Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 17:42
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
Resource: win7-20231129-en
General
Target: 2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
Size: 284KB
MD5: d7554de78f0ab89f10608a30f7bd2e6e
SHA1: 719dd3575f1535f18a11aa5836c77e41e5d32c30
SHA256: 1b9352c16a98c3dcf715b2eec06fd0320345c73fe00b2f842a9420856ddb31ed
SHA512: 9b2b6b4ba640d67093b0d6873c5e4b014c3d3824e963744f8f00e43e1fa0766ba6845eb8eaf822a19087d96fb475b8a5cfb90886a9e32cf6804fb3985a3b4f40
SSDEEP: 6144:9lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:9lDx7mlHZo7HoRv177ePH
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
pid   process
2140  sethome7453.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Windows directory 2 IoCs
Processes:
description                    ioc                                     process
File created                   \??\c:\windows\system\sethome7453.exe  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
File opened for modification   \??\c:\windows\system\sethome7453.exe  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                process
Set value (str)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid   process
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
2140  sethome7453.exe
2140  sethome7453.exe
2140  sethome7453.exe
2140  sethome7453.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                    pid   process                                                  target process
PID 2348 wrote to memory of 2140  2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe  sethome7453.exe
PID 2348 wrote to memory of 2140  2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe  sethome7453.exe
PID 2348 wrote to memory of 2140  2348  2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe  sethome7453.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_d7554de78f0ab89f10608a30f7bd2e6e_icedid.exe"
   PID: 2348
   - Drops file in Windows directory
   - Modifies Internet Explorer start page
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\sethome7453.exe
      Command line: c:\windows\system\sethome7453.exe
      PID: 2140
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
Filesize: 1KB
MD5: 71b9524d8a13c39ccac5d199914ecbb9
SHA1: c30f59c559c29e9d99915f15bdc54f363bd5c122
SHA256: 881a06995cd6eca3bf8748c3a4d9c53affb2a5c5070ce3625aeb9950aa591b30
SHA512: 88ed6245c9be0f7715e8de7ea0b4d39ad369436417893a02a1af565ca796513ef93ae3a1c12060028d446692687cb7b115c76982d42d192344b5c7297318cf4e

Filesize: 1KB
MD5: 29c5d6f634b1be9b4e6f0ea49ed97af5
SHA1: 15feb056a84d6427d5617e87abc64b40282f736c
SHA256: 256587619cee8fc9fe5fa76e8dac0bf14c50ba98d64bcedcf971b99045f73b1f
SHA512: 441df58c778aed5929c3eb403b7b07acac6f7a110b666327c27f5b2a7b06696776e95321aee083cacefd08a668fecc82a9c86fac70d302467dedad2635f5feb4

Filesize: 284KB
MD5: c6cc7254ccd2e5ab51c21f357284ca11
SHA1: 1fceba7af6534a71c1fad8471316960dee1865da
SHA256: c8ea35c03c8cf72917130235344e192599d4d6aa61fae78470a892edda772043
SHA512: b62ff0c1eab20886c59457b19dfbe4e16314580bd9bb36e4ece228314ed21c9d4eabb7b4dc3b0836ff7a4317ac8baf65a055e01b8c9c01fc22e1a409443395be