66595eae923deb9dc4cd623bd7f35f405b668b5ef7c64d57ad783dbcca20a214

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
Size

284KB
MD5

7f929f3dce90ec658201b61895e72038
SHA1

dc93134fd36c2499a59bcca2daf7b638d3c3b749
SHA256

66595eae923deb9dc4cd623bd7f35f405b668b5ef7c64d57ad783dbcca20a214
SHA512

e31876bdf998a3f45a65eabe5f3231ad567a4eb0dc089ecd3cdc98df11df22bf33855f463e11dbfa69e02a032b1f3d72964c1bc438482d968f24518d32d1c073
SSDEEP

6144:SlDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:SlDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	sethome3591.exe

Loads dropped DLL 2 IoCs

pid	Process
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\sethome3591.exe	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
File created	\??\c:\windows\system\sethome3591.exe	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
2808	sethome3591.exe
2808	sethome3591.exe
2808	sethome3591.exe
2808	sethome3591.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2808	1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	33
PID 1152 wrote to memory of 2808	1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	33
PID 1152 wrote to memory of 2808	1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	33
PID 1152 wrote to memory of 2808	1152	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- \??\c:\windows\system\sethome3591.exe
  c:\windows\system\sethome3591.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk

Filesize
965B

MD5
2583ac58ece26a3e823051196cca472f

SHA1
8dd1f653eee66deedbdbb33f07b1282a93735b6c

SHA256
68ea95fb45453a51a958fff5fa991895416903e950883746a04fcea169ef12c1

SHA512
21a07ba6fe4ca5e4d0ec7b94cbe0f713861eff7a5c02a72af0cc105129aa6812973a50fdb44c48d14792ea287c37628218ba71747e5ce0e68eec8bc852864324

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
d08bde17f00d7174861a08246edcdc14

SHA1
be4bfd8d6e61179c3c540a8817bb75d43614a1d9

SHA256
ffacba6cd77cd2aa4532f23bf25148c4f942a038946293444f28b57abc69113f

SHA512
ca2939cb3eff9adae45a63830ef8de1593632e6a1867eaf7ed39e5376c9bb3d8b617ab6de45bb47895b3331f2090ea070618b4d6ca846209e3ad66d11f698fb4

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
a52c727f356575486e4a3d671ee4372f

SHA1
a50eb9fef8a8e2089b681851a1fa43c11b614814

SHA256
11613024328f8c5455af58096e0323b6bae29932be0b731018a7a7f6ba6f833e

SHA512
34a60ebcdaf53c5cfca8e2db9d4a4d5bfcf5ef32175664dba056c8b5c3b0e762795255b125484674e36a3a1a0b9877d4e70cc092edb69603ed86e4fd44edcd40

Download Submit
\Windows\system\sethome3591.exe

Filesize
284KB

MD5
7e7469f85c78f68a1148dc41949ab660

SHA1
3fbedef2f8101738838573bed8259f01b470d183

SHA256
53492ba0da15914831f06cf0807ef84069b5bde682ff0fe01a4ce2c1f7eb0dce

SHA512
b02f1788d4a11b56edcb7556820dc7a884b5a8eeb61336c92752d4f1728743d11edfe283c3f47f3ab14c2a65219f9ce6ec229e90d2f3ab2225adf2929b5e2ff3

Download Submit