d3e4b0b7c96a4890bee894537aab2ad78b49b6b85a97246d4bf2537e21aa82d2

General

Target

2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
Size

43.8MB
MD5

1e439861e140f4250e4577294d287908
SHA1

9b3a24e45b04c82aef1b85085414b8d3302c1af1
SHA256

d3e4b0b7c96a4890bee894537aab2ad78b49b6b85a97246d4bf2537e21aa82d2
SHA512

2db9e062cd76d154a83d0e0141ec2706961594f7522730ac03b932df20b793cc10e41d718270c95921b4ff27f683c0703e5c2cfffbf939877071921ad7a5b3cc
SSDEEP

98304:aWopJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJM:7oM

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 10 IoCs

resource	yara_rule
behavioral2/memory/908-0-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-2-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-4-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-5-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-6-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-7-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/908-24-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1148-26-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1148-28-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1148-33-0x0000000000400000-0x000000000040F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Deletes itself 1 IoCs

pid	Process
1648	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3540	fdlaunchersa.exe
1148	fdlaunchersa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 3540 set thread context of 1148	3540	fdlaunchersa.exe	94

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
908	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
908	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 1812 wrote to memory of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 1812 wrote to memory of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 1812 wrote to memory of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 1812 wrote to memory of 908	1812	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	90
PID 3540 wrote to memory of 1148	3540	fdlaunchersa.exe	94
PID 3540 wrote to memory of 1148	3540	fdlaunchersa.exe	94
PID 3540 wrote to memory of 1148	3540	fdlaunchersa.exe	94
PID 3540 wrote to memory of 1148	3540	fdlaunchersa.exe	94
PID 3540 wrote to memory of 1148	3540	fdlaunchersa.exe	94
PID 908 wrote to memory of 1648	908	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	95
PID 908 wrote to memory of 1648	908	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	95
PID 908 wrote to memory of 1648	908	2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe	95

C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\2024-02-28_1e439861e140f4250e4577294d287908_icedid.exe
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\2724.vbs"
    3⤵
    - Deletes itself
    PID:1648

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe
  2⤵
  - Executes dropped EXE
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2724.vbs

Filesize
500B

MD5
d2d65dceaa8bafdd12665c28328133bb

SHA1
45e15ba7b83476dc698d447e4b0336ff364e6875

SHA256
0322aeec0edc22dd99855f8c8123ee903337d130a1de351805247416e7140cc3

SHA512
19d359fc65cfe024bfc6fca133d7a4695e3201665260e255b234aa9236e60885c2ecf3423c65c29fe7e5ce6d81a2bc66cff655a00fdd62bf0a418ae85814509d

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
9.8MB

MD5
c67d73a819e1d74845d297accf76641d

SHA1
d6f9cf7c2f3a89c71914f24ae99f02e55daa14a6

SHA256
f36bdede56e0c89270ab58d1aa7e194a6fd31a56637986ec36ba6d799fb53eba

SHA512
760c59d29f2f2881634a3f048989f1a0fb49bbbc5fcccac35f5202d13105b406670c93463530bea3e195196bdc03fff8a98d47fc227e93d1015d3f1db6cbeda6

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
8.5MB

MD5
3397e6a2925831c181780a708be58eaa

SHA1
451f494fd5725c608e8ccbf1e297aae8a7ba23eb

SHA256
2a1fae997d798c8e2e9c7b0fc0cd48e3c11491acc5d68f25ff1ef70bbf532626

SHA512
43f97f564e6b7a37a26e43d688a4763bd8113c953cd85790313ba9e18c0061a9fdf6c6ae672d718c01ad89b7b31f7dd682bc17c31b4a01fdfe0ebbb969108d51

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fdlaunchersa.exe

Filesize
5.1MB

MD5
651ef7bd5c46cb22201868cec4a54cb4

SHA1
b32bb1ae65082e73bcd3ede610dd101010afad14

SHA256
9a956e6fca176a7953ae797036a01eb7b2fd62b2be056a3e8a5b08603403aa38

SHA512
ecae80356cfbcdce3ef5d9123c33eff2a65c6df3f3627b647a1a49849f97904ca2505eb0e81b4ae57df14b71509c8db7c9461253a5c6556029a2669d88ecc017

Download Submit
memory/908-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-22-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/908-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/908-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1148-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1148-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1148-33-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing