d3e4b0b7c96a4890bee894537aab2ad78b49b6b85a97246d4bf2537e21aa82d2

General

Target

2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
Size

43.8MB
MD5

1e439861e140f4250e4577294d287908
SHA1

9b3a24e45b04c82aef1b85085414b8d3302c1af1
SHA256

d3e4b0b7c96a4890bee894537aab2ad78b49b6b85a97246d4bf2537e21aa82d2
SHA512

2db9e062cd76d154a83d0e0141ec2706961594f7522730ac03b932df20b793cc10e41d718270c95921b4ff27f683c0703e5c2cfffbf939877071921ad7a5b3cc
SSDEEP

98304:aWopJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJM:7oM

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 12 IoCs

resource	yara_rule
behavioral1/memory/2208-4-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-6-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-7-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-9-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-11-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-10-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-12-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-19-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-37-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2680-39-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2680-41-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2680-45-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 2 IoCs

pid	Process
2544	fdlaunchersa.exe
2680	fdlaunchersa.exe

Loads dropped DLL 3 IoCs

pid	Process
2544	fdlaunchersa.exe
2544	fdlaunchersa.exe
2680	fdlaunchersa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 2544 set thread context of 2680	2544	fdlaunchersa.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 1932 wrote to memory of 2208	1932	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	28
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2544 wrote to memory of 2680	2544	fdlaunchersa.exe	30
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31
PID 2208 wrote to memory of 2832	2208	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\7820.vbs"
    3⤵
    PID:2832

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7820.vbs

Filesize
500B

MD5
d2d65dceaa8bafdd12665c28328133bb

SHA1
45e15ba7b83476dc698d447e4b0336ff364e6875

SHA256
0322aeec0edc22dd99855f8c8123ee903337d130a1de351805247416e7140cc3

SHA512
19d359fc65cfe024bfc6fca133d7a4695e3201665260e255b234aa9236e60885c2ecf3423c65c29fe7e5ce6d81a2bc66cff655a00fdd62bf0a418ae85814509d

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
4.1MB

MD5
9f09e022104442e9701ed853ef3a1b08

SHA1
8bd6ec9b1dc3517a6c23230ce3164ecaea4de473

SHA256
79bd6877771bf952ea1d3b583857786854dcda218656ffb148c43be5eb1340ef

SHA512
f1f4d2bf091368c0a123ef4c6f6ca235cd7dc1078b3fb1a1844f5771d28a5bf26f4573ecf7cb98cc4b40578b5fd9db386983fadbca36f71175d5be11277e4aa7

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
33.2MB

MD5
a167c588f1cc7acf5336f0f5e1b4cbf7

SHA1
29c44843341c05579d239f21acc2c8934ca4e66a

SHA256
90f77670ef4202f7e41de13d2b330ea3a0a20dc953fd274f632d5502cb6b7ca5

SHA512
ac82f5eb282fee705dfd64bee9c51aa7a3706c35c44a8625343aa4dfb6697af0a760b37964d8337f27675dc8635e6c7e7553770ed8d4d4c41ac4340740a49fe1

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
4.2MB

MD5
f4405b8ab16415ac36f96ed7e8945357

SHA1
1897d55cd246455b652f5534dcda70bdf4f0e747

SHA256
3caa26f200a5ff2d7fe4f39e0b4b0eac1b4644382898261bed626aefc1c2db24

SHA512
15398323cd282d53a8b362ea1b16635a836a84507931d2f9700fa2be46b3b2985d6344589c1151de6d36dcccdbc5c94c99020ed90fd5fe82c9a224e06e3b2ed2

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
31.8MB

MD5
713150012229d31f28ca23c61fbd77d8

SHA1
2a39018d6543b003b20a77d3189e4b6b5d1650ca

SHA256
68ce73b07fbe9a746fb85c1778a4862e92713604f7f78db26cca91cbcc27400c

SHA512
038bfb8d6285b85f15118b71e46109037663a04127c6648ac32fa4ee8040f14f4ea8caeaf9cef282a37d27599aae17209ddb511e0f042a0ee2d11ae89722eafa

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
7.2MB

MD5
ed202de8c024d1d516dec6b66ccee4bc

SHA1
1e0a104c0ff85868e8e04a8808dd20ab1a325a24

SHA256
73072582029b225f759f9a411e79c870dba3bc3c1982b6769922dd2768265549

SHA512
1c387c6d83bbc6f0e22422e74e3e2bc24e38a51460372f4c0c067838ab34455f61b4b7d19862c87dbaf8aede241a4b0f63ef11654417ad32bd40a66639a65d7a

Download Submit
\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
5.8MB

MD5
3f70ac18f3c4c8dea21a6fe97558d870

SHA1
ecb9cb19d557839a3a8c30ea18d326038c67d757

SHA256
0e322559bf6e75cd3f0d7eccb676f6cbfd7c24463866b793af3cd231c4d6986d

SHA512
7802be98b0513a2b6325c71c6d28bb06c10939ad7b1a830a0ac67bcc5e196ba97c56aa99f37eab3d97610ff0853ab8fe920340639d3350a62b74af917ed234de

Download Submit
memory/2208-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-36-0x0000000000420000-0x0000000000486000-memory.dmp

Filesize
408KB

Download
memory/2680-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing