61b5303feb469223d5a3891c190e9b0e49786cc59408074e8f5e0ea6101ba257

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 13:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
Size

2.6MB
MD5

72242a2ceac1573f23a34cb4e0cd6d69
SHA1

137dec2d6b87a76affd3e7a359d37bd191f63d81
SHA256

61b5303feb469223d5a3891c190e9b0e49786cc59408074e8f5e0ea6101ba257
SHA512

da8117ca7e9290af8f177e126ff8a6b802d4ba65e110533ee6a084a962cc3c182deb8b10b34b06743ef1b685d75f2d368d3f63a2aa8e533b4478d92bfbccb46a
SSDEEP

24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6LP:tl1vqjdPQRw/D4mizA0dizLrB51vG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000012029-55.dat	autoit_exe
behavioral1/files/0x0009000000012029-58.dat	autoit_exe
behavioral1/files/0x0009000000012029-59.dat	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
File created	C:\WINDOWS\Media\ActiveX.ocx	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\Total = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com\ = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\NumberOfSubdomains = "1"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2376	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2376	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	28
PID 2500 wrote to memory of 2376	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	28
PID 2500 wrote to memory of 2376	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	28
PID 2500 wrote to memory of 2376	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	28
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30
PID 2500 wrote to memory of 824	2500	72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\72242a2ceac1573f23a34cb4e0cd6d69_backswap_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
  "C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
642KB

MD5
d871f2c4088b8b4044a06352378e5f47

SHA1
1ac52a4fa15aaee20307c475ff0ef95351418074

SHA256
bfc4f31183a35555e19d2095a743129b20949acbcb5ea43a5fbfaa0b7e624bfa

SHA512
294a0cc0d8f89b077821ed97891dc693bdb6dd3f7b4436840f78e5663ece817cf6400d782f31ae33b8fdbbffa9c1691e2411fc9240d2100c2c1e2a4be71b2d68

Download Submit
C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
642KB

MD5
d871f2c4088b8b4044a06352378e5f47

SHA1
1ac52a4fa15aaee20307c475ff0ef95351418074

SHA256
bfc4f31183a35555e19d2095a743129b20949acbcb5ea43a5fbfaa0b7e624bfa

SHA512
294a0cc0d8f89b077821ed97891dc693bdb6dd3f7b4436840f78e5663ece817cf6400d782f31ae33b8fdbbffa9c1691e2411fc9240d2100c2c1e2a4be71b2d68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24935eb0395511c3047e9c38b71afbf1

SHA1
de10463bb696ab8e7aac4d4d70f6f9c8c912515f

SHA256
98d65b05e0bd1b6699a7343b722fe452f26ee8fb6c2f4215e4e227251f76bd80

SHA512
d040de50461dcc9975705b0727d8a11e522a94f6dcef307b05bc2f9fe8cc6d3dea8c4bdf56c9a2f1179b1c846459d8d95e73f0d4f36701257c287248d286e182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5H6G87BW\live.64ma[1].xml

Filesize
3KB

MD5
d3825f3b83b5dfe9a05458da8493c353

SHA1
0f13aec0f3da6c365dfe2c81f599cfc220526440

SHA256
e7a0b2d8b5eab4ff2baffca7ef0f74d9f1def5e811156699d2e5aa17839c7c62

SHA512
7a4ab1fc55bd5fee73b445cce91dae2603253f7307a41c8478ebb91d444f6436d3d860dedf1d9fd617d5112c5f2625cd9d9a553b845a72b030410e078a41f29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C4A.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EAE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
a09e8cfaa57affad4369c03db40e1612

SHA1
a5c0085626d5699e2387181ff3b6b7516c7f274d

SHA256
3e996c0dc018a5445ff589b70e7703c41e2d25251912594eb987b4a8ba02208a

SHA512
db51d0d74704a82523186c00605e1eef755193091ae27e493c59f8923c83850d327b9f9cd222972d4c276749292c3da602a6714bf88e2fe49a8bb5160daf9aa7

Download Submit
\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
642KB

MD5
d871f2c4088b8b4044a06352378e5f47

SHA1
1ac52a4fa15aaee20307c475ff0ef95351418074

SHA256
bfc4f31183a35555e19d2095a743129b20949acbcb5ea43a5fbfaa0b7e624bfa

SHA512
294a0cc0d8f89b077821ed97891dc693bdb6dd3f7b4436840f78e5663ece817cf6400d782f31ae33b8fdbbffa9c1691e2411fc9240d2100c2c1e2a4be71b2d68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads