ccec3d5e49c5d1de909bc5d9abee147604bdeaca7cd50103a8d27ae5642903a7

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06-08-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
Size

5.8MB
MD5

864290e3e41a44088ce77f8e9a45b254
SHA1

9b0b6775aaafe2a1c6f75feca09804f7532c674b
SHA256

ccec3d5e49c5d1de909bc5d9abee147604bdeaca7cd50103a8d27ae5642903a7
SHA512

aea91673cc0d0785136b5fb929b81d018041801a0c6e94e71528a2bdd6bcdc3a6edc74d9ed85a1fd593400adc6072069609a9d73c62a6dbefc3de46400010c5c
SSDEEP

98304:Hd6RAG3iQ8op+ezwWwNIyTQbMGLd51YkPu4cJMGBj4DhDZANxBYtsb:qHL8opj2TMM0LNPy8DpZ+C2b

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1140	svchost.exe
2224	svchost.exe
2908	STBW.LDPDP
2992	svchost.exe
708	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1140	svchost.exe
2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
1620	regsvr32.exe
1272	regsvr32.exe
2908	STBW.LDPDP

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-101-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-110-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-112-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-114-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-116-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-118-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-120-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-122-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-124-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-126-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-128-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-130-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2908-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\svchost.exe\""	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	STBW.LDPDP

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ = "IEyLoginSoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}\ = "EyLogin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL\AppID = "{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL\AppID = "{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\ = "EyLogin 1.0.2.5 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS\ = "0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID\ = "{C691BF80-87AF-43A7-AD56-28D5DA857FBD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\ = "EyLoginSoft Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}\ = "EyLogin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID\ = "{C691BF80-87AF-43A7-AD56-28D5DA857FBD}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	STBW.LDPDP
Token: SeIncBasePriorityPrivilege	2224	svchost.exe
Token: SeIncBasePriorityPrivilege	2224	svchost.exe
Token: SeIncBasePriorityPrivilege	2224	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
2908	STBW.LDPDP
2908	STBW.LDPDP
2908	STBW.LDPDP

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1140	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	29
PID 2564 wrote to memory of 1140	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	29
PID 2564 wrote to memory of 1140	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	29
PID 2564 wrote to memory of 1140	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	29
PID 1140 wrote to memory of 2224	1140	svchost.exe	30
PID 1140 wrote to memory of 2224	1140	svchost.exe	30
PID 1140 wrote to memory of 2224	1140	svchost.exe	30
PID 1140 wrote to memory of 2224	1140	svchost.exe	30
PID 1140 wrote to memory of 2920	1140	svchost.exe	31
PID 1140 wrote to memory of 2920	1140	svchost.exe	31
PID 1140 wrote to memory of 2920	1140	svchost.exe	31
PID 1140 wrote to memory of 2920	1140	svchost.exe	31
PID 2564 wrote to memory of 2908	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	33
PID 2564 wrote to memory of 2908	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	33
PID 2564 wrote to memory of 2908	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	33
PID 2564 wrote to memory of 2908	2564	864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe	33
PID 2908 wrote to memory of 2992	2908	STBW.LDPDP	34
PID 2908 wrote to memory of 2992	2908	STBW.LDPDP	34
PID 2908 wrote to memory of 2992	2908	STBW.LDPDP	34
PID 2908 wrote to memory of 2992	2908	STBW.LDPDP	34
PID 2908 wrote to memory of 708	2908	STBW.LDPDP	35
PID 2908 wrote to memory of 708	2908	STBW.LDPDP	35
PID 2908 wrote to memory of 708	2908	STBW.LDPDP	35
PID 2908 wrote to memory of 708	2908	STBW.LDPDP	35
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1620	2908	STBW.LDPDP	36
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37
PID 2908 wrote to memory of 1272	2908	STBW.LDPDP	37

C:\Users\Admin\AppData\Local\Temp\864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\864290e3e41a44088ce77f8e9a45b254_hacktools_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\svchost.exe
  /svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat""
    3⤵
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\STBW.LDPDP
  "C:\Users\Admin\AppData\Local\Temp\STBW.LDPDP"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\svchost.exe
    /svchost.exe
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\svchost.exe
    /svchost.exe
    3⤵
    - Executes dropped EXE
    PID:708
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\\sjr.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1620
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\\sjr.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.bat

Filesize
78B

MD5
79d1f3542288968cdf3a15829cd3ec0d

SHA1
8b2685cd5ad3ba347a8aa02f3ec318d1a3aab1ae

SHA256
23b0df4ea63b05aa6196636b42451b5d80605ad1a7cf0b439fe072281218afe6

SHA512
eec253600b5365cfee5889bfc9eefd33103e0be95757e6fdb333a674c332a978cd79c06437cdc418c7df4c2f72ce917e08fe2a536989c3e50cb0f62a79d464bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.bat

Filesize
78B

MD5
79d1f3542288968cdf3a15829cd3ec0d

SHA1
8b2685cd5ad3ba347a8aa02f3ec318d1a3aab1ae

SHA256
23b0df4ea63b05aa6196636b42451b5d80605ad1a7cf0b439fe072281218afe6

SHA512
eec253600b5365cfee5889bfc9eefd33103e0be95757e6fdb333a674c332a978cd79c06437cdc418c7df4c2f72ce917e08fe2a536989c3e50cb0f62a79d464bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STBW.LDPDP

Filesize
5.8MB

MD5
aa3dbd520fc0dbcd40532753211d20b8

SHA1
363dbde6c4288cb271b7c2d963a725576ca0c390

SHA256
a472491f8f969c8b33a193bbd1c75366d49c7f2d7bfac0d289f1c26419535607

SHA512
ed951ebd846091b7c7f0946907947c7b534cdc779741f960187b449c62e0b80db26fa9bc36a92dbbf3f56a164423d57a242ed9223548aad6dfecf804d038728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\STBW.LDPDP

Filesize
5.8MB

MD5
aa3dbd520fc0dbcd40532753211d20b8

SHA1
363dbde6c4288cb271b7c2d963a725576ca0c390

SHA256
a472491f8f969c8b33a193bbd1c75366d49c7f2d7bfac0d289f1c26419535607

SHA512
ed951ebd846091b7c7f0946907947c7b534cdc779741f960187b449c62e0b80db26fa9bc36a92dbbf3f56a164423d57a242ed9223548aad6dfecf804d038728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\STBW.LDPDP

Filesize
5.8MB

MD5
aa3dbd520fc0dbcd40532753211d20b8

SHA1
363dbde6c4288cb271b7c2d963a725576ca0c390

SHA256
a472491f8f969c8b33a193bbd1c75366d49c7f2d7bfac0d289f1c26419535607

SHA512
ed951ebd846091b7c7f0946907947c7b534cdc779741f960187b449c62e0b80db26fa9bc36a92dbbf3f56a164423d57a242ed9223548aad6dfecf804d038728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjr.dll

Filesize
2.1MB

MD5
3bdb92b38bdc6a5702ec1454534d0951

SHA1
9276b0c8de889744fcdf34e7c81e158830b8bcbb

SHA256
25ba0f3a0f6ddb0e9b0078640a8a2a2bf7e8948e0579d2080379debc8a272681

SHA512
cff7a9033f7a141f52f0ad3152e97a5313f1185669d9e6da4d60a68602c6a1af3ec5250e1c39ea328758419e5d0a826bb5085f3e96fa4019f3c5c2e586f1c35f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
C:\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe

Filesize
707KB

MD5
6be57b5f84b3ae053023dbf7d64ab7e1

SHA1
b02656c26acfdb2357fa54b918ed9019600f80de

SHA256
06cd62623d3a299d9e86d6c2154d1736356d373a322cdff3a54e940ecfee6030

SHA512
369f9b6e81caadbd3eecc8e3c9a676396a7432d6bc847e8710872ef296a36c34c4bdc3ad39e285b6f9bad51fd4dff2062816f69e192c93bbfd11580d2ec2226f

Download Submit
\Users\Admin\AppData\Local\Temp\STBW.LDPDP

Filesize
5.8MB

MD5
aa3dbd520fc0dbcd40532753211d20b8

SHA1
363dbde6c4288cb271b7c2d963a725576ca0c390

SHA256
a472491f8f969c8b33a193bbd1c75366d49c7f2d7bfac0d289f1c26419535607

SHA512
ed951ebd846091b7c7f0946907947c7b534cdc779741f960187b449c62e0b80db26fa9bc36a92dbbf3f56a164423d57a242ed9223548aad6dfecf804d038728b

Download Submit
\Users\Admin\AppData\Local\Temp\STBW.LDPDP

Filesize
5.8MB

MD5
aa3dbd520fc0dbcd40532753211d20b8

SHA1
363dbde6c4288cb271b7c2d963a725576ca0c390

SHA256
a472491f8f969c8b33a193bbd1c75366d49c7f2d7bfac0d289f1c26419535607

SHA512
ed951ebd846091b7c7f0946907947c7b534cdc779741f960187b449c62e0b80db26fa9bc36a92dbbf3f56a164423d57a242ed9223548aad6dfecf804d038728b

Download Submit
\Users\Admin\AppData\Local\Temp\sjr.dll

Filesize
2.1MB

MD5
3bdb92b38bdc6a5702ec1454534d0951

SHA1
9276b0c8de889744fcdf34e7c81e158830b8bcbb

SHA256
25ba0f3a0f6ddb0e9b0078640a8a2a2bf7e8948e0579d2080379debc8a272681

SHA512
cff7a9033f7a141f52f0ad3152e97a5313f1185669d9e6da4d60a68602c6a1af3ec5250e1c39ea328758419e5d0a826bb5085f3e96fa4019f3c5c2e586f1c35f

Download Submit
\Users\Admin\AppData\Local\Temp\sjr.dll

Filesize
2.1MB

MD5
3bdb92b38bdc6a5702ec1454534d0951

SHA1
9276b0c8de889744fcdf34e7c81e158830b8bcbb

SHA256
25ba0f3a0f6ddb0e9b0078640a8a2a2bf7e8948e0579d2080379debc8a272681

SHA512
cff7a9033f7a141f52f0ad3152e97a5313f1185669d9e6da4d60a68602c6a1af3ec5250e1c39ea328758419e5d0a826bb5085f3e96fa4019f3c5c2e586f1c35f

Download Submit
\Users\Admin\AppData\Local\Temp\sjr.dll

Filesize
2.1MB

MD5
3bdb92b38bdc6a5702ec1454534d0951

SHA1
9276b0c8de889744fcdf34e7c81e158830b8bcbb

SHA256
25ba0f3a0f6ddb0e9b0078640a8a2a2bf7e8948e0579d2080379debc8a272681

SHA512
cff7a9033f7a141f52f0ad3152e97a5313f1185669d9e6da4d60a68602c6a1af3ec5250e1c39ea328758419e5d0a826bb5085f3e96fa4019f3c5c2e586f1c35f

Download Submit
memory/708-139-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/708-138-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1140-75-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1140-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1272-149-0x0000000073D40000-0x000000007420B000-memory.dmp

Filesize
4.8MB

Download
memory/1272-148-0x0000000073D40000-0x000000007420B000-memory.dmp

Filesize
4.8MB

Download
memory/1620-145-0x0000000073D40000-0x000000007420B000-memory.dmp

Filesize
4.8MB

Download
memory/1620-144-0x0000000073D40000-0x000000007420B000-memory.dmp

Filesize
4.8MB

Download
memory/2224-155-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2224-162-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2224-109-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2224-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2908-112-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-118-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-120-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-122-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-124-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-126-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-128-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-130-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-114-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-110-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-116-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-101-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2908-152-0x0000000073FE0000-0x00000000744AB000-memory.dmp

Filesize
4.8MB

Download
memory/2908-153-0x0000000073FE0000-0x00000000744AB000-memory.dmp

Filesize
4.8MB

Download
memory/2908-156-0x0000000073FE0000-0x00000000744AB000-memory.dmp

Filesize
4.8MB

Download
memory/2992-87-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2992-88-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download