f574f42aab3c9986f192fc75a434361e510f79ea526c08b886fba1f6c1af7a71

General

Target

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
Size

1.4MB
MD5

cceddb47dad13963ae2d664109b3f784
SHA1

50e90f05c5d3da8d68a5b0e3749d3bf6068033d7
SHA256

f574f42aab3c9986f192fc75a434361e510f79ea526c08b886fba1f6c1af7a71
SHA512

a149ac7ed4ff4a6d77fe476be860c15c923e09ec078d8f96c0f9a4f9300d01b2f1ad136c112db1bcfac834c02e66999b29ea0cf318d8c32644f6c519d541e513
SSDEEP

24576:QDhCfuvRglazfWGhJtex/BQOi0jamJuwCTkfM2tqnq+:2hCftazfWoJtexpQn0jawHScMC+

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

4CC9.tmp

pid process

2336 4CC9.tmp
Loads dropped DLL 2 IoCs

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

pid process

1720 2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
1720 2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2336	4CC9.tmp

pid	process
1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Drops file in System32 directory 64 IoCs

Processes:

4CC9.tmp

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	4CC9.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\explorer.exe	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\regedit.exe	4CC9.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	4CC9.tmp
File created	C:\Windows\SysWOW64\ir32_32.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msexcl40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	4CC9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	4CC9.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	4CC9.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	4CC9.tmp

Drops file in Program Files directory 64 IoCs

Processes:

4CC9.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	4CC9.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDS.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OARTCONV.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MSGR3FR.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnvpxy.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INLAUNCH.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TaxonomyControl.dll	4CC9.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	4CC9.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Synchronization.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\MSCONV97.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFOWC.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WWLIB.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	4CC9.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONMAIN.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SSGEN.DLL	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	4CC9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	4CC9.tmp

Drops file in Windows directory 48 IoCs

Processes:

4CC9.tmp

description	ioc	process
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonExt.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\sqmapi.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AdoNetDiag.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	4CC9.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_x86	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfdll.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsecimpl.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Thunk.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll	4CC9.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounter.dll	4CC9.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.OracleClient.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupEngine.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUi.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MmcAspExt.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll	4CC9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll	4CC9.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll	4CC9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

pid process

1720 2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

pid	process
1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	pid	process	target process
PID 1720 wrote to memory of 2336	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	4CC9.tmp
PID 1720 wrote to memory of 2336	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	4CC9.tmp
PID 1720 wrote to memory of 2336	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	4CC9.tmp
PID 1720 wrote to memory of 2336	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	4CC9.tmp
PID 1720 wrote to memory of 1496	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 1720 wrote to memory of 1496	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 1720 wrote to memory of 1496	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 1720 wrote to memory of 1496	1720	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\4CC9.tmp
C:\Users\Admin\AppData\Local\Temp\4CC9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2336

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
2⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4CC9.tmp

Filesize
64KB

MD5
f46f842765ca73ba39616a77f0206606

SHA1
64a97fc2cf6b8061a9420a87c0f8a988fc8b9d32

SHA256
4018d672b148c0f57a33a6282949241d56e0e416d60d38c78cb17381765e29ca

SHA512
f77d97a192626f754bc8c902cec6df841dc0775338bd8bc49b8c4a863e56fc9208981708e39397fdc83f62efa3586101ad1c5c4ec3cd94a1d117170c20588b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
848B

MD5
2b11b032d5af4920c4973edc436ea93d

SHA1
4aa8d79696478d20e7837dc6a0fb63338b222e88

SHA256
5208c10fcf325adf921721d4e36f71393a180a51efb6d4cc50e7eef2573ce449

SHA512
648beaf6065a5e937c9a5fd7b34ef0fb4daba79a967183244cbe8321e1402f1dbeee6ac4916184b3d6b130cc40aa881a6e6c81ee9bc08db7a162c7fbfb539065

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
64KB

MD5
083c891abc563301a8fb52bb8706a403

SHA1
ad38dba313710cbf9cf63b9adee96deaa264d308

SHA256
44742cab8f45a9ae37fa70e1e350839ca29881ab8e0cde0624ccd6ad662e408d

SHA512
1fefaeaffdffc791dd70c19629b3d57e07dcc08e9a359b13684083b05d7df5e2d944222d86e1964025b226239cfa17e7247399038c4f4ccae81acdd0f427f9eb

Download Submit
\Users\Admin\AppData\Local\Temp\4CC9.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1720-1-0x00000000008F0000-0x000000000093A000-memory.dmp

Filesize
296KB

Download
memory/1720-0-0x00000000008F0000-0x000000000093A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads