e5a4ba3b4bd70406783a3ae18ce1af20ead5563b62ce785b2d3af7c6f9a85ede

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Size

1.1MB
MD5

0b1d3c602ee13d079b90d40371f338d6
SHA1

f2a92834892b79d33d482c0c53ff591615429452
SHA256

e5a4ba3b4bd70406783a3ae18ce1af20ead5563b62ce785b2d3af7c6f9a85ede
SHA512

af50cb59180a4282f99388809cc2d2c68a38e4fd7b0e85119d856b92781b1d0b341eaa2202f9b7d4e04e30ef22c3410beb5dc2507f3789597f5a50388237c05d
SSDEEP

24576:11wOZcTsKDqqywaTm0Z1heUSWGgx6PtaKzonK:z5iFyScGg6JoK

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Token: SeBackupPrivilege	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Token: SeSecurityPrivilege	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Token: SeSecurityPrivilege	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Token: SeSecurityPrivilege	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
Token: SeSecurityPrivilege	3236	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3236	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe	91
PID 5100 wrote to memory of 3236	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe	91
PID 5100 wrote to memory of 3236	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe	91
PID 5100 wrote to memory of 3236	5100	0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe	91

C:\Users\Admin\AppData\Local\Temp\0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0b1d3c602ee13d079b90d40371f338d6_icedid_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3236-151-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/3236-148-0x00000000778D2000-0x00000000778D3000-memory.dmp

Filesize
4KB

Download
memory/3236-157-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/3236-154-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/3236-152-0x0000000002600000-0x0000000002800000-memory.dmp

Filesize
2.0MB

Download
memory/3236-141-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/3236-143-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/3236-145-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/3236-144-0x0000000000B70000-0x0000000000BE4000-memory.dmp

Filesize
464KB

Download
memory/5100-134-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/5100-140-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/5100-150-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5100-133-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/5100-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5100-136-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/5100-135-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download