Malware Analysis Report

2025-08-05 20:46

Sample ID: 240302-3ejczaag37
Target: 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid
SHA256: c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: c5211f5e916e3b8cadda77f5d79151ddef3eaae866cf9b320c1de172bced0718

Threat Level: Shows suspicious behavior

The file 2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 23:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 23:25
Reported: 2024-03-02 23:28
Platform: win7-20240215-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of write events recorded for that source/target pair.

Description | Indicator | Process | Target | Count
PID 1512 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe | C:\Windows\SysWOW64\explorer.exe | 6
PID 2336 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe | 4
PID 2336 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe | 4
PID 320 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 320 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2820 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | 4

Processes

Each process image is followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"

C:\Windows\SysWOW64\explorer.exe
    explorer.exe

C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
    "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\@AE122A.tmp.exe

MD5 2a95ce552bc4a072f150010f24954278
SHA1 39e2ee745709c5978dc9b3e9c4ceb21dbb90a29e
SHA256 b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47
SHA512 3a54baa6c56fba65267fd2953277d247717cd39bc15deb56eb9e01382b84d631bb76af69304797cc286ea7b1c2d6971254def6fdc071320cfd5edd0843f2079d

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

MD5 5fa459f72469b2aa0275c91b56757dde
SHA1 6c55be0c1224528097519fd988a1e5b402092c8a
SHA256 85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad
SHA512 1b8f067f515498ca4422ed6e66145f8959209428b32b843ee01d92ceed15bc07789d71107e47898a78315843407286ad55da688822510b2549ebbf090b74371f

memory/320-17-0x0000000010000000-0x0000000010015000-memory.dmp

\Users\Admin\AppData\Roaming\Temp\mydll.dll

MD5 7ff15a4f092cd4a96055ba69f903e3e9
SHA1 a3d338a38c2b92f95129814973f59446668402a8
SHA256 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA512 4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

MD5 902a1098f800859502aec4eac3026495
SHA1 a6b209e9aa15087670e830af5de8179b31abc897
SHA256 ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd
SHA512 cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 967c6e4fac3af1d7fea7f208ac75a724
SHA1 5d73713822d90c8984415831f5f4388bbd6a79dd
SHA256 3274702d4e952f42f61018bed22e034969eac1364c151bbc7fa8d0cbff38a3de
SHA512 1111b863cc2a349bdba8027e0c4dda2ce1c750dba86039a6c0d28b8bdc48a6984e322337e3c5d402651cf21640fdf8b25046e2d4ff984b3a161428227cf19035

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

MD5 9a5149b03c703767df223ca5d93a5115
SHA1 b93beb97fb718be99fd522009c039a4a9e81cb92
SHA256 93e2cbdd349e73c825714a9e00f9aa2bb05ca28c0699d3696da24002ceeef11b
SHA512 8131317ac5e28484ef879f566550717c9b3082285f7300e86eb9bbcccf1a151bb3202475b56b9442d79a7041d2f623d3916b98ba2e2cdc88a9b5eae994efd153

C:\Users\Admin\AppData\Local\Temp\tmp14D9.tmp

MD5 864484e1394eaaa2e9a8a63f01c97be0
SHA1 d02a92d866232f22a8477ab99e6d27354fa310f2
SHA256 e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0
SHA512 16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 23:25
Reported: 2024-03-02 23:28
Platform: win10v2004-20240226-en
Max time kernel: 127s
Max time network: 133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\"" | C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\injector_s.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of write events recorded for that source/target pair.

Description | Indicator | Process | Target | Count
PID 4176 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe | C:\Windows\SysWOW64\explorer.exe | 5
PID 2920 wrote to memory of 1840 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe | 3
PID 2920 wrote to memory of 2176 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe | 3
PID 1840 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1840 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3220 wrote to memory of 1736 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | 3
PID 1736 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3080 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe | 3
PID 4624 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3288 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe | 3
PID 1380 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe | C:\Users\Admin\AppData\Roaming\injector_s.exe | 3
PID 1380 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1412 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Roaming\injector_s.exe | C:\Windows\Explorer.EXE | 1

Processes

Each process image is followed by the command line it was started with.

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"

C:\Windows\SysWOW64\explorer.exe
    explorer.exe

C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe"

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
    "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
    "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 1736

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "

C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
    "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"

C:\Users\Admin\AppData\Roaming\injector_s.exe
    "C:\Users\Admin\AppData\Roaming\injector_s.exe"

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\@AE4594.tmp.exe

MD5 2a95ce552bc4a072f150010f24954278
SHA1 39e2ee745709c5978dc9b3e9c4ceb21dbb90a29e
SHA256 b550c5c57d5c7ba93dd19119479d3b3ce3a291ec6ccfdde125c6223302342e47
SHA512 3a54baa6c56fba65267fd2953277d247717cd39bc15deb56eb9e01382b84d631bb76af69304797cc286ea7b1c2d6971254def6fdc071320cfd5edd0843f2079d

memory/1840-13-0x0000000010000000-0x0000000010015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-03-02_49c5944b6479ea290b5d2e85942675c7_icedid.exe

MD5 5fa459f72469b2aa0275c91b56757dde
SHA1 6c55be0c1224528097519fd988a1e5b402092c8a
SHA256 85919c8f8505cb368ed4809e42b681776b53bdfafdd1a1c853232f9b78cb58ad
SHA512 1b8f067f515498ca4422ed6e66145f8959209428b32b843ee01d92ceed15bc07789d71107e47898a78315843407286ad55da688822510b2549ebbf090b74371f

C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

MD5 8d7db101a7211fe3309dc4dc8cf2dd0a
SHA1 6c2781eadf53b3742d16dab2f164baf813f7ac85
SHA256 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA512 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

MD5 902a1098f800859502aec4eac3026495
SHA1 a6b209e9aa15087670e830af5de8179b31abc897
SHA256 ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd
SHA512 cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 ea76e92bc178b934da0085ae56fac8fb
SHA1 77e38ea7f93f5e50752a0a71b12066fbcaa16ee8
SHA256 9a9b32ef84f90989f879733bd5b57c33269b5ec3d4d413200cb0fa59ea255caf
SHA512 c1cd5d5db1aa409705b3946d0ff83c3b3e9b36a2090af43028240ef5f8f89762b461bb708d38d13e43dcb06ebbf4a5fab47bbbc840d20b215b702270a18c5638

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

MD5 ff41dd9692f346480859d07f87f7a2c5
SHA1 142607a69d29a91c3eedf01f6568c251c29c98f1
SHA256 4ba92991a1d2766adfd09e7449adc4cb78454879a53b2d98791aab70eeaa1be1
SHA512 fe39e615d732e4652583a41725b07be675296f7257561869876d4f851e43fe4c1828eaf70ed76b94fcfcf4a24366d204e8c95f5d7a7eaaa31198b55e90f52a0f

C:\Users\Admin\AppData\Local\Temp\tmp4B13.tmp

MD5 713537a3f79d36f0eaeaf8e8fba96322
SHA1 f03481707b940065e41ce008eda643eea78ffe40
SHA256 5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950
SHA512 0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3

C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

MD5 6ff3155e619e2c601db536c88741e094
SHA1 c71bfc0a9b11db33c801035e06d31a03e2901dd0
SHA256 b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1
SHA512 8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

C:\Users\Admin\AppData\Local\Temp\tmp4B46.tmp

MD5 ccf05ce9abe252cc7d68b2ff8ab6cfb7
SHA1 8739e9e007b62d9434bd5d06d5d312d255496a00
SHA256 a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f
SHA512 e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 b37090c9207307e2708db124ef72d1cb
SHA1 1523d234c7c318069c3c563739504a4a66366f71
SHA256 0fc913a1097d2ccebb0a47af0097625f0f9022af0b28e75853535b9ac386068a
SHA512 85dad0669c87ae39c4f6cf6c1aa20d3de417fe7f9cb07a54968854808a0fdd8ad7e1a1a4ddcd77a73290d345a6be0f2f7a99786c9ef0dc5da66d26cbe675099a

C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

MD5 85eb3280f9675f88d00040cbea92277f
SHA1 2fece0a30b2153b4a9fee72fe5a637dee1967a2f
SHA256 bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b
SHA512 2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe

MD5 8bf335774fbb62bbe1de03921dfe047a
SHA1 24fc750a20aebb52f23e84264d201f458106d95d
SHA256 048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7
SHA512 aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

C:\Users\Admin\AppData\Roaming\injector_s.exe

MD5 1d1491e1759c1e39bf99a5df90311db3
SHA1 8bd6faed091bb00f879ef379715461130493e97f
SHA256 22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778
SHA512 ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

C:\Users\Admin\AppData\Local\Temp\a0x.bat

MD5 804bb96081db73d249b1d21573d8ea59
SHA1 abf76e8d0702ce245bb7afbb513cdcc8bac6ab35
SHA256 b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5
SHA512 d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c