Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 10:15
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
Resource
win7-20240221-en
General
-
Target
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe
-
Size
284KB
-
MD5
bc98c095a804215bf82755355aded823
-
SHA1
e4445cf7416969eebb12a31d573baa990a8ecf04
-
SHA256
45ef35da373b5dc185b9205b2cc56ee5b226bf99257867a66b4a14f58a48c438
-
SHA512
6831a191dfff649e133007b030c2d419c60966560f9f2033c19234af8c402c21e0136b2aad1c6d5d798c2075f4b01563b712c90506fd0e5a11637b91be9def3f
-
SSDEEP
6144:3lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:3lDx7mlHZo7HoRv177ePH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
sethome9304.exepid process 2496 sethome9304.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exepid process 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 2 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exedescription ioc process File created \??\c:\windows\system\sethome9304.exe 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe File opened for modification \??\c:\windows\system\sethome9304.exe 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exepid process 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exesethome9304.exepid process 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe 2496 sethome9304.exe 2496 sethome9304.exe 2496 sethome9304.exe 2496 sethome9304.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-04-28_bc98c095a804215bf82755355aded823_icedid.exedescription pid process target process PID 2864 wrote to memory of 2496 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe sethome9304.exe PID 2864 wrote to memory of 2496 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe sethome9304.exe PID 2864 wrote to memory of 2496 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe sethome9304.exe PID 2864 wrote to memory of 2496 2864 2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe sethome9304.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_bc98c095a804215bf82755355aded823_icedid.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\sethome9304.exec:\windows\system\sethome9304.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\abc.lnkFilesize
965B
MD5b9440a68f4e2225b51164e145bf3b7e3
SHA14bb99f3bfe864004cb8b639fd0e1fbbfc554e3ea
SHA2561ae7763686fa1e0c74f4480df3f3f374f9c91c12da9b09fbf173ba23ddae6004
SHA51206102730d5d672dbaf8192453d188289a8098cb361e427d6b54810974f954e114f05d93609f43486aa85de0db7f43f19318985e2d203c9c7a6713faefa41f669
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnkFilesize
1KB
MD5c67acbab733ace624a578699e5fb6dad
SHA1a5f40b7ab132778a8aa98e2e493a818167a9b363
SHA2568cff500b97c3bc2d44c732ef7347b4d72eb1849f37d18b13ad9891c8c38fded7
SHA5122bf0ce531016b26b8eb72de821de077b177956075119cec540aacc983f3bcde5fa5c093a3c9a45bb17b54cfc587c22b1821e5b1d786a782bbd3c9455fb2c5d13
-
C:\Users\abc.lnkFilesize
1KB
MD50e67f28e8030c7f19c003a0cc05761e6
SHA178ddeb5407c25dd790134c1d3d9cf8407cc2abb0
SHA2567cd0a70a12d71b044e5134026949a4e301b1848a2c7fb123a970e2a63ee4f513
SHA5124a36ca2a62f04873056a07171670133167243ad05491dba5c000cf4376d399466a61266bb5c95eab3857462e89a82824ef53e10d80fe93d3b8da7b3355598fb3
-
\Windows\system\sethome9304.exeFilesize
284KB
MD591133dd7caa6e08ebcd9ca23b9db2529
SHA1f15f79fbebff7e868baec1d757396212d5b1f3fc
SHA25613665df077a15fde8ca55877ffc4e47a4763b4059b5f38682cd34f12b393080f
SHA512cf5e215affdab49679b1e261e7614f8a0e98c68b54b48afbdf7f42f719abb1ca39c4e7b96e1bf2a8dccc6716a9f0aeb2fd61de12dd0e1352962937ec4417cea1