70c3f67ea6d653a3fdd5bb8d2b7f4ba248fb186c2a34f42c38cdae350772afb9

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 07:45

Target

2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe
Size

278KB
MD5

9e01a8b41f34c390328bf60904a1a787
SHA1

5f0d8939085c3e32dbc2e7532c11b3c7d2bcdfdf
SHA256

70c3f67ea6d653a3fdd5bb8d2b7f4ba248fb186c2a34f42c38cdae350772afb9
SHA512

c341e1e3c09d3e24c05343d9f574b92834831139c0ea75ce3a1a78cbb6112a2e6bbe2e631fb5d5fd80c385042dbe352f544ed41e103ce43be751e37e55861d70
SSDEEP

3072:lxUm75Fku3eKeO213SJReOqdmErj+HyHnNVIPL/+ybbiW1u46Q7qV3lU8xM:fU8Dk11CJ1qDWUNVIT/bblS9x

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
5012	previous.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\instead\previous.exe	2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe
File opened for modification	C:\Program Files\instead\previous.exe	2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
860	4336	WerFault.exe	84
1076	4336	WerFault.exe	84

Suspicious use of SetWindowsHookEx 8 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 5012	4336	2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe	85
PID 4336 wrote to memory of 5012	4336	2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe	85
PID 4336 wrote to memory of 5012	4336	2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_9e01a8b41f34c390328bf60904a1a787_icedid.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files\instead\previous.exe
  "C:\Program Files\instead\previous.exe" "33201"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1052
  2⤵
  - Program crash
  PID:860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1060
  2⤵
  - Program crash
  PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4336 -ip 4336
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4336 -ip 4336
1⤵
PID:3276

C:\Program Files\instead\previous.exe

Filesize
278KB

MD5
24540eb3c5581dd9acbed5943253b329

SHA1
90dbaec2a7ae8af70a9cfbfa9a263c08da46a6da

SHA256
ba22c76be0844e670b908732b02b5935d5c25efd16a31063d21eb40e1fab6cae

SHA512
61c236a20e1c1dd557614e5e21e1563b009abfd22122aeb4968fe6a326edaa65299a09a899c29c6c4c3fac06dfc6e12254f3bc2cfeb97c376f6a6f7fcbeee91c

Download Submit