Analysis

  • max time kernel
    127s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02/03/2024, 23:25

General

  • Target

    2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

  • Size

    1.8MB

  • MD5

    49c5944b6479ea290b5d2e85942675c7

  • SHA1

    66a6165c74006a0f1016b86376e3c0025309c913

  • SHA256

    c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718

  • SHA512

    63293b50bfd9431c4cf879662bee1ab0c61389608371e9a16e62ac3a2d75d63b67af4cddf02fa20d05f1eb44b4699cff56d6360d9a17b992d3dff7ad3c91cc3d

  • SSDEEP

    49152:OFNTtN/qP3DDTE8OdM18TjFJspDLoVMgdkk:OF/NSP3DKdM1SFJspDLOMgdP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3220
              • C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
                "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3080
                  • C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
                    "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 1736
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:4624
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3288
                      • C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
                        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:1380
                        • C:\Users\Admin\AppData\Roaming\injector_s.exe
                          "C:\Users\Admin\AppData\Roaming\injector_s.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1412
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
                          11⤵
                            PID:4440
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
                5⤵
                  PID:2536
              • C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
                "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2176
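
The tree above is what the signature list summarises: a Temp executable starts the 32-bit explorer.exe and writes into it, that process drops @AE4594.tmp.exe, and from there each stage is cmd.exe running a .bat out of AppData\Roaming\Temp which launches the next executable from AppData\Roaming\Admin, with module_launcher.exe receiving the PID of its grandparent WdExt.exe on its command line. The following is an added example, not part of the report or any sandbox export: it encodes those relationships as rules and runs them over process-creation records constructed from the tree. The Sysmon Event ID 1 style field names are an assumption, and the notepad.exe record is a benign control that does not appear in the report.

```python
"""Rule logic for the execution chain in the Processes tree above, run over
process-creation records constructed from that tree (Sysmon Event ID 1 style
fields are an assumption; this is not the sandbox's export format)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged

U = r"C:\Users\Admin\AppData"
# Constructed from the report's tree (PIDs, images, command lines as listed there);
# the notepad.exe record is a benign control that is not in the report.
EVENTS = [
    ProcEvent(3536, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4176, 3536, U + r"\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe",
              '"' + U + r'\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"'),
    ProcEvent(2920, 4176, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    ProcEvent(1840, 2920, U + r"\Local\Temp\@AE4594.tmp.exe", '"' + U + r'\Local\Temp\@AE4594.tmp.exe"'),
    ProcEvent(3220, 1840, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + U + r'\Roaming\Temp\Admin0.bat" "'),
    ProcEvent(1736, 3220, U + r"\Roaming\Admin\WdExt.exe", '"' + U + r'\Roaming\Admin\WdExt.exe"'),
    ProcEvent(3080, 1736, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + U + r'\Roaming\Temp\Admin1.bat" "'),
    ProcEvent(4624, 3080, U + r"\Roaming\Admin\module_launcher.exe", '"' + U + r'\Roaming\Admin\module_launcher.exe" /i 1736'),
    ProcEvent(3288, 4624, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + U + r'\Roaming\Temp\Admin2.bat" "'),
    ProcEvent(1380, 3288, U + r"\Roaming\Admin\kb50145.exe", '"' + U + r'\Roaming\Admin\kb50145.exe"'),
    ProcEvent(1412, 1380, U + r"\Roaming\injector_s.exe", '"' + U + r'\Roaming\injector_s.exe"'),
    ProcEvent(4440, 1380, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + U + r'\Local\Temp\a0x.bat" "'
              + U + r'\Roaming\Admin\kb50145.exe" "' + U + r'\Local\Temp\a0x.bat""'),
    ProcEvent(5100, 3536, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

USER_TEMP = re.compile(r"\\AppData\\(?:Local|Roaming)\\Temp\\", re.I)
BAT_IN_TEMP = re.compile(r'\\AppData\\(?:Local|Roaming)\\Temp\\[^"]+\.bat\b', re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\(?:[^\\]+\\)?[^\\]+\.exe$", re.I)
STANDALONE_INT = re.compile(r"(?<!\S)\d+(?!\S)")  # whitespace-delimited integer tokens only

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Ancestor PIDs of pid, nearest first, following the ppid links we have."""
    out, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        out.append(ev.ppid)
        ev = by_pid[ev.ppid]
    return out

def rule_exe_from_user_temp(ev, by_pid):
    return bool(USER_TEMP.search(ev.image))

def rule_bat_from_appdata_temp(ev, by_pid):
    return basename(ev.image) == "cmd.exe" and bool(BAT_IN_TEMP.search(ev.cmdline))

def rule_exe_from_roaming_appdata(ev, by_pid):
    return bool(ROAMING_EXE.search(ev.image))

def rule_explorer_spawned_from_user_temp(ev, by_pid):
    # SysWOW64\explorer.exe started by a Temp executable: the staging step before WriteProcessMemory
    parent = by_pid.get(ev.ppid)
    return basename(ev.image) == "explorer.exe" and parent is not None and bool(USER_TEMP.search(parent.image))

def rule_ancestor_pid_on_cmdline(ev, by_pid):
    # module_launcher.exe /i 1736 is handed the PID of its grandparent WdExt.exe
    anc = set(ancestors(ev.pid, by_pid))
    return any(int(tok) in anc for tok in STANDALONE_INT.findall(ev.cmdline))

RULES = [
    ("exe_from_user_temp", rule_exe_from_user_temp),
    ("bat_from_appdata_temp", rule_bat_from_appdata_temp),
    ("exe_from_roaming_appdata", rule_exe_from_roaming_appdata),
    ("explorer_spawned_from_user_temp", rule_explorer_spawned_from_user_temp),
    ("ancestor_pid_on_cmdline", rule_ancestor_pid_on_cmdline),
]

def evaluate(events):
    """{pid: [rule names]} for every record that trips at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        names = [name for name, fn in RULES if fn(ev, by_pid)]
        if names:
            hits[ev.pid] = names
    return hits

def chain(pid, events):
    """Root-to-leaf image basenames, the way the report's tree reads."""
    by_pid = {ev.pid: ev for ev in events}
    return [basename(by_pid[p].image) for p in reversed([pid] + ancestors(pid, by_pid))]

if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, " > ".join(chain(pid, EVENTS)), names)
```

The ancestor-PID rule is the one worth keeping beyond this sample: a child being told a parent's or grandparent's PID on its command line is how loaders hand a target to an injector, and it needs no knowledge of the file names, which change between builds. The path rules are deliberately narrow to the locations this run used (AppData\Local\Temp, AppData\Roaming\Temp, AppData\Roaming\Admin); widen them to your own baseline of what cmd.exe legitimately runs from a user profile before deploying.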

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

                Filesize

                849KB

                MD5

                5fa459f72469b2aa0275c91b56757dde

                SHA1

                6c55be0c1224528097519fd988a1e5b402092c8a

                SHA256

                85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad

                SHA512

                1b8f067f515498ca4422ed6e66145f8959209428b32b843ee01d92ceed15bc07789d71107e47898a78315843407286ad55da688822510b2549ebbf090b74371f

              • C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe

                Filesize

                959KB

                MD5

                2a95ce552bc4a072f150010f24954278

                SHA1

                39e2ee745709c5978dc9b3e9c4ceb21dbb90a29e

                SHA256

                b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47

                SHA512

                3a54baa6c56fba65267fd2953277d247717cd39bc15deb56eb9e01382b84d631bb76af69304797cc286ea7b1c2d6971254def6fdc071320cfd5edd0843f2079d

              • C:\Users\Admin\AppData\Local\Temp\a0x.bat

                Filesize

                44B

                MD5

                804bb96081db73d249b1d21573d8ea59

                SHA1

                abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

                SHA256

                b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

                SHA512

                d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

              • C:\Users\Admin\AppData\Local\Temp\tmp4B13.tmp

                Filesize

                619KB

                MD5

                713537a3f79d36f0eaeaf8e8fba96322

                SHA1

                f03481707b940065e41ce008eda643eea78ffe40

                SHA256

                5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950

                SHA512

                0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3

              • C:\Users\Admin\AppData\Local\Temp\tmp4B46.tmp

                Filesize

                76KB

                MD5

                ccf05ce9abe252cc7d68b2ff8ab6cfb7

                SHA1

                8739e9e007b62d9434bd5d06d5d312d255496a00

                SHA256

                a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f

                SHA512

                e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

              • C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

                Filesize

                960KB

                MD5

                ff41dd9692f346480859d07f87f7a2c5

                SHA1

                142607a69d29a91c3eedf01f6568c251c29c98f1

                SHA256

                4ba92991a1d2766adfd09e7449adc4cb78454879a53b2d98791aab70eeaa1be1

                SHA512

                fe39e615d732e4652583a41725b07be675296f7257561869876d4f851e43fe4c1828eaf70ed76b94fcfcf4a24366d204e8c95f5d7a7eaaa31198b55e90f52a0f

              • C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe

                Filesize

                76KB

                MD5

                8bf335774fbb62bbe1de03921dfe047a

                SHA1

                24fc750a20aebb52f23e84264d201f458106d95d

                SHA256

                048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

                SHA512

                aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

              • C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

                Filesize

                172KB

                MD5

                6ff3155e619e2c601db536c88741e094

                SHA1

                c71bfc0a9b11db33c801035e06d31a03e2901dd0

                SHA256

                b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

                SHA512

                8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

              • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

                Filesize

                105B

                MD5

                902a1098f800859502aec4eac3026495

                SHA1

                a6b209e9aa15087670e830af5de8179b31abc897

                SHA256

                ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

                SHA512

                cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

              • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

                Filesize

                196B

                MD5

                ea76e92bc178b934da0085ae56fac8fb

                SHA1

                77e38ea7f93f5e50752a0a71b12066fbcaa16ee8

                SHA256

                9a9b32ef84f90989f879733bd5b57c33269b5ec3d4d413200cb0fa59ea255caf

                SHA512

                c1cd5d5db1aa409705b3946d0ff83c3b3e9b36a2090af43028240ef5f8f89762b461bb708d38d13e43dcb06ebbf4a5fab47bbbc840d20b215b702270a18c5638

              • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

                Filesize

                122B

                MD5

                b37090c9207307e2708db124ef72d1cb

                SHA1

                1523d234c7c318069c3c563739504a4a66366f71

                SHA256

                0fc913a1097d2ccebb0a47af0097625f0f9022af0b28e75853535b9ac386068a

                SHA512

                85dad0669c87ae39c4f6cf6c1aa20d3de417fe7f9cb07a54968854808a0fdd8ad7e1a1a4ddcd77a73290d345a6be0f2f7a99786c9ef0dc5da66d26cbe675099a

              • C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

                Filesize

                107B

                MD5

                85eb3280f9675f88d00040cbea92277f

                SHA1

                2fece0a30b2153b4a9fee72fe5a637dee1967a2f

                SHA256

                bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

                SHA512

                2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

              • C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

                Filesize

                388KB

                MD5

                8d7db101a7211fe3309dc4dc8cf2dd0a

                SHA1

                6c2781eadf53b3742d16dab2f164baf813f7ac85

                SHA256

                93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

                SHA512

                8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

              • C:\Users\Admin\AppData\Roaming\injector_s.exe

                Filesize

                188KB

                MD5

                1d1491e1759c1e39bf99a5df90311db3

                SHA1

                8bd6faed091bb00f879ef379715461130493e97f

                SHA256

                22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

                SHA512

                ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

              • memory/1840-13-0x0000000010000000-0x0000000010015000-memory.dmp

                Filesize

                84KB
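
To hunt for the dropped files on other hosts, here is an added example (my code, not the sandbox's; only the hash table is transcribed from the Downloads section above) that walks a directory tree and reports every file whose SHA-256 appears in the report. Two things the list itself shows and a hunt has to account for: the copy of the sample re-dropped into Temp (849KB, SHA256 85919c8f…) is not the same file as the 1.8MB submission (c5211f5e…), so keying only on the submitted hash misses the second-stage binary; and Admin1.bat is listed twice with different sizes and hashes, so the script rewrote it during the run and both values belong in the table.

```python
"""Hunt a directory tree for the files listed in the Downloads section above
by SHA-256 (added example; the hash table is transcribed from the report, the
scanning code is not the sandbox's)."""
import hashlib
import os
import sys

# SHA-256 -> label, transcribed from the report. The dropped copy of the sample
# (849KB) is a different file from the 1.8MB submission, so both are listed.
REPORT_SHA256 = {
    "c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718": "submitted sample, 1.8MB",
    "85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad": "dropped ..._icedid.exe, 849KB",
    "b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47": "@AE4594.tmp.exe",
    "b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5": "a0x.bat",
    "5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950": "tmp4B13.tmp",
    "a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f": "tmp4B46.tmp",
    "4ba92991a1d2766adfd09e7449adc4cb78454879a53b2d98791aab70eeaa1be1": "WdExt.exe",
    "048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7": "kb50145.exe",
    "b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1": "module_launcher.exe",
    "ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd": "Admin0.bat",
    "9a9b32ef84f90989f879733bd5b57c33269b5ec3d4d413200cb0fa59ea255caf": "Admin1.bat, 196B",
    "0fc913a1097d2ccebb0a47af0097625f0f9022af0b28e75853535b9ac386068a": "Admin1.bat, 122B",
    "bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b": "Admin2.bat",
    "93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a": "mydll.dll",
    "22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778": "injector_s.exe",
}

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large drops are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, iocs=REPORT_SHA256):
    """Return [(path, sha256, label)] for every regular file under root whose hash is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # locked, unreadable, or gone between listing and open
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits

if __name__ == "__main__":
    # Default to the roaming profile, where this run staged most of its files.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for path, digest, label in scan_tree(root):
        print(f"{digest}  {label}  {path}")
```

Because the batch files are at most a couple of hundred bytes and were written on a host whose user is Admin, expect their hashes to differ on another victim; the executables and mydll.dll are the entries worth keying alerts on, together with the path patterns visible in the process tree.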