a9abffbf7fac864c13075b75f52103d1e4bdb3d305fb1b227b9c053d36d49dca

General

Target

2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
Size

2.6MB
MD5

845f02489205ef95cc2f552402713c3d
SHA1

7536d6e888500cb305ffe09b049651a1bdfdceb9
SHA256

a9abffbf7fac864c13075b75f52103d1e4bdb3d305fb1b227b9c053d36d49dca
SHA512

474c1348f6ba1f402b57bef8a69f5d7294fc0548e76a35506ba25314394df1eb1989057d57784261019553927e18c7afc248f88219862a97a91ea8d5707e590a
SSDEEP

24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6L5:tl1vqjdPQRw/D4mizA0dizLrB51v4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000600000001e5df-2.dat	autoit_exe
behavioral2/files/0x000600000001e5df-3.dat	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
File created	C:\WINDOWS\Media\ActiveX.ocx	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
2996	64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2996	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	35
PID 2284 wrote to memory of 2996	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	35
PID 2284 wrote to memory of 2996	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	35
PID 2284 wrote to memory of 4356	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	102
PID 2284 wrote to memory of 4356	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	102
PID 2284 wrote to memory of 4356	2284	2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_845f02489205ef95cc2f552402713c3d_backswap_icedid.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe
  "C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2996
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
334KB

MD5
5739f6f54834e7fa1733420f9a0ba0af

SHA1
13ed0802919c126223c270fd7ec99ac263ef575b

SHA256
6affd1703ac69182dd51310e0cd111aab67a9c01da0f3099fe78c763861f8d37

SHA512
178c9cfa3600f64dbfb0f036dc9c5aadd2269eb348e2a31ff3b6ec8a15ab1c4b2ce6bcb1cb372159e553192f3d95b03e8e361d399123579ab5fbba3ebb2eed8a

Download Submit
C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe

Filesize
287KB

MD5
81a87ae1cb0b03e4573650bfaa9c108b

SHA1
c6e210dbef1610641bc84cedad20d223ee8525e4

SHA256
cd056cec66b26abefd5154ce7b7fcb5eb4f63b6bee837d036b1ec2797afebfb9

SHA512
80e20ae6868fc88e26e4687405c036776821c52862533b088c38022785628bbae15377eb4ab2840438c8a3506460170e26095793c1a3b977a66e084fd9172142

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
7e52c3ccf3ab977dd3812df45599f0d7

SHA1
21462e2b145f0d05364ad8c0845bb4a02c9ac0e5

SHA256
470dd78cb58c25d59d508ec6b6328104af76bcdcb5e83657bd69769798826a03

SHA512
42d59a27f66ec9fb70fea3d9005ed137989b0575c95c71935ce739b4bbbdf12d96c71ab0696c0b13af0746ab6812b354cef7cb1984a1572fbc6247cdcfb868c4

Download Submit

Analysis

Sharing