411c8eb3ef8e0b820306ff9ddb997a2ae4503cdd8c07f74f0f3ff696eb3b8f66

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 10:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Size

4.2MB
MD5

10fadf77d50818fc17f86b8dc0236ceb
SHA1

d6e5fa288d33b3f37d312dd03d0c1c4e928a5d4e
SHA256

411c8eb3ef8e0b820306ff9ddb997a2ae4503cdd8c07f74f0f3ff696eb3b8f66
SHA512

7a4fd2478b4c145c9b2194389be161a03014f09411655cb2db345cde6c8f283f705b142d19708f84d2696f0e048e5b62923c7b4dde19b556777fb6cd8a3d1e88
SSDEEP

98304:6yVDKiRyuGFy4+BQUtPeZKZMI0mohzqfP+UmSdcGrf:6BD+6giKWh+fPPyo

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023220-52.dat	acprotect
behavioral2/files/0x0006000000023222-58.dat	acprotect
behavioral2/files/0x0006000000023222-60.dat	acprotect
behavioral2/files/0x0006000000023220-66.dat	acprotect
behavioral2/files/0x0006000000023222-69.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2816-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/files/0x0006000000023220-52.dat	upx
behavioral2/memory/2816-56-0x0000000072FD0000-0x0000000073208000-memory.dmp	upx
behavioral2/files/0x0006000000023222-58.dat	upx
behavioral2/memory/2816-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2816-64-0x0000000003B40000-0x0000000003FD4000-memory.dmp	upx
behavioral2/files/0x0006000000023222-60.dat	upx
behavioral2/memory/2816-65-0x0000000003B40000-0x0000000003FD4000-memory.dmp	upx
behavioral2/files/0x0006000000023220-66.dat	upx
behavioral2/files/0x0006000000023222-69.dat	upx
behavioral2/memory/2816-72-0x0000000072FD0000-0x0000000073208000-memory.dmp	upx
behavioral2/memory/2816-73-0x0000000003B40000-0x0000000003FD4000-memory.dmp	upx
behavioral2/memory/2816-90-0x0000000072FD0000-0x0000000073208000-memory.dmp	upx
behavioral2/memory/2816-91-0x0000000003B40000-0x0000000003FD4000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3952	NETSTAT.EXE
3528	NETSTAT.EXE
1572	NETSTAT.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	NETSTAT.EXE
Token: SeDebugPrivilege	3528	NETSTAT.EXE
Token: SeDebugPrivilege	1572	NETSTAT.EXE
Token: 33	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: SeIncBasePriorityPrivilege	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: SeDebugPrivilege	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: 33	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
Token: SeIncBasePriorityPrivilege	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2376	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	87
PID 2816 wrote to memory of 2376	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	87
PID 2816 wrote to memory of 2376	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	87
PID 2376 wrote to memory of 3952	2376	cmd.exe	89
PID 2376 wrote to memory of 3952	2376	cmd.exe	89
PID 2376 wrote to memory of 3952	2376	cmd.exe	89
PID 2376 wrote to memory of 1172	2376	cmd.exe	90
PID 2376 wrote to memory of 1172	2376	cmd.exe	90
PID 2376 wrote to memory of 1172	2376	cmd.exe	90
PID 2816 wrote to memory of 3632	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	91
PID 2816 wrote to memory of 3632	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	91
PID 2816 wrote to memory of 3632	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	91
PID 3632 wrote to memory of 3528	3632	cmd.exe	93
PID 3632 wrote to memory of 3528	3632	cmd.exe	93
PID 3632 wrote to memory of 3528	3632	cmd.exe	93
PID 3632 wrote to memory of 3432	3632	cmd.exe	94
PID 3632 wrote to memory of 3432	3632	cmd.exe	94
PID 3632 wrote to memory of 3432	3632	cmd.exe	94
PID 2816 wrote to memory of 3184	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	95
PID 2816 wrote to memory of 3184	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	95
PID 2816 wrote to memory of 3184	2816	2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe	95
PID 3184 wrote to memory of 1572	3184	cmd.exe	97
PID 3184 wrote to memory of 1572	3184	cmd.exe	97
PID 3184 wrote to memory of 1572	3184	cmd.exe	97
PID 3184 wrote to memory of 4544	3184	cmd.exe	98
PID 3184 wrote to memory of 4544	3184	cmd.exe	98
PID 3184 wrote to memory of 4544	3184	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_10fadf77d50818fc17f86b8dc0236ceb_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "16870"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\find.exe
    find "16870"
    3⤵
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "16871"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\SysWOW64\find.exe
    find "16871"
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c netstat -ano | find "13941"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\find.exe
    find "13941"
    3⤵
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ee\Plugins\owlform_free.dll

Filesize
1.8MB

MD5
225f6b7092c8f856fa4c0fd07799c859

SHA1
98a8e478d43bd3146760d3944fffcb29d5e94330

SHA256
d07b2c47d3808a00f78cc96ee7fea97f5e24fabffa94788f4277efec5a04ede6

SHA512
b68d18a9feeb783d294e6222052d4031a417b2673b056707ea7673041f10f20f0cd1da981d7ed8387dfaf67848667bdb63bf92d49d04d335e8f0ce9575dd554f

Download Submit
C:\ProgramData\ee\Plugins\owlform_free.dll

Filesize
1.8MB

MD5
225f6b7092c8f856fa4c0fd07799c859

SHA1
98a8e478d43bd3146760d3944fffcb29d5e94330

SHA256
d07b2c47d3808a00f78cc96ee7fea97f5e24fabffa94788f4277efec5a04ede6

SHA512
b68d18a9feeb783d294e6222052d4031a417b2673b056707ea7673041f10f20f0cd1da981d7ed8387dfaf67848667bdb63bf92d49d04d335e8f0ce9575dd554f

Download Submit
C:\ProgramData\ee\Plugins\owlform_free.dll

Filesize
1.8MB

MD5
225f6b7092c8f856fa4c0fd07799c859

SHA1
98a8e478d43bd3146760d3944fffcb29d5e94330

SHA256
d07b2c47d3808a00f78cc96ee7fea97f5e24fabffa94788f4277efec5a04ede6

SHA512
b68d18a9feeb783d294e6222052d4031a417b2673b056707ea7673041f10f20f0cd1da981d7ed8387dfaf67848667bdb63bf92d49d04d335e8f0ce9575dd554f

Download Submit
C:\ProgramData\ee\Plugins\rapidjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\ProgramData\ee\Plugins\rapidjson.dll

Filesize
192KB

MD5
2244857ed4d33e3ab8b32c1a09eaff39

SHA1
9af9d5bc1be9c202471075b5222500c409428fd0

SHA256
e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d

SHA512
c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590

Download Submit
C:\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
C:\ee\Plugins\hp_socket4c.dll

Filesize
792KB

MD5
6637599f87ab11b6238f2f24c55797fc

SHA1
a84090bed39c91503300ab3bd78883001bf71aac

SHA256
65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac

SHA512
8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828

Download Submit
memory/2816-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-56-0x0000000072FD0000-0x0000000073208000-memory.dmp

Filesize
2.2MB

Download
memory/2816-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-64-0x0000000003B40000-0x0000000003FD4000-memory.dmp

Filesize
4.6MB

Download
memory/2816-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-65-0x0000000003B40000-0x0000000003FD4000-memory.dmp

Filesize
4.6MB

Download
memory/2816-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-67-0x0000000004090000-0x00000000040B7000-memory.dmp

Filesize
156KB

Download
memory/2816-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2816-72-0x0000000072FD0000-0x0000000073208000-memory.dmp

Filesize
2.2MB

Download
memory/2816-73-0x0000000003B40000-0x0000000003FD4000-memory.dmp

Filesize
4.6MB

Download
memory/2816-90-0x0000000072FD0000-0x0000000073208000-memory.dmp

Filesize
2.2MB

Download
memory/2816-91-0x0000000003B40000-0x0000000003FD4000-memory.dmp

Filesize
4.6MB

Download