411c8eb3ef8e0b820306ff9ddb997a2ae4503cdd8c07f74f0f3ff696eb3b8f66

Analysis

max time kernel
131s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-09-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Size

4.2MB
MD5

10fadf77d50818fc17f86b8dc0236ceb
SHA1

d6e5fa288d33b3f37d312dd03d0c1c4e928a5d4e
SHA256

411c8eb3ef8e0b820306ff9ddb997a2ae4503cdd8c07f74f0f3ff696eb3b8f66
SHA512

7a4fd2478b4c145c9b2194389be161a03014f09411655cb2db345cde6c8f283f705b142d19708f84d2696f0e048e5b62923c7b4dde19b556777fb6cd8a3d1e88
SSDEEP

98304:6yVDKiRyuGFy4+BQUtPeZKZMI0mohzqfP+UmSdcGrf:6BD+6giKWh+fPPyo

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001558b-53.dat	acprotect
behavioral1/files/0x0007000000015c6a-58.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/files/0x000900000001558b-53.dat	upx
behavioral1/memory/1696-56-0x0000000074650000-0x0000000074888000-memory.dmp	upx
behavioral1/files/0x0007000000015c6a-58.dat	upx
behavioral1/memory/1696-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1696-61-0x0000000003F80000-0x0000000004414000-memory.dmp	upx
behavioral1/memory/1696-103-0x0000000074650000-0x0000000074888000-memory.dmp	upx
behavioral1/memory/1696-104-0x0000000003F80000-0x0000000004414000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
268	NETSTAT.EXE
2868	NETSTAT.EXE
2184	NETSTAT.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	NETSTAT.EXE
Token: SeDebugPrivilege	2184	NETSTAT.EXE
Token: SeDebugPrivilege	268	NETSTAT.EXE
Token: 33	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: SeIncBasePriorityPrivilege	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: 33	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: SeIncBasePriorityPrivilege	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1908	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	29
PID 1696 wrote to memory of 1908	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	29
PID 1696 wrote to memory of 1908	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	29
PID 1696 wrote to memory of 1908	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	29
PID 1908 wrote to memory of 2868	1908	cmd.exe	31
PID 1908 wrote to memory of 2868	1908	cmd.exe	31
PID 1908 wrote to memory of 2868	1908	cmd.exe	31
PID 1908 wrote to memory of 2868	1908	cmd.exe	31
PID 1908 wrote to memory of 2848	1908	cmd.exe	32
PID 1908 wrote to memory of 2848	1908	cmd.exe	32
PID 1908 wrote to memory of 2848	1908	cmd.exe	32
PID 1908 wrote to memory of 2848	1908	cmd.exe	32
PID 1696 wrote to memory of 2876	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	33
PID 1696 wrote to memory of 2876	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	33
PID 1696 wrote to memory of 2876	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	33
PID 1696 wrote to memory of 2876	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	33
PID 2876 wrote to memory of 2184	2876	cmd.exe	35
PID 2876 wrote to memory of 2184	2876	cmd.exe	35
PID 2876 wrote to memory of 2184	2876	cmd.exe	35
PID 2876 wrote to memory of 2184	2876	cmd.exe	35
PID 2876 wrote to memory of 1096	2876	cmd.exe	36
PID 2876 wrote to memory of 1096	2876	cmd.exe	36
PID 2876 wrote to memory of 1096	2876	cmd.exe	36
PID 2876 wrote to memory of 1096	2876	cmd.exe	36
PID 1696 wrote to memory of 2864	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	37
PID 1696 wrote to memory of 2864	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	37
PID 1696 wrote to memory of 2864	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	37
PID 1696 wrote to memory of 2864	1696	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	37
PID 2864 wrote to memory of 268	2864	cmd.exe	40
PID 2864 wrote to memory of 268	2864	cmd.exe	40
PID 2864 wrote to memory of 268	2864	cmd.exe	40
PID 2864 wrote to memory of 268	2864	cmd.exe	40
PID 2864 wrote to memory of 792	2864	cmd.exe	39
PID 2864 wrote to memory of 792	2864	cmd.exe	39
PID 2864 wrote to memory of 792	2864	cmd.exe	39
PID 2864 wrote to memory of 792	2864	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "16870"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\SysWOW64\find.exe
    find "16870"
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "16871"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\find.exe
    find "16871"
    3⤵
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "13941"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\find.exe
    find "13941"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab47EB.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar482C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\ProgramData\ee\Plugins\owlform_free.dll

Filesize
1.8MB

MD5
225f6b7092c8f856fa4c0fd07799c859

SHA1
98a8e478d43bd3146760d3944fffcb29d5e94330

SHA256
d07b2c47d3808a00f78cc96ee7fea97f5e24fabffa94788f4277efec5a04ede6

SHA512
b68d18a9feeb783d294e6222052d4031a417b2673b056707ea7673041f10f20f0cd1da981d7ed8387dfaf67848667bdb63bf92d49d04d335e8f0ce9575dd554f

Download Submit
\ProgramData\ee\Plugins\rapidjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
memory/1696-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-56-0x0000000074650000-0x0000000074888000-memory.dmp

Filesize
2.2MB

Download
memory/1696-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-61-0x0000000003F80000-0x0000000004414000-memory.dmp

Filesize
4.6MB

Download
memory/1696-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1696-103-0x0000000074650000-0x0000000074888000-memory.dmp

Filesize
2.2MB

Download
memory/1696-104-0x0000000003F80000-0x0000000004414000-memory.dmp

Filesize
4.6MB

Download