4f1c38b4d34de60bc41fbebbbf3293a711b0d7f22e9ac239f3c50eb64a9e3d75

General

Target

2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
Size

43.7MB
MD5

e9d6ff7e1e524c254952f89ad3a84f5a
SHA1

e613a60114a7c84eb649e26e80a68c827f577c29
SHA256

4f1c38b4d34de60bc41fbebbbf3293a711b0d7f22e9ac239f3c50eb64a9e3d75
SHA512

31103c61fc70b23e1e2533a371257ce95d164426b3ed160fdba2bba6926d87615d0f442deed4e116ec677ad11a0ba03489c5653a5722f8daa5292eb2fc881942
SSDEEP

98304:uWoyJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJM:3oz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2816	fdlaunchersa.exe
3012	fdlaunchersa.exe

Loads dropped DLL 3 IoCs

pid	Process
2816	fdlaunchersa.exe
2816	fdlaunchersa.exe
3012	fdlaunchersa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2816 set thread context of 3012	2816	fdlaunchersa.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2176 wrote to memory of 2876	2176	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	25
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2816 wrote to memory of 3012	2816	fdlaunchersa.exe	30
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29
PID 2876 wrote to memory of 2668	2876	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\2500.vbs"
    3⤵
    - Deletes itself
    PID:2668

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2500.vbs

Filesize
500B

MD5
367f47abf715f5ddd418dfbb98671b2e

SHA1
6063eb1cb73e2e403e988549e5d9d7792b54701b

SHA256
478c18f2b226ea67a05632f5b986225969a933f3b4fea269a692550ddd811b91

SHA512
6df234db352d9121e32a0182d8b67e0613e5d8748554a6c295845aee6702c4f216d2e99422d04543ca532f512e954a41ec3cf4773e88fe985d566b8664f9c84a

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
25KB

MD5
b8cc2bb1904a9597e257630e6bb266a4

SHA1
654fdc1df0bd5207ff88912d06ff3ca2919002c7

SHA256
11ad0adb3126d5170ad1194a229cef5fc597eaba827dbfa329784432d8b0ec07

SHA512
b1996c47c88297045cb80fe41a9fc73eba23f27e36cf288e0e91d9d0b7ee4628850ece0f7dce15ed2fa7fd041b0df245e51c0fc957d9c4b2eb50a3723046ffa8

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
7KB

MD5
cb2eb4ae9a65924ab3b69ebcd63bf450

SHA1
ade0f54522d1aac1090d1ca32338551a6bf12f2f

SHA256
7053cab65dcb429e670d10f1637905a12775019e88532d0f9d5cb0c696ddd364

SHA512
7dc77af1777f68259743b123e98f8ba4e0e6b988902a4889ad47f1b1ff66772673684a08a4a032ae4b9bb882b8358c5bba2f9073b69e7d4a0cb6613169324d45

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
7KB

MD5
c82abace7e77be132e4059f96099a5bb

SHA1
d82e95093ca57228ae71d524760cdda49e37ec7c

SHA256
1c838789c59cc594f720cf7e54d0cc4b1bcd7a6257a82c6cb5ef8e833224584c

SHA512
1e1d746c30e297989db1e0df409caebcf28909a4dfef5395c0e3597ed32b72360673fea36a6ef1e6df69b828b19537fd3e1965f704f99d5175bbf2cd075c786a

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
17KB

MD5
c61479369d5715dbbd8fc5d8dc52332b

SHA1
10efbb2e2a7b3326f270f3f920431ce7da163e5f

SHA256
2876aeff4f24f356de0539f413e88a993b08659be1ee799bfc77a47c941e9d48

SHA512
b2b3006f0253ccdbb6e9919e2d72dc6e51b57bc38fe943ec99a955da765751e3d424114438ef873a2bfcfa04e368fcd2a13d7cea6fdbe3f1f4e71369ebb68f4c

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
37KB

MD5
045cfde4ec70802bdf9405352404c2f7

SHA1
7f25cb9b754fba54fb020c405af6afe4af018c23

SHA256
6b2271e87192c6ce4525e9790642d6ff484ef048def07e8597a3fec7abe8e783

SHA512
0e5b74ddf26c74e1eb45aefa55402daf8b53bc5a1fe5a9aa0ee40261bb5f612b8449756f34beef6543bf3d801b0c64b35e634986c9ff9e907ae6c764215bf661

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
13KB

MD5
11be961955be8799b86ab18d374dda47

SHA1
cbb1cc897ea67e6fadfe00ba8d1280f5bea3a9bc

SHA256
83348898e87bd0b72301f90e838a2f7ec9f3f96a84b7b934fd7eda3436d172d2

SHA512
6537d31766ca9142eb23d7f6b63302d7c383feb6e3a5796f390327ca8a51676e5953edabc821b3bf228e8e1dab04423d8670951b8cd29e7499a34e42ad402579

Download Submit
memory/2876-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-36-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/2876-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2876-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3012-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3012-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3012-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3012-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing