07faa17ea26ffc500052fc73a26068b9c70860e470ef7273483bd50abd159a53

Analysis

max time kernel
189s
max time network
144s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
Size

712KB
MD5

0e8ec104afb5fcaa9e3888919bc3583f
SHA1

ddfc72f8b189525dd0b1714c28aa9e164302bed4
SHA256

07faa17ea26ffc500052fc73a26068b9c70860e470ef7273483bd50abd159a53
SHA512

d1bd7afe1e6b444138163335c9c88a0c3c6ed649bb3f5bf6bde54471e9555d74fbe04805797dda3405f0642f5e4ae5496a262dbe0d26d646ad67fa6d3579840a
SSDEEP

12288:TcKs7ID+pX37Zv0b5h8coJ7526o2YGBHWiSAdW2qjFsL6Ko6nmbE1uShqnmt:TcKF1h8cm2wHOSWFsWbIu0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	2388.tmp

Loads dropped DLL 2 IoCs

pid	Process
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	2388.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia100.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSStr32.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DLGSETP.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup	2388.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolap100.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	2388.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL	2388.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	2388.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMSMDB32.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	2388.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	2388.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	2388.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll	2388.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	2388.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	2388.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3036	2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe	29
PID 2180 wrote to memory of 3036	2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe	29
PID 2180 wrote to memory of 3036	2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe	29
PID 2180 wrote to memory of 3036	2180	NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_0e8ec104afb5fcaa9e3888919bc3583f_icedid_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\2388.tmp
  C:\Users\Admin\AppData\Local\Temp\2388.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2388.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\2388.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\2388.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
\Users\Admin\AppData\Local\Temp\2388.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
\Users\Admin\AppData\Local\Temp\2388.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/2180-0-0x0000000001BE0000-0x0000000001C2D000-memory.dmp

Filesize
308KB

Download
memory/2180-1-0x0000000001BE0000-0x0000000001C2D000-memory.dmp

Filesize
308KB

Download