8f265df381ab5dc63a8def1167a489b8250ad643c25225f573ca95d61b4cee0c

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
Size

6.9MB
MD5

3d9af85955ad14d8cfd5091dde08c49c
SHA1

ee2461dc354f5ff647ca59a70af189f4a5a3b07f
SHA256

8f265df381ab5dc63a8def1167a489b8250ad643c25225f573ca95d61b4cee0c
SHA512

f5f9778e5da2258e2277f5b43081a011ab822314e3b9b410a00ddc4401ea8d700a28b2ade7d0155cdcbd5d4001bfcdbbe603f5417582f9d9a1f4022d9ffa7649
SSDEEP

98304:3+5xKM1Woww2E5T3DoXSG8kM8pNhS9Yw8y0C7V:wS7aTcXSL8Hwf0mV

Score

8^/10

persistence ransomware

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe"	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pigdesk.bmp"	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\WallpaperStyle = "2"	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\TileWallpaper = "2"	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
3508	2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe

C:\Users\Admin\AppData\Local\Temp\2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_3d9af85955ad14d8cfd5091dde08c49c_icedid_JC.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
6.9MB

MD5
2e50f25af79353407c5762b2ed006dac

SHA1
d84b6070d18240fd2feab6aa15e84fc2b2f9d3f7

SHA256
20e50be39d38e36745f2e2085ce7aa63e17d87f27205025c70e6b4d8d02a2d51

SHA512
7433c6d393126b0a43afb3c54139554a4e7a5088b8c8adcf73cdf4e44988e3d66485b1a10a327791090fb49a2c07bec1585e4b710b46c8b62bd14e311571f088

Download Submit