Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 17:46
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
  - Resource: win7-20231215-en
General
- Target: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
- Size: 284KB
- MD5: a9820e14c6ee34f91528d212fc017761
- SHA1: d650db5f781c5e1912ba825f5f3e76b1c38a2219
- SHA256: 5035868c21ba7907c80da9b0b2040378b0f38fc9147cc7fbcc48971e73a02d90
- SHA512: 07c294e7eca1103f5490a36eed27600cd7e66ec9e2a4b1e28f1785cbb79fd5d338ca7267f4901a2fc751166b4dcfff065c3b26387cccfa07fe03b4850c59ae12
- SSDEEP: 6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 2808: sethome1875.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  PID 2240: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: \??\c:\windows\system\sethome1875.exe (by 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe)
  File opened for modification: \??\c:\windows\system\sethome1875.exe (by 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" (by 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  PID 2240: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
  PID 2240: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe (4 entries)
  PID 2808: sethome1875.exe (4 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 2240 wrote to memory of PID 2808: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe -> sethome1875.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe"
  PID: 2240
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\sethome1875.exe
    Command line: c:\windows\system\sethome1875.exe
    PID: 2808
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 965B
  MD5: c5ef8bbe857325d43faaac3bac5457b0
  SHA1: 36b43f42d50b17f3ce5631980f1b6ca1c910b7c0
  SHA256: 2fa50d76f0239f04fb74f5b6f0f81dc4670ec28545224bb2a9bc69d08ae65ede
  SHA512: d6a90a1733ba27c213b3bb2000e18a275a10c83f4f1d6cfd3e4e8d6b8417c175589ca32896060f868fa013df928e9a7e75b94b0ce8986c1a8d3a72a5f463fe9d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
  Filesize: 1KB
  MD5: ec1e0992615d27af9d52c03dfc63cbb2
  SHA1: ab266de1a3cd14851f2eb1095864b4c431e78b7d
  SHA256: 7d38c5c42f47cf31a22c02241d0b21a4587a497fde57c573b6890b353a84af14
  SHA512: 66a01ae6dc5c3361bb946d0bcb138e3932aa9422d7e7c8fdf3234e64c8a40ef2a7da3ac5d80b94df096f368e339ab91d53befce0b8230c044ac16c67187bde2d
- Filesize: 1KB
  MD5: c61bad82010a1fe67bee2ec6f21d0820
  SHA1: 0904203bd633fc58c5afafc091b8994b5154bc50
  SHA256: 85832609a1c5b393ab7bb39829e55d06b7da42c3c82b1aa377c28319bf4ebb82
  SHA512: 0da2d2ba83c09d2db00a0b443c9f4c5fabdbb4cd1949ca926d21483eda891dca426eb685f709321f21e64c6067ed827cc0c190744d7d5140412f0c870c2257ad
- Filesize: 284KB
  MD5: 28d4937426884f0380f1bc30852720b3
  SHA1: c12db0da67438fcea6fe357d1d2876b5b8805794
  SHA256: 7ff2397655e3920869ceab2ea78556c9d5a59613434b30d9aa1577f6b4a65002
  SHA512: 291c5848cd5b83dc7b8cf8201af8cf25ba62174f649d5b376402acda6018e2500c5cdab4c532544b7f1ae612d3b4cec838dd3bdf789917ce9465ffc777c2883f