704d27b07b4f97fc831c88d023bc29605bd24e80e216f8d86bdb6c703dbeaefa

General

Target

2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
Size

8.2MB
MD5

873536a64014e250e6df021f5303ed3d
SHA1

606a8e69eaa608dea7b2523594799358dbec3318
SHA256

704d27b07b4f97fc831c88d023bc29605bd24e80e216f8d86bdb6c703dbeaefa
SHA512

34e91680840214b61da11285dc13149aa5e4d702333393c4c7fdd8a2d9fe43412d9c8febd533912aabc5477c27633ae7d6deeb75cb8d4c7067085bc1ff5e4248
SSDEEP

196608:bQ8CI3RhWYLyXo6/8Ro6M8gFLOyomFHKnPMfUx+NcIOS:bEjQ+FZUkNcIj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

@AEEDF.tmp.exe2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exeWdExt.exe

pid process

2192 @AEEDF.tmp.exe
3068 2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
1160 WdExt.exe
Loads dropped DLL 7 IoCs

Processes:

explorer.exe@AEEDF.tmp.execmd.exeWdExt.exe

pid process

1944 explorer.exe
1944 explorer.exe
1944 explorer.exe
2192 @AEEDF.tmp.exe
1628 cmd.exe
1628 cmd.exe
1160 WdExt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

@AEEDF.tmp.exeWdExt.exe

pid process

2192 @AEEDF.tmp.exe
1160 WdExt.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe

pid process

3068 2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
3068 2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe

pid	process
2192	@AEEDF.tmp.exe
3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
1160	WdExt.exe

pid	process
1944	explorer.exe
1944	explorer.exe
1944	explorer.exe
2192	@AEEDF.tmp.exe
1628	cmd.exe
1628	cmd.exe
1160	WdExt.exe

pid	process
2192	@AEEDF.tmp.exe
1160	WdExt.exe

pid	process
3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exeexplorer.exe2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exenet.exe@AEEDF.tmp.execmd.exe

description	pid	process	target process
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 2152 wrote to memory of 1944	2152	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	explorer.exe
PID 1944 wrote to memory of 2192	1944	explorer.exe	@AEEDF.tmp.exe
PID 1944 wrote to memory of 2192	1944	explorer.exe	@AEEDF.tmp.exe
PID 1944 wrote to memory of 2192	1944	explorer.exe	@AEEDF.tmp.exe
PID 1944 wrote to memory of 2192	1944	explorer.exe	@AEEDF.tmp.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 1944 wrote to memory of 3068	1944	explorer.exe	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
PID 3068 wrote to memory of 2672	3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	net.exe
PID 3068 wrote to memory of 2672	3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	net.exe
PID 3068 wrote to memory of 2672	3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	net.exe
PID 3068 wrote to memory of 2672	3068	2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe	net.exe
PID 2672 wrote to memory of 2972	2672	net.exe	net1.exe
PID 2672 wrote to memory of 2972	2672	net.exe	net1.exe
PID 2672 wrote to memory of 2972	2672	net.exe	net1.exe
PID 2672 wrote to memory of 2972	2672	net.exe	net1.exe
PID 2192 wrote to memory of 1628	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1628	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1628	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1628	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1240	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1240	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1240	2192	@AEEDF.tmp.exe	cmd.exe
PID 2192 wrote to memory of 1240	2192	@AEEDF.tmp.exe	cmd.exe
PID 1628 wrote to memory of 1160	1628	cmd.exe	WdExt.exe
PID 1628 wrote to memory of 1160	1628	cmd.exe	WdExt.exe
PID 1628 wrote to memory of 1160	1628	cmd.exe	WdExt.exe
PID 1628 wrote to memory of 1160	1628	cmd.exe	WdExt.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\@AEEDF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AEEDF.tmp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
4⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start spooler
4⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start spooler
5⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@AEEDF.tmp.exe

Filesize
1.7MB

MD5
14a2e8591d4f03d3b6266fc678871c86

SHA1
547cbbb8092431e4c22611281cd4d715e21bb89b

SHA256
77db225957a11f50ed612a2bc1e8d1959def0c785a3d036ebbcdb6a0521e202c

SHA512
bab96112201a2a0b47aec6c87b0eaf703902a1fcb2cf045911c75c5b8456a89bf34bfc2a284fa1fb49630187db8c1efea8805c4018c663399bcaa27a71e66557

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11DC.tmp

Filesize
1.0MB

MD5
df2c63605573c2398d796370c11cb26c

SHA1
efba97e2184ba3941edb008fcc61d8873b2b1653

SHA256
07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

SHA512
d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
6b309e2237bc4742cf487df2c567dde8

SHA1
e16f4fccfb187bb23b03ccb1a7ab53c521f1e4fb

SHA256
602bb190f3bab2b897bd17b2bea439905e9ed6e0a030beb91e2923ab3701580c

SHA512
1a9c11c2fd568fe547788ba9811890529522be1196da4e9ef9f1707122250d2292b60b8d56f9a41c0d0e415c0c30d5872b546510a691576b41e271e864e27b25

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
194B

MD5
30f2974853d6ccd8f788f90bcc6fc777

SHA1
9d3ba2b7b902cd7f7fe53717e0e750312fac3866

SHA256
f6d6c91966a41d3cb304c81ea98eb1d0d385f03aedc3d80719108defb624fef4

SHA512
8b0dbf0dec9a66d3caf02134a528b9af36f18211ba36f7025bb93250dae02d47e88f5ca1d5e6d13053592d3e0faea22bf5edd1873320c293d1d687817d0cd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\2024-02-12_873536a64014e250e6df021f5303ed3d_icedid.exe

Filesize
6.5MB

MD5
430af32a256f6d309c23f009e9e5d09c

SHA1
54ec90b1d57892104b6f2ab112cc58a0950b352a

SHA256
6401a4eb147848a7026d968adbae5118c673917f2cfdc282eec32c76a129f565

SHA512
79b2bd0dbbe5291690875f25d1f8842ef6b784301b6571efb0e84748fb96cbc40358f14e432da5554faad6627ed06cce6572eeedeaa223acb653c8afeaba241c

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/2192-17-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing