1cb8637bdfdd8e34766e190d437e0faf032e422daac831c60da51aa9b355b6bd

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
Size

735KB
MD5

76c0434129dea843bff45c52068cb38a
SHA1

2fbc2d88f33038ba941eb150fc3d8d0026ecd9b5
SHA256

1cb8637bdfdd8e34766e190d437e0faf032e422daac831c60da51aa9b355b6bd
SHA512

1555a6cf10bc18ff953300f203e44c1720f7fa1bf4fef5f0d67b8d197e334cf04e5cd97a9159df864c971e1ce441e2e4b03509ddb87c9207666f4893689ce249
SSDEEP

12288:hVn3OvVpoay/b227tMHn1obXHbGO9GCfqxv+T7y7+SHwRThQNSUf:hVqRc7tMH1uXaMT7E+SK8P

Score

9^/10

discovery

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023211-87.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	update_0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe

Executes dropped EXE 3 IoCs

pid	Process
4952	update_0.exe
1504	installhelper.exe
1976	installhelper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\VideoDownloaderUltimate.exe = "11001"	update_0.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	update_0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	update_0.exe
4952	update_0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3420	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
2972	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
2972	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2972	3420	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	85
PID 3420 wrote to memory of 2972	3420	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	85
PID 3420 wrote to memory of 2972	3420	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	85
PID 2972 wrote to memory of 4952	2972	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	88
PID 2972 wrote to memory of 4952	2972	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	88
PID 2972 wrote to memory of 4952	2972	2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe	88
PID 4952 wrote to memory of 1504	4952	update_0.exe	89
PID 4952 wrote to memory of 1504	4952	update_0.exe	89
PID 4952 wrote to memory of 1504	4952	update_0.exe	89
PID 4952 wrote to memory of 1976	4952	update_0.exe	94
PID 4952 wrote to memory of 1976	4952	update_0.exe	94
PID 4952 wrote to memory of 1976	4952	update_0.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-01_76c0434129dea843bff45c52068cb38a_icedid.exe" /watch
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\update_0.exe
    "C:\Users\Admin\AppData\Local\Temp\update_0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe
      "C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe" /watchPid=4952
      4⤵
      Executes dropped EXE
      PID:1504
  - - C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe
      "C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe" /downloadffmpeg
      4⤵
      Executes dropped EXE
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VideoDownloaderUltimateWinApp\VideoCaptureUltimate.exe

Filesize
543KB

MD5
32bf6ad4dbf95fa8483f08872d8dd04c

SHA1
4aa97445b85d58ab0b05cc0db217ecdb913c1ef0

SHA256
b5abe8d10e1a62093a7374eb5927c26786eb83480d5b1826db4edd7ff56f9e1d

SHA512
e3c9885e4dc0e0daa0013b2922bc4e92555620bdc88a68109fc539a73064a81db8e447f8311672aacf24220c35c27cb96405993bd6b7b0c8877f94be9e0ce735

Download Submit
C:\ProgramData\VideoDownloaderUltimateWinApp\VideoDownloaderUltimate.exe

Filesize
555KB

MD5
fefdbadd7f58899083bb163fd0002f8a

SHA1
31b8bde7107514cafdc4d57c72a52c4e49d293a5

SHA256
dffe5c68ca4c70f1f8ceeb6f193c5f5890814950f2521e4e55e973b351359688

SHA512
b037a10cb47662e16528244eb7b59b95b8077fe53ac7734c2bd4117212fa59de290c404bd29dd9ba1169c4d290bf84e64aa8eee7ae28885623f3edca1731ac2d

Download Submit
C:\ProgramData\VideoDownloaderUltimateWinApp\tools\ffmpeg.7z

Filesize
15.9MB

MD5
12f5e708dd833b51532a6be0ed22e50b

SHA1
25be34a84a8fdfab20f14545ef90bebb6d6de1b3

SHA256
0c7f864c653f06edf78a1f83ceaa86316056cadb4507ceb745a9ff03b804f2f9

SHA512
7b0bc2850c8cb280e13ec873d8bc4f3aeaa41386dc1f2c66606c4d5e7a7e9329b88af27d3a74f423b9b1814f80a363c5712475a9cf2369321210be5cb3bcc244

Download Submit
C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe

Filesize
786KB

MD5
f2e478471342012bacc14a5f9fb7efc5

SHA1
0399a24a166628136ad23542abe7148fb2f85a81

SHA256
1e37144c11b428e9d71dec81459b2def9159d01f7375cc2f118a16f49fcea957

SHA512
2fb81f0c4ca0a37e900fb744f9d735670c49da60f8ea78d28e845465fa7e694201ceb55ae89f9c2f9bf38f5c81916867ac641d90cfd693e67afab0b6f69427b7

Download Submit
C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe

Filesize
1.1MB

MD5
ab7130fbe22a1d54b1c40ce0eeb161e0

SHA1
f75ebff2dde1094b44dc5d5a2d8199d3ce03afd6

SHA256
d6112b5dda8b29520e66c550507be115299ecd82032ba1e257695621632898ab

SHA512
fbfab00378fc0162e5e9a1606373c8d5f94f1f096c67fc93298ba902ccc693e1636060c31c1f0d8497385b71209eacf377e51bdb3e6ae9a032a9598eb4789abe

Download Submit
C:\ProgramData\VideoDownloaderUltimateWinApp\tools\installhelper.exe

Filesize
628KB

MD5
b50daa5d0368dd3ce9a0bdb5a64b1fd3

SHA1
ede8fb38bc90bbd2f374df8bc8893ef861f69ba7

SHA256
cb4134241152c563bed14854f8d22d3181cc1086f1a8424efd59900b9b4b0d7c

SHA512
0c76ff54cfda61ca19f8dfb750fa8c49d9a51efd74256b7db3725af523f6661246396090e6615b7476f30dc72428228357fd09cc65dbdcbc3b6739bf9b530655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
48e408c459ee9068379fd44f27ceaf5f

SHA1
fd974db848a8b35bf6162b7719935b96cf4be804

SHA256
f46c5da04170c2cd094c14b99eaefa7b98716064d92f15de33c6b7e1655ce87a

SHA512
c424a47cc669bf6e2c567aa66c0aa0fa5e8710763f74d7ea85ca460b92b992c766cef7c44ffac5709e6fa304980770c7b80cd2ca45801b32aa3a9b46b931dfa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c1de9ee67bd7ac7a8b6e8b78da9e5c39

SHA1
8eb4a644402c7a20007984b3f0281e585f27454c

SHA256
c6fc18342acdaaa5016c32fe26c30a85de63bce9f04663cde049e8432581bf0a

SHA512
dbd6625b7137090d999929308ad79a6ae3ee532e72e67f812441358362ea92b9168a0180ade82f887532e1b0739b82079ac73dc43918184f8ce08dbb134c330b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54634578.log

Filesize
40B

MD5
85ab0fb99ee569fcc5bae67fde77b694

SHA1
78a87b7b7a088c4932ebd1c3f4d55347be07de72

SHA256
67f37beada98e4b69d27326f8d12f2c457a7c309cf6c8536e4e8b05aa749b61c

SHA512
e4e06c16f2ec22deb4fe919f88f6b9ff2699f418a41b00e35a46f147dfff4d9b210517f747f88683474f82b2b5ce6d006e17be42efb10b019daa8d83e844e42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_0.exe

Filesize
2.8MB

MD5
c3052f114b6d2bef1a21648f4a46d768

SHA1
19b1eacf4e74ac06b8ad76196120cd69ca307b4d

SHA256
3579b788a2c4022bffc5bb0021e776405a724d76502a15357fc866b43347ad26

SHA512
7830daba7988d1e9cecbd781c45c10941b513336fa82dc2a3cf030e6c62ebbdbd1099a271edb2134afc16b3f0f2dd119b3c9ca0300edfd9cd6abb09657a2e365

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_0.exe

Filesize
1.2MB

MD5
e1359a97c1be1644202ec4180e54e843

SHA1
a2af069262916da16a2d009a3af2b50e6ebb660d

SHA256
5fbb803f66caed5b7f64ece537890dd0f1df8ba4fa30c1ac624c996c93b21f4c

SHA512
cc2a21758e46bb68233e24ccf3fcf5ede3a51627211e714e0a34de1ba5cb0f388acee1d9c1fbb26eaa1468aea4b541e7a6ee4fe390b1391199cd67ae899db3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_0.exe

Filesize
1.4MB

MD5
0dd49fe6ab303f0840e562359452fae5

SHA1
c440cd2553d89056b008ec926a781a5856150b9e

SHA256
d228ab50718bd27aab8cb6092aa5cb4b485ba82728a92d9cdddb5c2d62d1b06a

SHA512
ff23a1aeaa96f0f0a8a45c692dd6b9b98f38c859aa5572be2bc3001cba457483d4572d8c9be97b73a92dd098054d30b24be3ed903e64d85345de5799e589da29

Download Submit