45ef35da373b5dc185b9205b2cc56ee5b226bf99257867a66b4a14f58a48c438

General

Target

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
Size

284KB
MD5

bc98c095a804215bf82755355aded823
SHA1

e4445cf7416969eebb12a31d573baa990a8ecf04
SHA256

45ef35da373b5dc185b9205b2cc56ee5b226bf99257867a66b4a14f58a48c438
SHA512

6831a191dfff649e133007b030c2d419c60966560f9f2033c19234af8c402c21e0136b2aad1c6d5d798c2075f4b01563b712c90506fd0e5a11637b91be9def3f
SSDEEP

6144:3lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:3lDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sethome9304.exe

pid process

2496 sethome9304.exe
Loads dropped DLL 2 IoCs

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

pid process

2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2496	sethome9304.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

description	ioc	process
File created	\??\c:\windows\system\sethome9304.exe	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
File opened for modification	\??\c:\windows\system\sethome9304.exe	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

pid process

2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exesethome9304.exe

pid	process
2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
2496	sethome9304.exe
2496	sethome9304.exe
2496	sethome9304.exe
2496	sethome9304.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe

description	pid	process	target process
PID 2864 wrote to memory of 2496	2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe	sethome9304.exe
PID 2864 wrote to memory of 2496	2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe	sethome9304.exe
PID 2864 wrote to memory of 2496	2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe	sethome9304.exe
PID 2864 wrote to memory of 2496	2864	2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe	sethome9304.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864

\??\c:\windows\system\sethome9304.exe
c:\windows\system\sethome9304.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk
Filesize
965B

MD5
b9440a68f4e2225b51164e145bf3b7e3

SHA1
4bb99f3bfe864004cb8b639fd0e1fbbfc554e3ea

SHA256
1ae7763686fa1e0c74f4480df3f3f374f9c91c12da9b09fbf173ba23ddae6004

SHA512
06102730d5d672dbaf8192453d188289a8098cb361e427d6b54810974f954e114f05d93609f43486aa85de0db7f43f19318985e2d203c9c7a6713faefa41f669

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Filesize
1KB

MD5
c67acbab733ace624a578699e5fb6dad

SHA1
a5f40b7ab132778a8aa98e2e493a818167a9b363

SHA256
8cff500b97c3bc2d44c732ef7347b4d72eb1849f37d18b13ad9891c8c38fded7

SHA512
2bf0ce531016b26b8eb72de821de077b177956075119cec540aacc983f3bcde5fa5c093a3c9a45bb17b54cfc587c22b1821e5b1d786a782bbd3c9455fb2c5d13

Download Submit
C:\Users\abc.lnk
Filesize
1KB

MD5
0e67f28e8030c7f19c003a0cc05761e6

SHA1
78ddeb5407c25dd790134c1d3d9cf8407cc2abb0

SHA256
7cd0a70a12d71b044e5134026949a4e301b1848a2c7fb123a970e2a63ee4f513

SHA512
4a36ca2a62f04873056a07171670133167243ad05491dba5c000cf4376d399466a61266bb5c95eab3857462e89a82824ef53e10d80fe93d3b8da7b3355598fb3

Download Submit
\Windows\system\sethome9304.exe
Filesize
284KB

MD5
91133dd7caa6e08ebcd9ca23b9db2529

SHA1
f15f79fbebff7e868baec1d757396212d5b1f3fc

SHA256
13665df077a15fde8ca55877ffc4e47a4763b4059b5f38682cd34f12b393080f

SHA512
cf5e215affdab49679b1e261e7614f8a0e98c68b54b48afbdf7f42f719abb1ca39c4e7b96e1bf2a8dccc6716a9f0aeb2fd61de12dd0e1352962937ec4417cea1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads