ae4f4218c335c6566aee6608bd56c0e84a53d3a08beec5846d79cf0aad0784f6

General

Target

2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
Size

701KB
MD5

e9b22be94f71a738e1cff829700b8520
SHA1

3f5cf33e93c3dc7b18a69550f12b7b2888f64f9a
SHA256

ae4f4218c335c6566aee6608bd56c0e84a53d3a08beec5846d79cf0aad0784f6
SHA512

ae3041d0ecab807379f32533b98c5e835eb8a1683ea492504186c41ba78cc8e6a9c18bb2746c12335c74d75545ee781bcff0bc3ff688da8893a7b3019db79f2c
SSDEEP

12288:q7bSAcO9nmofU3f5JblvsXWhW3FPOlNTHlGvYPlP5IzC1fshUQCvLo2k:0HnmlJblvSdFP8THlhqe1kh7

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 12 IoCs

resource	yara_rule
behavioral1/memory/1312-4-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-7-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-6-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-9-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-11-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-10-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-12-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-35-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1312-36-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-38-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-40-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-44-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Deletes itself 1 IoCs

pid	Process
2860	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2836	fdlaunchersa.exe
2900	fdlaunchersa.exe

Loads dropped DLL 3 IoCs

pid	Process
2836	fdlaunchersa.exe
2836	fdlaunchersa.exe
2900	fdlaunchersa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2836 set thread context of 2900	2836	fdlaunchersa.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2088 wrote to memory of 1312	2088	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	28
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 2836 wrote to memory of 2900	2836	fdlaunchersa.exe	30
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31
PID 1312 wrote to memory of 2860	1312	2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\2024-02-03_e9b22be94f71a738e1cff829700b8520_icedid.exe
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\5549.vbs"
    3⤵
    - Deletes itself
    PID:2860

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5549.vbs

Filesize
500B

MD5
f08109a35419671850cdf957caa30fdc

SHA1
22567ecc476e94204ae90d1faed27f7440766230

SHA256
85cbfb08762f04d83f6edb59eda3f1f21ae21e1cf16d332c700f007808a9e1d7

SHA512
d8637d66d366b413934acf3809ab51a031dd0401e7872e62e6ed2f1939c4ceb60ce5f8d5c46fcbf1e471876226bbcbcb4b04013985f7544b94fb30ede15ee7aa

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
2.1MB

MD5
199a2b971a186ce29e4099fd7294c673

SHA1
d66ee4cd917ed173204b97cccea932669e8f9666

SHA256
c38d22e983e2656fa706c7fa03917e8e7599343e8f58bf11b4da97d3a2f5553d

SHA512
a85578d46276e91bd2deb2e569ff7aec623529a14f83f2b37041b47fda8a9d852bc7df5c818e58721cb084e1382a9bce717ff013223b09f17b7f0902c71ecc58

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
1.1MB

MD5
9c3bdbbd4f87c35a86e7d5cb46f818b8

SHA1
725076bd9f2063e3e3a4fddffce0c91826a1baa2

SHA256
69e474ea7eae5bc5eadf3827fc3e528ad32ceaec7dead996dea544902405bf78

SHA512
13be16e63a86d2cab10952e52684f1562e235350d97c1e7f1b9c72b571b292ed5b48fb7ed628749b2d1c4c3fabc671e27dcc32a742c2e60be7ae9ffe1e8a048f

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
842KB

MD5
ce1592347e0d6e0af78c6fc7023ef51d

SHA1
03009539cf48e4704a842b9a94d25fad3fa885ba

SHA256
1293031a80e9bb77bb6db13957c6982f5f6fe93e2bf5cb98c8a47463e67bec1f

SHA512
d0c9a9369276e4c96770a41738e5f27ad3c97850542b7ab084d93859adaeeb1fa9c341d104384299d274325c9ddb9a7c3f9b7f1906279b39e539dec5d982e2ff

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
660KB

MD5
a4ba931580d63803791a144f92f5d4ac

SHA1
53e03391c3ba99ae4e4b5c08765f3fbeb96627cf

SHA256
8777c95e0a4a710ca3d6831a58063c1bb98a0983bd5b22d7b47f01a6a5a5f4e5

SHA512
1eceec92c817d9e01147216a9056455cfbfec207aec52cf5fd3bbe240ad9edde61b75987e0c34e3f10edfb73e85d0d2a84760edd0e8eec7861a65de1399b25d3

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
671KB

MD5
eeb60a92c6ead9203b1255d659e1b1de

SHA1
0d6920f874ffed1239b8e42c0d993ffedbccb5a5

SHA256
6357091e2f398bcd9d897a9cc48691c987fd8a9c6f459e99024b0ab1dd76a309

SHA512
063fa06f638f73793a35a7695cc66ed039b7361f05ff2fbb3ad55e47768883ed7068b596d9634d9de989b1e77ddc643aee7324a82605302a84b2e855034ab1b7

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
769KB

MD5
616bc24cb2b394d5529e8344734f04c1

SHA1
8840f88ee4ab811341709f7ea4a7b2dd4db59ab0

SHA256
f0cc6031affef1f2f75c7ec4ea6cb39aff244ae706b9204500bc5240c737b0a0

SHA512
c9dcb7f6c99bc60d0e1fa76c101dde30831851ac4e6c7a807be5d2f04ef2e6e25d38b351969aedd3d6d65042af01cc478c15c2617b8dd50a690b50857ecb7167

Download Submit
memory/1312-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1312-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2900-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2900-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2900-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2900-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing