1a71e8811d5d5b4dfc137e1c9a5bf6c4acac1fff675746be8d45e819a4491d0e

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08/08/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
Size

18.5MB
MD5

9c9f56f51cd849caa142f0c014bd4080
SHA1

d24a31dbbe08dca5e9353592d1ecaae35b668435
SHA256

1a71e8811d5d5b4dfc137e1c9a5bf6c4acac1fff675746be8d45e819a4491d0e
SHA512

733e9e935f91b7ebbe509681909c0ba6fe2e9d2af731626512a6e248fcb496cd9b6a649c248026d74fd5d8e766e699aec61748e2a6ee908007a87cfbfd091330
SSDEEP

196608:wjWEjWWs3TehREvuI+kL2t0La3ZKat01NHqDXJqNjEe4pc3+rk5q55:ycT7vMkL27re1NHqbJYPDq55

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe"	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\wabmig.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Mail\wab.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
2196	9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe

C:\Users\Admin\AppData\Local\Temp\9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9c9f56f51cd849caa142f0c014bd4080_icedid_lightbolt_JC.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
18.5MB

MD5
aac45583c14fe3dbef136f239e07472b

SHA1
623e73397fe2ae2cdd9e0c32ed4f65152e1c7c07

SHA256
3738af2ca6c45725ca1ac588052977f28fc7e96177731acbd0c865986dbfe345

SHA512
e9a24d410614b4dc44f093f9227bd65e1892806895ef1e91e08bd3f9e6fa1fdad284cbd51d4ba4d43ddfa3f0874a856ec8fc288e27f3a52b24e091f948dbb9d1

Download Submit