Analysis
- max time kernel: 105s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 17:46

Static task: static1
Behavioral task: behavioral1
- Sample: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
- Resource: win7-20231215-en
General
- Target: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
- Size: 284KB
- MD5: a9820e14c6ee34f91528d212fc017761
- SHA1: d650db5f781c5e1912ba825f5f3e76b1c38a2219
- SHA256: 5035868c21ba7907c80da9b0b2040378b0f38fc9147cc7fbcc48971e73a02d90
- SHA512: 07c294e7eca1103f5490a36eed27600cd7e66ec9e2a4b1e28f1785cbb79fd5d338ca7267f4901a2fc751166b4dcfff065c3b26387cccfa07fe03b4850c59ae12
- SSDEEP: 6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 3952: sethome4984.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Windows directory (2 IoCs)
  Processes (2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe):
  - File opened for modification: \??\c:\windows\system\sethome4984.exe
  - File created: \??\c:\windows\system\sethome4984.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Processes (2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid 3924: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe (2 entries)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
  - pid 3924: 2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe (4 entries)
  - pid 3952: sethome4984.exe (4 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 3924 (2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe) wrote to memory of PID 3952 (sethome4984.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_a9820e14c6ee34f91528d212fc017761_icedid.exe"
  PID: 3924
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: \??\c:\windows\system\sethome4984.exe
    Command line: c:\windows\system\sethome4984.exe
    PID: 3952
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
  Filesize: 1KB
- (no path recorded)
  Filesize: 1KB
- (no path recorded)
  Filesize: 169KB
- (no path recorded)
  Filesize: 284KB