945be8d97e9d897561ae
  SHA256: a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
  SHA512: eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe
  Filesize: 242KB
  MD5: 67c767470d0893c4a2e46be84c9afcbb
  SHA1: 00291089b13a93f82ee49a11156521f13ea605cd
  SHA256: 64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0
  SHA512: d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
  Filesize: 89KB
  MD5: dba9a19752b52943a0850a7e19ac600a
  SHA1: 3485ac30cd7340eccb0457bca37cf4a6dfda583d
  SHA256: 69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
  SHA512: a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
  Filesize: 3.4MB
  MD5: 1a87ff238df9ea26e76b56f34e18402c
  SHA1: 2df48c31f3b3adb118f6472b5a2dc3081b302d7c
  SHA256: abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964
  SHA512: b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

C:\Users\Admin\AppData\Local\Temp\download\id.dat
  Filesize: 40B
  MD5: 6154289e92bb0bfe3ff41409992e9b56
  SHA1: 0f9b7079c685e4248ad36a6bc43e9e6741cc97c2
  SHA256: 9eb40763f8dc578ae98197d728e2a8985efebd50a2c4c30401f14cc22ceb155c
  SHA512: 3b123cd74e4278845f9c0e207c6a5dac68906a02ac95ae162dd076737e694978704f43082ddd23ce2767bb7afd4819414a3d33b9cfc33ff7fc323618704cdda4

\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
  Filesize: 262KB
  MD5: 0c8f2b0ee5bf990c6541025e94985c9f
  SHA1: be942f5fef752b0070ba97998bfe763b96529aa2
  SHA256: 12d6cc86fdc69e1aa8d94d38715bbe271994c0f86f85283fa2190da7c322f4c8
  SHA512: 7b0e81149fafa88050a125155732057190d8f93e8d62cb05a68da9cf24e30228f14d0ffd888c0362bffd5872e970200098e75572b2819abeea10022ab1a264f6

\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
  Filesize: 98KB
  MD5: 92154e720998acb6fa0f7bad63309470
  SHA1: 385817793b9f894ca3dd3bac20b269652df6cbc6
  SHA256: 1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096
  SHA512: 37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

\Users\Admin\AppData\Local\Temp\download\msvcp71.dll
  Filesize: 492KB
  MD5: a94dc60a90efd7a35c36d971e3ee7470
  SHA1: f936f612bc779e4ba067f77514b68c329180a380
  SHA256: 6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
  SHA512: ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

\Users\Admin\AppData\Local\Temp\download\msvcr71.dll
  Filesize: 340KB
  MD5: ca2f560921b7b8be1cf555a5a18d54c3
  SHA1: 432dbcf54b6f1142058b413a9d52668a2bde011d
  SHA256: c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
  SHA512: 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

\Users\Admin\AppData\Local\Temp\download\zlib1.dll
  Filesize: 58KB
  MD5: 89f6488524eaa3e5a66c5f34f3b92405
  SHA1: 330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
  SHA256: bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
  SHA512: cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

\Users\Admin\AppData\Local\Temp\xldl.dll
  Filesize: 286KB
  MD5: 40e8d381da7c2badc4b6f0cdb4b5378f
  SHA1: 3646338c6a20f17bf4383a8d053ce37681df8ead
  SHA256: cb0b0c42dae0a1e946f97f6bda522eb5ad943cb632ba3d19f597ecb3e1f5eb94
  SHA512: 68dc5128d2e90885ca0e69dced80254e87ab765faefaf152b3cf452b37fb730ec146d4930342ced3f227bd7622a93592526d73567155346de14cd76e5180e7b3

memory/1448-77-0x000000006FFF0000-0x0000000070000000-memory.dmp
  Filesize: 64KB

memory/1448-69-0x0000000000400000-0x0000000000456000-memory.dmp
  Filesize: 344KB

memory/1448-80-0x0000000002A00000-0x0000000002D60000-memory.dmp
  Filesize: 3.4MB

memory/1448-106-0x0000000000400000-0x0000000000456000-memory.dmp
  Filesize: 344KB

memory/2968-0-0x00000000002A0000-0x00000000003A0000-memory.dmp
  Filesize: 1024KB

memory/2968-57-0x0000000004CB0000-0x0000000004D06000-memory.dmp
  Filesize: 344KB

memory/2968-12-0x00000000002A0000-0x00000000003A0000-memory.dmp
  Filesize: 1024KB

memory/2968-66-0x0000000004CB0000-0x0000000004D06000-memory.dmp
  Filesize: 344KB

memory/2968-56-0x0000000004CB0000-0x0000000004D06000-memory.dmp
  Filesize: 344KB

memory/2968-105-0x0000000004CB0000-0x0000000004D06000-memory.dmp
  Filesize: 344KB