Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
Size: 1.8MB
MD5: 49c5944b6479ea290b5d2e85942675c7
SHA1: 66a6165c74006a0f1016b86376e3c0025309c913
SHA256: c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718
SHA512: 63293b50bfd9431c4cf879662bee1ab0c61389608371e9a16e62ac3a2d75d63b67af4cddf02fa20d05f1eb44b4699cff56d6360d9a17b992d3dff7ad3c91cc3d
SSDEEP: 49152:OFNTtN/qP3DDTE8OdM18TjFJspDLoVMgdkk:OF/NSP3DKdM1SFJspDLOMgdP
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  320   @AE122A.tmp.exe
  2364  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  2824  WdExt.exe

- Loads dropped DLL (7 IoCs)
  pid   Process
  2336  explorer.exe
  2336  explorer.exe
  2336  explorer.exe
  320   @AE122A.tmp.exe
  2820  cmd.exe
  2820  cmd.exe
  2824  WdExt.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  320   @AE122A.tmp.exe
  2824  WdExt.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2364  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2364  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  2364  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

- Suspicious use of WriteProcessMemory (26 IoCs; identical entries grouped, count in last column)
  description                       pid   Process                                                  procid_target  entries
  PID 1512 wrote to memory of 2336  1512  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe  28             6
  PID 2336 wrote to memory of 320   2336  explorer.exe                                             29             4
  PID 2336 wrote to memory of 2364  2336  explorer.exe                                             30             4
  PID 320 wrote to memory of 2820   320   @AE122A.tmp.exe                                          31             4
  PID 320 wrote to memory of 1764   320   @AE122A.tmp.exe                                          33             4
  PID 2820 wrote to memory of 2824  2820  cmd.exe                                                  35             4
Processes (numbers give the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
   PID: 1512
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      PID: 2336
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe"
         PID: 320
         Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
            PID: 2820
            Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
               PID: 2824
               Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
            PID: 1764

      3. C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
         PID: 2364
         Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 849KB
  MD5: 5fa459f72469b2aa0275c91b56757dde
  SHA1: 6c55be0c1224528097519fd988a1e5b402092c8a
  SHA256: 85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad
  SHA512: 1b8f067f515498ca4422ed6e66145f8959209428b32b843ee01d92ceed15bc07789d71107e47898a78315843407286ad55da688822510b2549ebbf090b74371f

- Filesize: 959KB
  MD5: 2a95ce552bc4a072f150010f24954278
  SHA1: 39e2ee745709c5978dc9b3e9c4ceb21dbb90a29e
  SHA256: b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47
  SHA512: 3a54baa6c56fba65267fd2953277d247717cd39bc15deb56eb9e01382b84d631bb76af69304797cc286ea7b1c2d6971254def6fdc071320cfd5edd0843f2079d

- Filesize: 121KB
  MD5: 864484e1394eaaa2e9a8a63f01c97be0
  SHA1: d02a92d866232f22a8477ab99e6d27354fa310f2
  SHA256: e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0
  SHA512: 16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c

- Filesize: 960KB
  MD5: 9a5149b03c703767df223ca5d93a5115
  SHA1: b93beb97fb718be99fd522009c039a4a9e81cb92
  SHA256: 93e2cbdd349e73c825714a9e00f9aa2bb05ca28c0699d3696da24002ceeef11b
  SHA512: 8131317ac5e28484ef879f566550717c9b3082285f7300e86eb9bbcccf1a151bb3202475b56b9442d79a7041d2f623d3916b98ba2e2cdc88a9b5eae994efd153

- Filesize: 105B
  MD5: 902a1098f800859502aec4eac3026495
  SHA1: a6b209e9aa15087670e830af5de8179b31abc897
  SHA256: ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd
  SHA512: cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

- Filesize: 196B
  MD5: 967c6e4fac3af1d7fea7f208ac75a724
  SHA1: 5d73713822d90c8984415831f5f4388bbd6a79dd
  SHA256: 3274702d4e952f42f61018bed22e034969eac1364c151bbc7fa8d0cbff38a3de
  SHA512: 1111b863cc2a349bdba8027e0c4dda2ce1c750dba86039a6c0d28b8bdc48a6984e322337e3c5d402651cf21640fdf8b25046e2d4ff984b3a161428227cf19035

- Filesize: 202KB
  MD5: 7ff15a4f092cd4a96055ba69f903e3e9
  SHA1: a3d338a38c2b92f95129814973f59446668402a8
  SHA256: 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
  SHA512: 4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae