9c71a5d8c88d358cc47c48dfdea424f5b90a43ed17eeff1a14f768de3ee32ef3

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
Size

2.6MB
MD5

ae81bc18ce346f3f98ec02f9f2b330f1
SHA1

c4d7805ad1e88f47d1c03d16103a7f7bec1349f3
SHA256

9c71a5d8c88d358cc47c48dfdea424f5b90a43ed17eeff1a14f768de3ee32ef3
SHA512

b2bff57c21328b9e32f1d95f2360b5431a6a7b40a08bf0736a64eeb591819df0e1410946a9112619c136e85e37567384cf94710d9ac691a3acbde5e61d7aa618
SSDEEP

24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6Lu:tl1vqjdPQRw/D4mizA0dizLrB51vX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Loads dropped DLL 1 IoCs

pid	Process
944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000d0000000122a8-4.dat	autoit_exe
behavioral1/files/0x000d0000000122a8-5.dat	autoit_exe
behavioral1/files/0x000d0000000122a8-1.dat	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
File created	C:\WINDOWS\Media\ActiveX.ocx	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com\ = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\Total = "1640"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\NumberOfSubdomains = "1"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
804	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 804	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	16
PID 944 wrote to memory of 804	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	16
PID 944 wrote to memory of 804	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	16
PID 944 wrote to memory of 804	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	16
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30
PID 944 wrote to memory of 2680	944	2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe	30

C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
"C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\AppData\Local\Temp\2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_ae81bc18ce346f3f98ec02f9f2b330f1_backswap_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
93KB

MD5
7139f7c94d6f13155e9088dc9a9a01fd

SHA1
bec54c2a2f185d6c8d1289ab608fc05abdd1a224

SHA256
8b2fa1341dc9f705ed2daa939f98aa7e70b020a5bd674880af48f417ac8906b2

SHA512
e5165887a17824f52f2c1968c96194dc201435a2a247c2b057101845ec88572ddaf27615aa4a2a3065c4737f7bfecde6bfe63a8643e5ec3ef2cd6793cc0b44f8

Download Submit
C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
382KB

MD5
7cc2dae1e0b947ad5f3deae0a0fd7818

SHA1
cd304fc9811c33a057c69c2d6b3f8461b7a73ecc

SHA256
4627a3af8f8baf5058bfeb58505d756db72185d266755c1ff521c6e6ba6db949

SHA512
e3e6f4e0816912f95750b6a78ccf3251d7262edbdb52efa12ab6dde0443dc93ae7e6fc6193e5933e728c6c7a676cc2b9642ad765e241d0b86a98812ecfb7c0fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
981c33e30899e653d316560474c440da

SHA1
c44c83fcfc1dfc720ef4ba7ccc6651089c65bcd2

SHA256
08996814d123098c9e16fbba6ee6760f267c9b94f181a6d17100aa3fba97e8b5

SHA512
f1679b54e812cc9536970acd0620722419302841ba2f0974d327f699c8ed7949f1d7838eb552584dbb5ef58be787b7f4b25590f895e18ff8b4000ec9d8f5b6d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bc395f7ec0d8a1f1e68319520b1d79b6

SHA1
cc8441c8d725066d457cc4253c1a43317ab38440

SHA256
c0462a2ded986ec97efb63c383f1672422983d2ad61af04e0c78525f4d85a8b7

SHA512
7badf8ce9f0908df5fc4b244d4e548e5bf4bd816945234d028efdc414a2444c322c0e7e5e660903f45dc6cd4824a37eb0f1d841bb3e89b7545ae957ff1144c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1K1DJGNG\live.64ma[1].xml

Filesize
3KB

MD5
ffda861b67c4fae80f24a2f9957b8f09

SHA1
54986873fd4102384fe62e6366c2623783c47e63

SHA256
a764cade9696b72cdbec3b40819b2e2f624f41218f5bf374ec277239fd994e53

SHA512
280a54ecf5f2758097c369a952ddbaad3a7f84b5c9fbe62835decd690aeb6043bfdbf2f460ac9400c022878d683af09378fbc709e039cf8c66e588d7f97156bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31BF.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
7e632764879f2cfb7ef019bc75a1c7e1

SHA1
c1871d156d96d6145e3bea7ef1ca740c53a5c803

SHA256
285453be49d595873486e56d3ea4ebd6a6af34b5b57946fccbfe21a3a8ed0ead

SHA512
0a78e757d6850a075e5279e22fbed2d7169af3448901e5e4e85af3b681e5b29171033cdb346a6326586edb542c237108b925c628fa87fcc27ce0c415eca283c7

Download Submit
\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
384KB

MD5
70409f992136ef21a0e2d9394cf2dd21

SHA1
6e03e3eac1f0727058ed87d9741640750bd18152

SHA256
eed6789f0e8eaa8277fb5f98be24cabe782b7695597bb8d1fb9aa17d40b27b10

SHA512
91ec1a2cb885d57850cb09bb2f856d342dca35a9e87a1c3dbdbbfd8c2cc548c80c5b5b3973a5b507e498aadfeb1adda5e32ee051b0c0a923b1f2f9dff724ed41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads