97c1f79c3e954209f8db93f42ff91f291e084e102b4c80cf9abc172d8dd83ef4

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe
Size

22.6MB
MD5

635b4808e39d6bbd870fdd05ba0cbbfc
SHA1

b63b5e17d576470a6016458055675a6d9d890065
SHA256

97c1f79c3e954209f8db93f42ff91f291e084e102b4c80cf9abc172d8dd83ef4
SHA512

fe6d6e595241590392263f2de04e8e1d82cf5c5d00d288f38fcf30ada7f90da441e5a51a616d9cd9337e4bde39ef1c3ae6aa236e9576512878ef60963a26c167
SSDEEP

393216:lKtxJ6cHoSShHswbGsevhadltwq+B6nyg3/jjYap/nUDZXeltvy+XZtns/G:lgJ67tHd61sltl+Bgygoap/UDdgtxrD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3576	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
3576	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3576	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2948	635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe
2948	635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe
3576	autorun.exe
3576	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3576	2948	635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe	81
PID 2948 wrote to memory of 3576	2948	635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe	81
PID 2948 wrote to memory of 3576	2948	635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe	81

C:\Users\Admin\AppData\Local\Temp\635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\635b4808e39d6bbd870fdd05ba0cbbfc_icedid_JC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg

Filesize
3KB

MD5
fc2a595f574b1ead82a6dcf06492c985

SHA1
400626784368fb9825a954ab8e14238054a277d1

SHA256
ee9a4903a8df90eff4c5b65a8073e564a3581cf73772a72eb82396e69932e769

SHA512
06506e70170a85a2d697550bfb555a19e210e93b972a38a482448cf8eca335605583d04f74f5fdd2911203c58aaca2f55b946c2dfe754ecf17c6b1763b7e37db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\0001-windows-7.btn

Filesize
3KB

MD5
967fdfe0a01c083804673b4976ad6730

SHA1
5d05ade6dd0d1d67ea7879cd8f7779ef53abbd4c

SHA256
72eda9d49bcd0cd3b540f75c4215714378afbb1ce40afcbb7a0b246ab2a44f21

SHA512
50acacf15fa4cfa8319f789fb534cdb4a8d559ceb3e5e832b32015ff2fbee2c3902abfc83bc2493d57298ed32d0aeb6817e077758c4c2c956432b1d3f3c738d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Polycope_mecanique_du_point_materiel_SMP_S1.pdf

Filesize
4.3MB

MD5
6c9ece9a2840bcd823c4516832327a0e

SHA1
71563541ee5d96730cedd78566a06a9b0abd661b

SHA256
5e133a302b9ec6fb1e9ac68d8d6bd3ff74df406ed9a841d5021afc6566ed1449

SHA512
824637ff9602dc5ff177662d5c99a66b2a1d620c9d6c1fa6586c11173cef723d241d75d1dfcff08f7b5b5d9bb3ee7206f834aa45a6d11f468b41954591b47b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\28fa329bdcd547dd194486954026bdcb_large.jpeg

Filesize
1.4MB

MD5
cd531ebd7191e54325f251c14864188a

SHA1
bf0fda3637f91f7906007f408cc22b7cf60af134

SHA256
d2e3896a4f34b38553847f88ca1a93c67a95abe6e4c34d6b7a0fddb5912ba5c8

SHA512
69cd7250e0f52daa98092a8711017fd0d129c41da0fbea3ddfe17056eed137c06b114313d273ebc357c6f9b878764c15b60c8a65a3d2ceb74bec61008e0f54d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\FacebookIcon.jpg

Filesize
53KB

MD5
df7d5c5296fc9a2785ae874018957a41

SHA1
4257174c32d18b286bedbeb9593bf5adb7a36745

SHA256
a763ef5760eadb7b259421bd75c310f4598da8d3a54ab2bc831aae258b757ae5

SHA512
8d5afe7fb755a36ccafd9902615ad47398d6d9673daf84e2763b3c591fe067e3fb5fd6d6c6494f3f6a69a2e8fcf9964353f2dfbe0642d00a25ffd79a4a5d97be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
1.0MB

MD5
61c2870af298fcd73055013f684e45d1

SHA1
3dc7c313054cd83f88924ddb31e5b7ec34d29e62

SHA256
6d38cb6e148c28185d9c3a0c4800baa42563a8547a951820b219ca951abaa098

SHA512
b097e213bd4b33202bcc3c218114feb395ca7fcce9ef514bf16c648a796730b776837b809ded97517bd3320fa87b0e6e3d1ff3be872f1488d28c392cb8bc1d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Book-icon.ico

Filesize
16KB

MD5
d5d06a5c10b681df2136933dfa840f42

SHA1
d02be6dbe82516086c35ba226f538e1fffe0311e

SHA256
2f7cfb7f0833077fa2b20d0382348c90310775ebf0dfee0e19a81de1238f1f45

SHA512
d2fc15292e835ce28e6d156d9fc9046896005d908a3496149140a3056b9a8d0239165f0364b1d1d6ae67201198b56d8fdc1c4e2894d89e47c3a33968ec97b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Book-icon.ico

Filesize
16KB

MD5
d5d06a5c10b681df2136933dfa840f42

SHA1
d02be6dbe82516086c35ba226f538e1fffe0311e

SHA256
2f7cfb7f0833077fa2b20d0382348c90310775ebf0dfee0e19a81de1238f1f45

SHA512
d2fc15292e835ce28e6d156d9fc9046896005d908a3496149140a3056b9a8d0239165f0364b1d1d6ae67201198b56d8fdc1c4e2894d89e47c3a33968ec97b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.6MB

MD5
ebd815fd954563ded6211e66c229d29f

SHA1
41679c42af25f55ba6fa25d57fa179827feddca9

SHA256
a862ac8a9780eabfae019fc100978f167a00f4e343423369f76fbd3ebcc3e9eb

SHA512
811452de2d143284894714ec050e5befbf51149addcda041c239eb7054cebb440ae3a8d78683c20a0674aa2a6878a5f7c9a01591ebca0efd596aa9a531edf1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.6MB

MD5
ebd815fd954563ded6211e66c229d29f

SHA1
41679c42af25f55ba6fa25d57fa179827feddca9

SHA256
a862ac8a9780eabfae019fc100978f167a00f4e343423369f76fbd3ebcc3e9eb

SHA512
811452de2d143284894714ec050e5befbf51149addcda041c239eb7054cebb440ae3a8d78683c20a0674aa2a6878a5f7c9a01591ebca0efd596aa9a531edf1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
bdd4aaeada7f7636705ccd5707b8c9f4

SHA1
60694b97f5ab5e7f009e1d8d510809e1f3ca88b6

SHA256
fea5ac5993963871b02fbf45e9e6a887aef621ff3351bb21cd3143865e7fc6b6

SHA512
c82ea4a241664e628029e989c9b657174026c3410c5e3b1ae92ba8c3db002145bd068a6aa3caa95cc64fad4cab0fc4c30ea5f6b2ef9d3290e0828e83ffad4c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
bdd4aaeada7f7636705ccd5707b8c9f4

SHA1
60694b97f5ab5e7f009e1d8d510809e1f3ca88b6

SHA256
fea5ac5993963871b02fbf45e9e6a887aef621ff3351bb21cd3143865e7fc6b6

SHA512
c82ea4a241664e628029e989c9b657174026c3410c5e3b1ae92ba8c3db002145bd068a6aa3caa95cc64fad4cab0fc4c30ea5f6b2ef9d3290e0828e83ffad4c9f

Download Submit