Analysis Overview
SHA256
9d5530e0f6f0ab505d97cd6e85873203553dd0594ce9602b03e23dd62a87c725
Threat Level: Known bad
The file 2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid was found to be: Known bad.
Malicious Activity Summary
Kinsing
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-01-25 17:38 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-01-25 17:38 |
| Reported | 2024-01-25 17:41 |
| Platform | win7-20231215-en |
| Max time kernel | 119s |
| Max time network | 119s |
| Command Line | |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Panel\Autorun.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| File opened for modification | C:\Program Files\Panel\Autorun.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A |
| N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A |
| N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A |
| N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe" |
| C:\Program Files\Panel\Autorun.exe | "C:\Program Files\Panel\Autorun.exe" "33201" |
Network
Files
\Program Files\Panel\Autorun.exe
| Hash | Value |
| --- | --- |
| MD5 | 7a7ac635ee9e9d42bd1a0a8ed3228a02 |
| SHA1 | 061032c4a9ddb23feeb9a60d0487f1edd7c50a14 |
| SHA256 | 2f629d9c18dad0894034d337c499ca9c1946b0687db0dd3d14ae0fb5ce3d7007 |
| SHA512 | 28d9f4891146a2ded565e402e9d63af09325d2ed896d5457b20eb9a75a6d9c8e32cc394e0dca1b791ff9a3a02548e6f4a371046ca1c19b8fe2466cfec19b8774 |
C:\Program Files\Panel\Autorun.exe
| Hash | Value |
| --- | --- |
| MD5 | 1bb5d4406c8e6d50651ef254926196c4 |
| SHA1 | 3271472866a7432e4ad96d3d6d862a1abdaea35c |
| SHA256 | f9eb1a7892da587b0af95e6d9098eab8c30d97a20a65571b8b31a31882cd589b |
| SHA512 | 445d699cce1b1d8c23286dd8ad48f9c4ae47443fd75d5c23a71ec58f678a7b7269e7c00fa40f022deb89d5effd6b51afc12df59e5e0f8b2775236307c925922c |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-01-25 17:38 |
| Reported | 2024-01-25 17:41 |
| Platform | win10v2004-20231222-en |
| Max time kernel | 88s |
| Max time network | 149s |
| Command Line | |
Signatures
Kinsing
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Autorun\compact.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| File opened for modification | C:\Program Files\Autorun\compact.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A |
| N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A |
| N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A |
| N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4616 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | C:\Program Files\Autorun\compact.exe |
| PID 4616 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | C:\Program Files\Autorun\compact.exe |
| PID 4616 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | C:\Program Files\Autorun\compact.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe" |
| C:\Program Files\Autorun\compact.exe | "C:\Program Files\Autorun\compact.exe" "33201" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Program Files\Autorun\compact.exe
| Hash | Value |
| --- | --- |
| MD5 | 7872aa02192a2d998d3ea1e3b1adcaa6 |
| SHA1 | 901b87f39e11912bef405bde3c163b866d372267 |
| SHA256 | 72f3676de225f84a9739a8ddf403960ca1278e2c0c73b0155423461d3cd4ec52 |
| SHA512 | ab620508ec473267baf7d9dc188784205ef5f5557b4aac78ab04bfd51057b9d549b3a9ebfa5344188499c3ea9d0ec0cc01467f0dd3907a2c8379c7442c196f25 |