46ae2c723f1e09508add028efa57ea096ddf612ade94138ffef8785cec91b4ee

General

Target

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Size

3.8MB
MD5

eaf4fb45b88191885d2d713e22f31570
SHA1

6ce60575e53371757caeb34f5d38ff20515e4334
SHA256

46ae2c723f1e09508add028efa57ea096ddf612ade94138ffef8785cec91b4ee
SHA512

9c76c9768f1a42b90c1b05b76c560078f26fb1bd75fea98786a483e1adbf5925d84319fe75e4f9a9edb7278cbb5de34b4e1ff3331b4ff577eb8523455aa5f520
SSDEEP

49152:PHm90pQ3ZFePUeMJ6GlrsfrBEuDl1mRU+9SUh5WYyqPbDq17n8TlO:PH+Gc5lrsl1mRU+9OYnPHgb8TY

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

Modifies registry class 12 IoCs

Processes:

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

description pid process

Token: SeRestorePrivilege 4636 2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

description	pid	process
Token: SeRestorePrivilege	4636	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

pid	process
4636	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
4636	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
4636	2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_eaf4fb45b88191885d2d713e22f31570_icedid.exe"
1⤵
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads