66595eae923deb9dc4cd623bd7f35f405b668b5ef7c64d57ad783dbcca20a214

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 12:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
Size

284KB
MD5

7f929f3dce90ec658201b61895e72038
SHA1

dc93134fd36c2499a59bcca2daf7b638d3c3b749
SHA256

66595eae923deb9dc4cd623bd7f35f405b668b5ef7c64d57ad783dbcca20a214
SHA512

e31876bdf998a3f45a65eabe5f3231ad567a4eb0dc089ecd3cdc98df11df22bf33855f463e11dbfa69e02a032b1f3d72964c1bc438482d968f24518d32d1c073
SSDEEP

6144:SlDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:SlDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4212	sethome7937.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system\sethome7937.exe	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
File opened for modification	\??\c:\windows\system\sethome7937.exe	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
4212	sethome7937.exe
4212	sethome7937.exe
4212	sethome7937.exe
4212	sethome7937.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4212	3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	94
PID 3268 wrote to memory of 4212	3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	94
PID 3268 wrote to memory of 4212	3268	2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268
- \??\c:\windows\system\sethome7937.exe
  c:\windows\system\sethome7937.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4212

Network

DNS

1235633.3322.org

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

Remote address:

8.8.8.8:53

Request

1235633.3322.org

IN A

Response

1235633.3322.org

IN A

59.42.71.178
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

153.141.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.141.79.40.in-addr.arpa

IN PTR

Response

59.42.71.178:80

1235633.3322.org

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

260 B
5
59.42.71.178:80

1235633.3322.org

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

260 B
5
59.42.71.178:80

1235633.3322.org

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

260 B
5
59.42.71.178:80

1235633.3322.org

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

260 B
5

8.8.8.8:53

1235633.3322.org

dns

2024-02-18_7f929f3dce90ec658201b61895e72038_icedid.exe

62 B
78 B
1
1

DNS Request

1235633.3322.org

DNS Response

59.42.71.178
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

153.141.79.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

153.141.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk

Filesize
1KB

MD5
a619ecceb8a33d8e27ae4de1777e63e6

SHA1
04c8d8273845f5ea3f360a94d280f616d95cabf3

SHA256
75e3997940ef06ef7199774756d0d2326b30f29c0a433c531f7367954e7dce31

SHA512
e73af2f6a6f509766b1cab80ed453c1475e888863328c321d79deaa3605a85f6fdfe8a925603bb799e215ed0c554870ef1ace28fd22defeb82093914f5305723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

Filesize
1KB

MD5
e62d8348f69bcfa2e7c7daa81d376414

SHA1
ee6675371c472f68508321e1753afb62e65357fa

SHA256
c0868945edd37f1c0f0b72fad03dc8e8480e768d7f215e18bb09ef07c68c1bdc

SHA512
d0b7c93dbfca8e805ab2f9d07c8c41269c1e424fd6facf3aa06a79d93ed3f4044448f2a67d52c6ea4bc8aebd2b5330fb73d99d9678f3fe8af9b64e3832187cab

Download Submit
C:\Windows\System\sethome7937.exe

Filesize
284KB

MD5
a88b43c8e377890459aabe8af33927af

SHA1
5a7e063ceeb54fee1212752da27bac5bdfb41747

SHA256
3c3a68aae071cd63679d277482d031d2ff6f76687072225aa678564605682917

SHA512
2ccea46d37aeff023a5c11d6495a321c62587781a560f3901cf40e47f4a8e9585586f78ab223c32e1bed06c400f3817e6ec02c00cf37413b81be31a9eb5df4fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.