4f1c38b4d34de60bc41fbebbbf3293a711b0d7f22e9ac239f3c50eb64a9e3d75

General

Target

2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
Size

43.7MB
MD5

e9d6ff7e1e524c254952f89ad3a84f5a
SHA1

e613a60114a7c84eb649e26e80a68c827f577c29
SHA256

4f1c38b4d34de60bc41fbebbbf3293a711b0d7f22e9ac239f3c50eb64a9e3d75
SHA512

31103c61fc70b23e1e2533a371257ce95d164426b3ed160fdba2bba6926d87615d0f442deed4e116ec677ad11a0ba03489c5653a5722f8daa5292eb2fc881942
SSDEEP

98304:uWoyJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJM:3oz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Deletes itself 1 IoCs

pid	Process
1808	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3376	fdlaunchersa.exe
384	fdlaunchersa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 3376 set thread context of 384	3376	fdlaunchersa.exe	98

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
1592	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 1568 wrote to memory of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 1568 wrote to memory of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 1568 wrote to memory of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 1568 wrote to memory of 1592	1568	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	92
PID 3376 wrote to memory of 384	3376	fdlaunchersa.exe	98
PID 3376 wrote to memory of 384	3376	fdlaunchersa.exe	98
PID 3376 wrote to memory of 384	3376	fdlaunchersa.exe	98
PID 3376 wrote to memory of 384	3376	fdlaunchersa.exe	98
PID 3376 wrote to memory of 384	3376	fdlaunchersa.exe	98
PID 1592 wrote to memory of 1808	1592	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	99
PID 1592 wrote to memory of 1808	1592	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	99
PID 1592 wrote to memory of 1808	1592	2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\2024-01-08_e9d6ff7e1e524c254952f89ad3a84f5a_icedid.exe
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\7794.vbs"
    3⤵
    - Deletes itself
    PID:1808

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
  2⤵
  - Executes dropped EXE
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7794.vbs

Filesize
500B

MD5
367f47abf715f5ddd418dfbb98671b2e

SHA1
6063eb1cb73e2e403e988549e5d9d7792b54701b

SHA256
478c18f2b226ea67a05632f5b986225969a933f3b4fea269a692550ddd811b91

SHA512
6df234db352d9121e32a0182d8b67e0613e5d8748554a6c295845aee6702c4f216d2e99422d04543ca532f512e954a41ec3cf4773e88fe985d566b8664f9c84a

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
1.1MB

MD5
c9934843f200ab4df3352cfd469b1fcb

SHA1
43f40507302e9192d762f86440ac1038f92d28f7

SHA256
738ca974004c530e8e186005950bd69f0f332a0090e9cd8b5d3de31f2fef149f

SHA512
e52ff57fbde310ca2ff20840a7820022f98eabaf958af44b0a8033706057185fcd77f94e7796db8b70225b6b2ced97788a8c6713bfc465a46edb9adad03631b2

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
473KB

MD5
c77056cd2cb673e03ba4ad25e9a22994

SHA1
80f6a22f19fdf6ae8f546e53cbe8b3b46bf39b7b

SHA256
5191a03c383dff54a08395a25ca2c4d003dcdc62cf72822361499cc36d3a309d

SHA512
2f2bc8bd7978dfc6c0e0091f0b4b94de8c3b8ab7b82e3634a6d199961201578d77e5f2a88cc4037d711b09dfe352333a240c305a0693d386e40b97965e71502f

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
1.2MB

MD5
571640a14801954fc5353ee98edb3e41

SHA1
7708a5d23ce28b7b70eae72c0dd427957309d23b

SHA256
3d323c9eda75973b17c9d0bd91a381af9254c81a2f06d45bf2887262170c2be1

SHA512
57299ae74d14cb24147f522248229f1440c0ebc1e03f1fd679dbb8e91ac1a0bc4b6d8ebeffa9d717193d39f6173a42ceabb1d65643158ec7ebefdda9ac482a3f

Download Submit
memory/384-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/384-27-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/384-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/384-33-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1592-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing