bfa331f27117414c0a3ddbb37147e61218327308b4380b98affd64245e73d7c0

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
Size

1.7MB
MD5

401aa8d6b8388a465081663d0d68c3aa
SHA1

f27621c83102d4ecf82229429aba940c1e986fee
SHA256

bfa331f27117414c0a3ddbb37147e61218327308b4380b98affd64245e73d7c0
SHA512

df14b05685c0486ec86c63d9f0cdafc964b59fab2dd8146f065e8a19d0646ca58e4f3135590a17a8b75778bb8a46b80ac47cd9f53b8b6b1bc1108b1b2a60e596
SSDEEP

24576:dDU6nNzl7Xlb2d9qmc3SCyJTE4XX/385g1S3t0fZn:dDrNT2domciCux/385g17x

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MsIo64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\MsIo64.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EneIo64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EneIo64.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\101463d65d9\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\101463d65d9.bin"	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\103415d7ad4\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\103415d7ad4.bin"	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\NalDrv.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RTCore64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\RTCore64.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Gdrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Gdrv.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ATSZIO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ATSZIO.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EneTechIo64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EneTechIo64.sys"	662013f14884409e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\102de9de343\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\102de9de343.bin"	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GLCKIo2\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\GLCKIo2.sys"	662013f14884409e.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	662013f14884409e.exe

Loads dropped DLL 1 IoCs

pid	Process
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe
1860	662013f14884409e.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
Token: SeSystemEnvironmentPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe
Token: SeDebugPrivilege	1860	662013f14884409e.exe
Token: SeLoadDriverPrivilege	1860	662013f14884409e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1860	4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe	87
PID 4968 wrote to memory of 1860	4968	2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_401aa8d6b8388a465081663d0d68c3aa_icedid_JC.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\662013f14884409e.exe
  "C:\Users\Admin\AppData\Local\Temp\662013f14884409e.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\662013f14884409e.exe

Filesize
456KB

MD5
b37b7cb0d855149fc56b7d76fa40d54f

SHA1
e402a250ec28e5d5c3f30dc706bdd729ac87b922

SHA256
2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45

SHA512
08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357

Download Submit
C:\Users\Admin\AppData\Local\Temp\662013f14884409e.exe

Filesize
456KB

MD5
b37b7cb0d855149fc56b7d76fa40d54f

SHA1
e402a250ec28e5d5c3f30dc706bdd729ac87b922

SHA256
2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45

SHA512
08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSDrv_x86.dll

Filesize
1.0MB

MD5
7ee6f958fd421ca52e47e454456c1027

SHA1
474509f7b95b6d4e2b870710cf5dc1268006b6a7

SHA256
8a205bf5ad3537c521aa4cec7eb8341e55bbf2ce633dada2577b68f02ffec3c2

SHA512
cd33d08a2335716af06928c35a2507f52b11111caa54a995b8f1e9cd6bd907c5b962e68896360f40dfb04c243f845963aefe9d6730ab362c222e3f9826ab5548

Download Submit
memory/4968-5-0x0000000074C50000-0x0000000074D5C000-memory.dmp

Filesize
1.0MB

Download
memory/4968-34-0x0000000074C50000-0x0000000074D5C000-memory.dmp

Filesize
1.0MB

Download