Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 17:42

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Resource: win7-20231129-en
General
- Target: 2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Size: 284KB
- MD5: d7554de78f0ab89f10608a30f7bd2e6e
- SHA1: 719dd3575f1535f18a11aa5836c77e41e5d32c30
- SHA256: 1b9352c16a98c3dcf715b2eec06fd0320345c73fe00b2f842a9420856ddb31ed
- SHA512: 9b2b6b4ba640d67093b0d6873c5e4b014c3d3824e963744f8f00e43e1fa0766ba6845eb8eaf822a19087d96fb475b8a5cfb90886a9e32cf6804fb3985a3b4f40
- SSDEEP: 6144:9lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:9lDx7mlHZo7HoRv177ePH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 860   sethome3607.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2216  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
    pid 2216  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created                  \??\c:\windows\system\sethome3607.exe  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
    File opened for modification  \??\c:\windows\system\sethome3607.exe  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2216  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid 2216  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe (4 events)
    pid 860   sethome3607.exe (4 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2216 (2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe) wrote to memory of PID 860 (sethome3607.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe (PID 2216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: \??\c:\windows\system\sethome3607.exe (PID 860)
    Command line: c:\windows\system\sethome3607.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
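Detection logic for three of the behaviours recorded above (an executable written under c:\windows\system, the per-user Internet Explorer Start Page value being set, and a later process launch of a file the same run had dropped), run over Sysmon-style events. This is an added example, not part of the sandbox report: the events are constructed to mirror the report's IoCs (PIDs 2216 and 860, the sethome3607.exe path, the Start Page value), the field names follow Sysmon Event IDs 1, 11 and 13, and the benign installer events are invented to show a non-match.

```python
"""Detection logic for three behaviours in the report above, run over
constructed Sysmon-style events (Event ID 1 ProcessCreate, 11 FileCreate,
13 RegistryEvent value set). Added example: the events are made up to
mirror the report's IoCs and are not sandbox output."""
import re
from dataclasses import dataclass

# Sysmon reports HKU\<SID>\..., the sandbox reports \REGISTRY\USER\<SID>\...;
# accept both spellings of the per-user Internet Explorer Start Page value.
IE_START_PAGE_RE = re.compile(
    r"^(?:HKU|\\REGISTRY\\USER)\\S-1-5-21(?:-\d+){4}"
    r"\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page$",
    re.IGNORECASE,
)
# An executable written directly under c:\windows\system (not system32).
WINDOWS_SYSTEM_EXE_RE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) seen in the report and lower-case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events: list[dict]) -> list[Alert]:
    """Single pass over time-ordered events; remembers which PIDs dropped
    which executables so a later ProcessCreate of that file can be flagged."""
    alerts: list[Alert] = []
    dropped_by: dict[str, int] = {}  # normalized exe path -> PID that created it
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = normalize_path(ev["TargetFilename"])
            if WINDOWS_SYSTEM_EXE_RE.match(target):
                dropped_by[target] = ev["ProcessId"]
                alerts.append(Alert("drops_exe_in_windows_system", ev["ProcessId"], target))
        elif eid == 13:  # RegistryEvent (Value Set)
            if IE_START_PAGE_RE.match(ev["TargetObject"]):
                alerts.append(Alert("modifies_ie_start_page", ev["ProcessId"], ev["Details"]))
        elif eid == 1:  # ProcessCreate
            image = normalize_path(ev["Image"])
            if image in dropped_by:
                alerts.append(Alert("executes_dropped_exe", ev["ProcessId"],
                                    f"{image} (dropped by PID {dropped_by[image]})"))
    return alerts


# Values taken from the report; the event records themselves are constructed.
SID = "S-1-5-21-3470981204-343661084-3367201002-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe"


def sample_events() -> list[dict]:
    """Constructed events mirroring the report's IoCs, plus a benign installer (invented)."""
    return [
        {"EventID": 11, "ProcessId": 2216, "Image": SAMPLE,
         "TargetFilename": r"\??\c:\windows\system\sethome3607.exe"},
        {"EventID": 13, "ProcessId": 2216, "Image": SAMPLE,
         "TargetObject": "\\REGISTRY\\USER\\" + SID
                         + r"\Software\Microsoft\Internet Explorer\Main\Start Page",
         "Details": "http://www.baiduo.org/"},
        {"EventID": 1, "ProcessId": 860, "ParentProcessId": 2216,
         "Image": r"c:\windows\system\sethome3607.exe"},
        # Benign: a hypothetical installer writing and launching under Program Files.
        {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Temp\setup.exe",
         "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
        {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
         "Image": r"C:\Program Files\Vendor\app.exe"},
    ]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.rule:32} pid={a.pid:<5} {a.detail}")
```

The "executes dropped EXE" rule keys on the normalized file path rather than on the parent PID, so it also fires when a different process (a scheduled task, a service) later launches the dropped binary; the Start Page rule matches only the per-user hive because that is where the report shows the write.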
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
  Filesize: 1KB
  MD5: f962863cac8489bf5aa10943ecd0fdac
  SHA1: 252edfc87c2da0a557b08a4a219f18dcee89a8e1
  SHA256: 86e8cc27b632f5adc63699611a7d3b8c88ef98c288b5d08a510caf7f52c89250
  SHA512: b29b3b835f250675f5b23e3007c38f1176ac24d9b9f7b8f180a45818610533a69329a9cd997d6447b1193b11d680af1a9532d017b4a28904825333b374a29204
- (path not recorded in the report)
  Filesize: 1KB
  MD5: 102f629e4caf8de753ec23af0e040a97
  SHA1: fa557c3fe9a81ba35900dd21ff3933932da9d0c7
  SHA256: 31c51efb14908e32b73c4a2f97823f4eeb1ca85989c6219856266c401a7f352b
  SHA512: 2e9038eb7ae212d1f3b6a945327740fa2c3195ba36cf2697946e89c6649027f76e1ac134af8fe10a805231865896f0369c9676d04115c477cc2f2e6596f5fd38
- (path not recorded in the report)
  Filesize: 284KB (same size as the submitted sample, but the hashes differ)
  MD5: 8ade9479eea589e9f515d9cd25f3cdc6
  SHA1: f3991bcdbd61fe502f7302df7799cdf3732f3bbd
  SHA256: d46512488119f40eeafb6fe359749ff077139cb100aaff0d7ff2f1476540b133
  SHA512: a2cf31e66c2a01d29c29e046e5ff7121ecbae71a30dc58c14b74db072470b8308d7bb55106ee4a21afc37e7627d4ebb0aadfe590931555327bfff2c21eeb1ae2