c570c0cbe07dcd23a0355b380cef39315d54f4297b04f2004ac2cacbd4b8438e

General

Target

2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
Size

451KB
MD5

0ca819729b2fa5bb78afe9c2a86db932
SHA1

a953793b902d874852808a1962d209458fd436c0
SHA256

c570c0cbe07dcd23a0355b380cef39315d54f4297b04f2004ac2cacbd4b8438e
SHA512

5cfd075c049b7389759b33d97c5e20771e495ef9601c040705c0042606c1cd6596e63094079004b3f7ee57531d75e11d963d67e4a0b3b7c56eb11442ad5065b8
SSDEEP

12288:GeDz6eYFlnCxjMyn72/KkAtydem3nM6Bi:lz6HcCikESnMAi

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 10 IoCs

resource	yara_rule
behavioral1/memory/2976-0-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3000-18-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000d00000001232b-15.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3048-19-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2976-11-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2832-27-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2832-25-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000a000000013a3f-28.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3048-29-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/3000-30-0x0000000000400000-0x0000000000414000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 3 IoCs

pid	Process
3000	MSWDM.EXE
3048	MSWDM.EXE
2832	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
File opened for modification	C:\Windows\dev8B8.tmp	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
File opened for modification	C:\Windows\dev8B8.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3000	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	28
PID 2976 wrote to memory of 3000	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	28
PID 2976 wrote to memory of 3000	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	28
PID 2976 wrote to memory of 3000	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	28
PID 2976 wrote to memory of 3048	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	29
PID 2976 wrote to memory of 3048	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	29
PID 2976 wrote to memory of 3048	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	29
PID 2976 wrote to memory of 3048	2976	2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe	29
PID 3048 wrote to memory of 2832	3048	MSWDM.EXE	30
PID 3048 wrote to memory of 2832	3048	MSWDM.EXE	30
PID 3048 wrote to memory of 2832	3048	MSWDM.EXE	30
PID 3048 wrote to memory of 2832	3048	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2976
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3000
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8B8.tmp!C:\Users\Admin\AppData\Local\Temp\2024-02-20_0ca819729b2fa5bb78afe9c2a86db932_icedid.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8B8.tmp!C:\Users\Admin\AppData\Local\Temp\2024-02-20_0CA819729B2FA5BB78AFE9C2A86DB932_ICEDID.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-02-20_0CA819729B2FA5BB78AFE9C2A86DB932_ICEDID.EXE

Filesize
451KB

MD5
7a57ad5ee5490cd9585ddebe2e1d54ae

SHA1
2e6bc5f99ba4b1e8efb5e9d87951fd4a1eaea0e6

SHA256
79bcca3cc7b45f65995ddeaa2953132512e4eea19846bba4cbab08c7188cee55

SHA512
62059b7867bed041b66e2f3926a1cf774fa1a29db5948512f55b04e6c6e19dec7eeab690151ca2621973f74e49aebd8a8a84efef7b450e5ab81825680a612d8b

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
e21a541344286e51592acce76b637e82

SHA1
30a6f6e590b946009d7221d4ffe27418c843e8da

SHA256
97aacb297c3340cdf0a9695fea697d8d8b32b100972ff3e71d1885432a376ca6

SHA512
6727954d470bf5e4274345235f18af714926bde575641dd5f0035363b3ff1030f95fc1d18caff2b64b165903ab139cf4a4325b6cf1ac2159030365ddc65a6145

Download Submit
C:\Windows\dev8B8.tmp

Filesize
413KB

MD5
4a143a48c4c617b2489a23ffa8f32987

SHA1
9b7fb5e1665216588c4abb378da2cf78d1955e3c

SHA256
e1ab536325edd0624e1f15ac00a08737aa5c32f4cc629f52e2a121f33e8b2aef

SHA512
941436ea1c73d6333868b8fa2ed24ef213e7b213a02701fa5e8f5202c57a5044ceb030a15ea31e1ba6b42bca642786c79bb667ff8218f2b75b400ad51ec6fe5a

Download Submit
memory/2832-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2832-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-17-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2976-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-13-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/3000-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3000-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3048-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3048-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads