fcd959776cf1c7b86e31ac27b6bc9156f062371534fe2e7507182ae1e862da6d

General

Target

2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
Size

1.9MB
MD5

b3e86c1f0cd4d3c80b6358ba5d04a4fc
SHA1

31792f3ad45d997a4f75f53f735077cc47067c9c
SHA256

fcd959776cf1c7b86e31ac27b6bc9156f062371534fe2e7507182ae1e862da6d
SHA512

0210447bcb0dd2a77241feab6c79f82ecc127680707105b4fef0031edccf465ed7a2d14253e2feab171a5904080a196c0588c00ee172d51716cfd298a2908edf
SSDEEP

24576:bvnizplWJhtl3hUt0oOYSzfwi2p/xdHATun37YWX4+33IQkQrEH7Y7:biglPTD2p/gTunLrIM

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012248-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0008000000012248-1.dat	upx
behavioral1/memory/2040-37-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2040-43-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2580	2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe	29
PID 2040 wrote to memory of 2580	2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe	29
PID 2040 wrote to memory of 2580	2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe	29
PID 2040 wrote to memory of 2580	2040	2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_b3e86c1f0cd4d3c80b6358ba5d04a4fc_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2040.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2040.log

Filesize
1020B

MD5
4b688abda9e171ecd8c1b6e701c2ddc5

SHA1
a13fa88144f0b8e994e26d39849e39829a314dca

SHA256
dd901c28d1ede23f17fae7d45bb16cd45da5931ee40e998f097a06a59fd83ffa

SHA512
cfb52b36ebec24919e6990e8ff6a8dfbc018a39631d7d431cde2289c5d1fca1b8e3b39b934dbd7fe8e3fe54b76da96deca6b15b58672ed6e829c10cd7291368b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2040.log

Filesize
661B

MD5
75d75ca8030f89ce67c55f6923863ceb

SHA1
9ff00914de259fc082889e8e23619215a330d622

SHA256
d1d51a5745945183ac648fa5ed855bedc5b5a0aa6bd6b04b23fd0d6e5b99ae66

SHA512
2908be2ec0ff3ffc8823ae5f02d521716e9fabdba21eaeec23bfad0389394ccb452cef6608b216fc62d26eb4322387a01b009417fd3070be525e8d58f2d57c0c

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2040-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2040-17-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2040-37-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2040-43-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2040-44-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing