1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee

General

Target

2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
Size

3.2MB
MD5

673ec9946966504e0d8d87cf8bf0fb15
SHA1

1348b01163e263e3c9aee874ca6cb94d85d3c855
SHA256

1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee
SHA512

9d51b5bcbd41d7bafb359b46bf203ff9dc5e5f128f5990e8afc362f7dd7b301769323b84744c84aa09f9ab3f1bbf69a89cc601ab5dfe5c62c0606c5f9b084429
SSDEEP

98304:84uTo0ZCKFwlCNZTOoqXAx88BqcVu1pggGsgBsCESpQ3v:84e7vNZTcAyhyyWgGppqv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2352	svchost.exe
2176	xzw.exe

Loads dropped DLL 3 IoCs

pid	Process
1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe
2352	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
2352	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2352	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	18
PID 1392 wrote to memory of 2352	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	18
PID 1392 wrote to memory of 2352	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	18
PID 1392 wrote to memory of 2352	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	18
PID 1392 wrote to memory of 2176	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	19
PID 1392 wrote to memory of 2176	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	19
PID 1392 wrote to memory of 2176	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	19
PID 1392 wrote to memory of 2176	1392	2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe	19

C:\Users\Admin\AppData\Local\Temp\2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-06_673ec9946966504e0d8d87cf8bf0fb15_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Users\Admin\AppData\Roaming\xzw.exe
  "C:\Users\Admin\AppData\Roaming\xzw.exe"
  2⤵
  - Executes dropped EXE
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
45KB

MD5
576fcd36485dda7d350a9743a4dd3fe6

SHA1
899bff896ccb8572b83904a22cb57ddbc9e28a0e

SHA256
1916bbcfeca6feea5147b0fb213a5342fb15c4d960f07ae70ad1a0656ad31d55

SHA512
18a1f85bcbd1472868eef3a2a74d3b0ef5ec0fbb751f9f6d594f31ce82c5ad425902034313a257ab9a8b8b0d40955d748d4db6c4418ed3e8b11f158b93f9fdf8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
105KB

MD5
193874bb98b83fa42731d228683c4b92

SHA1
5af40bd61c7e9da926519d7e64344b75db2bd779

SHA256
a7941a5bbedac45c82b726836d3265d1a5e8741ae2e5f780bd309eb7cd7766c5

SHA512
94a864cc90e09327d6a6a18021f56cc07db7fd07cde2b67a7e12adc84b4cd9029f7779c194fd58728c620fed30629193c57a48c2bc799bb07148a13c028d24e4

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
92KB

MD5
7516bee51d29447b9cc7d5a37065cb06

SHA1
ef605d450dd5ab9a6ba035928c82ab2e9c9dccca

SHA256
5fac2f0caf9b156b8ab03a45191c682e822c0076d1e1370c095e64c55c511708

SHA512
219249e8586bdd65f8e1ca79067f411c6384dc92629ab08869fd086f9a266ca8803c4091096243552b960a1041d110bf872e64eb9b0df08537f72d6fe8a63b07

Download Submit
C:\Users\Admin\AppData\Roaming\xzw.exe

Filesize
176KB

MD5
b5d4f38b11591e2b56825a1095123895

SHA1
a461450231e1b64ffd04b0649257491b14823b0e

SHA256
5d496fff1451c9c85bf3e8314555f60611b19be62b90de7da07b2d480012fbcd

SHA512
f8b61b21a45627a5404de7caec3d267d9e341c48d0cfe92b88634d85bfc70eafbf39ab34420eecc69e0ab425b4bba06cae73fdb1d1c93ff235b89524b04b2fd2

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
64KB

MD5
9afb40b7100dfea0e06f2fb92977c090

SHA1
7ff86bfc26eed22a51ac13e45617188d6abe3853

SHA256
75d780670f38ec019e1657fde4c014d83ae5a619f718769f98fdbc9d19d69c7c

SHA512
fa4bb1ba7cc189d2e434f16038a0a969f3f21957981efa2f9e18d8e0b0f165e8859072d0bb5dfb0b25ea9863d2054da2f0cb5389696042e0aaf4a22873084286

Download Submit
\Users\Admin\AppData\Roaming\xzw.exe

Filesize
77KB

MD5
92bdde8b1e46bf297b8688c63c2a9cb8

SHA1
2aa179848b5c68908a51cceb4903d84a009f469b

SHA256
21c5a7d0975437f9f53d61a4edef557d626e397254a8bee4f74c9f68edff4cad

SHA512
b475654c92ad8f56e115653f4b06928c83adf3b7fd63bf67f6bc8a0fb97c7fc467c980cc1ed9698b9b5614734a3fac184080db88625aa4240d6b0645dadcdb9b

Download Submit
\Users\Admin\AppData\Roaming\xzw.exe

Filesize
140KB

MD5
f31ab678ff4ee8d31cd9edb122a563a3

SHA1
fbafa87196c6942215ab5281202177b1b77e14f6

SHA256
92d3290ece73f6391809beb212b78c0bddcd3789572d19ae0122bce4b14de225

SHA512
68056172759166dd1bddcba77bd544c7afe5e1b31fe476a41d014750b719875231bf19631ff2636e0a1ad8c751eea10bc877764d518aa46e4d356945408a3e92

Download Submit
memory/1392-8-0x0000000003610000-0x00000000037DA000-memory.dmp

Filesize
1.8MB

Download
memory/1392-19-0x0000000003610000-0x000000000373B000-memory.dmp

Filesize
1.2MB

Download
memory/2176-20-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2176-21-0x0000000075C10000-0x0000000075C57000-memory.dmp

Filesize
284KB

Download
memory/2176-44-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2352-31-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-43-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-34-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-35-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-38-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-40-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-41-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-32-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-9-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-46-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-47-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-48-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-49-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2352-51-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing