Analysis
max time kernel: 127s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
Size: 1.8MB
MD5: 49c5944b6479ea290b5d2e85942675c7
SHA1: 66a6165c74006a0f1016b86376e3c0025309c913
SHA256: c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718
SHA512: 63293b50bfd9431c4cf879662bee1ab0c61389608371e9a16e62ac3a2d75d63b67af4cddf02fa20d05f1eb44b4699cff56d6360d9a17b992d3dff7ad3c91cc3d
SSDEEP: 49152:OFNTtN/qP3DDTE8OdM18TjFJspDLoVMgdkk:OF/NSP3DKdM1SFJspDLOMgdP
Malware Config
Signatures
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation   @AE4594.tmp.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation   WdExt.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation   module_launcher.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation   kb50145.exe

Executes dropped EXE (6 IoCs)
  pid   Process
  1840  @AE4594.tmp.exe
  2176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  1736  WdExt.exe
  4624  module_launcher.exe
  1380  kb50145.exe
  1412  injector_s.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1840  @AE4594.tmp.exe
  1736  WdExt.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""   module_launcher.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1840  @AE4594.tmp.exe
  1840  @AE4594.tmp.exe
  1736  WdExt.exe
  1736  WdExt.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  4624  module_launcher.exe
  1412  injector_s.exe
  1412  injector_s.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1412  injector_s.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
  2176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description                        pid   Process                                                   procid_target
  PID 4176 wrote to memory of 2920   4176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe   88
  PID 4176 wrote to memory of 2920   4176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe   88
  PID 4176 wrote to memory of 2920   4176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe   88
  PID 4176 wrote to memory of 2920   4176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe   88
  PID 4176 wrote to memory of 2920   4176  2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe   88
  PID 2920 wrote to memory of 1840   2920  explorer.exe                                              90
  PID 2920 wrote to memory of 1840   2920  explorer.exe                                              90
  PID 2920 wrote to memory of 1840   2920  explorer.exe                                              90
  PID 2920 wrote to memory of 2176   2920  explorer.exe                                              92
  PID 2920 wrote to memory of 2176   2920  explorer.exe                                              92
  PID 2920 wrote to memory of 2176   2920  explorer.exe                                              92
  PID 1840 wrote to memory of 3220   1840  @AE4594.tmp.exe                                           94
  PID 1840 wrote to memory of 3220   1840  @AE4594.tmp.exe                                           94
  PID 1840 wrote to memory of 3220   1840  @AE4594.tmp.exe                                           94
  PID 1840 wrote to memory of 2536   1840  @AE4594.tmp.exe                                           96
  PID 1840 wrote to memory of 2536   1840  @AE4594.tmp.exe                                           96
  PID 1840 wrote to memory of 2536   1840  @AE4594.tmp.exe                                           96
  PID 3220 wrote to memory of 1736   3220  cmd.exe                                                   98
  PID 3220 wrote to memory of 1736   3220  cmd.exe                                                   98
  PID 3220 wrote to memory of 1736   3220  cmd.exe                                                   98
  PID 1736 wrote to memory of 3080   1736  WdExt.exe                                                 99
  PID 1736 wrote to memory of 3080   1736  WdExt.exe                                                 99
  PID 1736 wrote to memory of 3080   1736  WdExt.exe                                                 99
  PID 3080 wrote to memory of 4624   3080  cmd.exe                                                   101
  PID 3080 wrote to memory of 4624   3080  cmd.exe                                                   101
  PID 3080 wrote to memory of 4624   3080  cmd.exe                                                   101
  PID 4624 wrote to memory of 3288   4624  module_launcher.exe                                       102
  PID 4624 wrote to memory of 3288   4624  module_launcher.exe                                       102
  PID 4624 wrote to memory of 3288   4624  module_launcher.exe                                       102
  PID 3288 wrote to memory of 1380   3288  cmd.exe                                                   104
  PID 3288 wrote to memory of 1380   3288  cmd.exe                                                   104
  PID 3288 wrote to memory of 1380   3288  cmd.exe                                                   104
  PID 1380 wrote to memory of 1412   1380  kb50145.exe                                               105
  PID 1380 wrote to memory of 1412   1380  kb50145.exe                                               105
  PID 1380 wrote to memory of 1412   1380  kb50145.exe                                               105
  PID 1380 wrote to memory of 4440   1380  kb50145.exe                                               106
  PID 1380 wrote to memory of 4440   1380  kb50145.exe                                               106
  PID 1380 wrote to memory of 4440   1380  kb50145.exe                                               106
  PID 1412 wrote to memory of 3536   1412  injector_s.exe                                            57
Processes
(process tree; each entry is indented under its parent process)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3536
  C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 4176
    C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      Signatures:
      - Suspicious use of WriteProcessMemory
      PID: 2920
      C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe"
        Signatures:
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1840
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          Signatures:
          - Suspicious use of WriteProcessMemory
          PID: 3220
          C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
            Signatures:
            - Checks computer location settings
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 1736
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              Signatures:
              - Suspicious use of WriteProcessMemory
              PID: 3080
              C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 1736
                Signatures:
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                PID: 4624
                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                  Signatures:
                  - Suspicious use of WriteProcessMemory
                  PID: 3288
                  C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
                    Signatures:
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of WriteProcessMemory
                    PID: 1380
                    C:\Users\Admin\AppData\Roaming\injector_s.exe
                      Command line: "C:\Users\Admin\AppData\Roaming\injector_s.exe"
                      Signatures:
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 1412
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
                      PID: 4440
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          PID: 2536
      C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
        Signatures:
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 2176
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 849KB
MD5: 5fa459f72469b2aa0275c91b56757dde
SHA1: 6c55be0c1224528097519fd988a1e5b402092c8a
SHA256: 85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad
SHA512: 1b8f067f515498ca4422ed6e66145f8959209428b32b843ee01d92ceed15bc07789d71107e47898a78315843407286ad55da688822510b2549ebbf090b74371f

Filesize: 959KB
MD5: 2a95ce552bc4a072f150010f24954278
SHA1: 39e2ee745709c5978dc9b3e9c4ceb21dbb90a29e
SHA256: b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47
SHA512: 3a54baa6c56fba65267fd2953277d247717cd39bc15deb56eb9e01382b84d631bb76af69304797cc286ea7b1c2d6971254def6fdc071320cfd5edd0843f2079d

Filesize: 44B
MD5: 804bb96081db73d249b1d21573d8ea59
SHA1: abf76e8d0702ce245bb7afbb513cdcc8bac6ab35
SHA256: b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5
SHA512: d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

Filesize: 619KB
MD5: 713537a3f79d36f0eaeaf8e8fba96322
SHA1: f03481707b940065e41ce008eda643eea78ffe40
SHA256: 5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950
SHA512: 0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3

Filesize: 76KB
MD5: ccf05ce9abe252cc7d68b2ff8ab6cfb7
SHA1: 8739e9e007b62d9434bd5d06d5d312d255496a00
SHA256: a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f
SHA512: e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

Filesize: 960KB
MD5: ff41dd9692f346480859d07f87f7a2c5
SHA1: 142607a69d29a91c3eedf01f6568c251c29c98f1
SHA256: 4ba92991a1d2766adfd09e7449adc4cb78454879a53b2d98791aab70eeaa1be1
SHA512: fe39e615d732e4652583a41725b07be675296f7257561869876d4f851e43fe4c1828eaf70ed76b94fcfcf4a24366d204e8c95f5d7a7eaaa31198b55e90f52a0f

Filesize: 76KB
MD5: 8bf335774fbb62bbe1de03921dfe047a
SHA1: 24fc750a20aebb52f23e84264d201f458106d95d
SHA256: 048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7
SHA512: aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Filesize: 172KB
MD5: 6ff3155e619e2c601db536c88741e094
SHA1: c71bfc0a9b11db33c801035e06d31a03e2901dd0
SHA256: b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1
SHA512: 8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Filesize: 105B
MD5: 902a1098f800859502aec4eac3026495
SHA1: a6b209e9aa15087670e830af5de8179b31abc897
SHA256: ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd
SHA512: cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Filesize: 196B
MD5: ea76e92bc178b934da0085ae56fac8fb
SHA1: 77e38ea7f93f5e50752a0a71b12066fbcaa16ee8
SHA256: 9a9b32ef84f90989f879733bd5b57c33269b5ec3d4d413200cb0fa59ea255caf
SHA512: c1cd5d5db1aa409705b3946d0ff83c3b3e9b36a2090af43028240ef5f8f89762b461bb708d38d13e43dcb06ebbf4a5fab47bbbc840d20b215b702270a18c5638

Filesize: 122B
MD5: b37090c9207307e2708db124ef72d1cb
SHA1: 1523d234c7c318069c3c563739504a4a66366f71
SHA256: 0fc913a1097d2ccebb0a47af0097625f0f9022af0b28e75853535b9ac386068a
SHA512: 85dad0669c87ae39c4f6cf6c1aa20d3de417fe7f9cb07a54968854808a0fdd8ad7e1a1a4ddcd77a73290d345a6be0f2f7a99786c9ef0dc5da66d26cbe675099a

Filesize: 107B
MD5: 85eb3280f9675f88d00040cbea92277f
SHA1: 2fece0a30b2153b4a9fee72fe5a637dee1967a2f
SHA256: bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b
SHA512: 2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Filesize: 388KB
MD5: 8d7db101a7211fe3309dc4dc8cf2dd0a
SHA1: 6c2781eadf53b3742d16dab2f164baf813f7ac85
SHA256: 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA512: 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Filesize: 188KB
MD5: 1d1491e1759c1e39bf99a5df90311db3
SHA1: 8bd6faed091bb00f879ef379715461130493e97f
SHA256: 22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778
SHA512: ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e