a76d0e7cd0fcd8c44ed4f70d3fee346b5ddb3e3354b21ea8f1cd57467b4281af

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
Size

12.1MB
MD5

4a2326c51a11aebee89cc2bd4a1a436c
SHA1

5597e8165ee171b89ad1e3cc7156d64c3ce1c16a
SHA256

a76d0e7cd0fcd8c44ed4f70d3fee346b5ddb3e3354b21ea8f1cd57467b4281af
SHA512

d466a68c6667047ae7b66c1483141ddc0e0cf22af67b4cd6fe0c0e115f756b2070bf3898acb9f04280ca4b632fd7d57a7e759c19b7362456f7a0502e7b7567e6
SSDEEP

393216:H49zlXBsgP1OJ54iTRXtU6m/ovuFrFlhNb:H0FBfo5/UjllhB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\iQIYI\skin\download\download_progress_bk_mid.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\PersonalCenters.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\listUI\listUI_page_pre_not_click.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Menubar\travel_1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\homepageRes\hp_focus_ctrl_bk.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\listUI_page_pre_def.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\register\sns2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\filter_combo_bottom.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\homepageRes\homepageRes_TagTitle_Long_Hot_4.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\listUI\poster_bk_2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\titleRes\search_left.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\HomePageTagLongVideoCtrl.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\set\keydis.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Menubar\life_2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\label_bar_334_233.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\info\img\btB2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\RecomItem.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\common\selected.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_PlayListPoster.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\download\download_checkbox_selected.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\listUI\VD_center.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_listviewbk_right_151.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\image\loginnamecom1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\LoginWnd.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\filter_sort_item_right_selected.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\filter_spline_line.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\image\ps_delete1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\download\download_progress_bk_mid.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Menubar\more_1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\Push\push_imagetips.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\Upload\upload_item_uploading_normal.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\download\download_cancel_selected.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\Push\push_bk_mid.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\Menubar\car_1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\listUI\btn_desktoped.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_rollviewbk_right_284.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\PlayRecordMain.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\AlbumInfo_right.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\cartoon\cartoon-middle.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\listUI_page_turn_hot.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PosterHomeEx.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\Menubar\adv_2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_rollviewtextbk_hover_right_34.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_rollviewtextbk_hover_left_30.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\listUI\filter_top_item_close.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Menubar\cartoon_1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\image\record_play2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\videosquare\videosquare_itemex_floder_background.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\MyAccountInfo.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\PosterDetail.xml	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\backtotop_hot.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\listUI\btn_favord_1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\InsetControls\ic_transparentshade_30.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Menubar\sports_2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\homepageRes\homepageRes_HadFavoriteNormal.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\Upload\upload_wantto_upload_normal.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\billboard\billboard_ListHover_small.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\suggest\suggest_item_top.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\titleRes\title_max_selected.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\updateUI.swf	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File opened for modification	C:\Program Files (x86)\iQIYI\skin\PersonalCenter\image\playrecordBK1.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\right_n.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\homepageRes\homepageRes_TagTitle_Long_Normal_2.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
File created	C:\Program Files (x86)\iQIYI\skin\label_bar_120_160.png	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 736	4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe	92
PID 4140 wrote to memory of 736	4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe	92
PID 4140 wrote to memory of 736	4140	2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_4a2326c51a11aebee89cc2bd4a1a436c_icedid.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" "\PinItem.vbs" /uninst /taskbar /item:"\QiyiClient.exe"
  2⤵
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\iQIYI\fkskin\UpdateClient\update_bk_bottom.png

Filesize
191B

MD5
42b90b1c325f0d1ff36a46ecb19b5ebb

SHA1
60190949be708ac806dab7bd40a54c7d608baa13

SHA256
0c45bcac4031a64640966f87b2f74d29d4157cb85e3065b7e85d164730fc3b8c

SHA512
0fcbe099146d9bd6a493498d7b223029aeecb76204f6e12e1d8166acd367c64c28def65fa6c6cb883e82c685b12bd06525c017014f5cc9d45573f9f2cc194414

Download Submit
C:\Program Files (x86)\iQIYI\fkskin\UpdateClient\update_bk_mid.png

Filesize
127B

MD5
cc868e039b3b070024530babd06e19c7

SHA1
cab6b14a51b27fdfdd6d1ef0aee6ad038a0b6406

SHA256
0b429673608d6a4dec0d06884cb71f97f5961b7d412f40350b918971038d4949

SHA512
7972d2aa096e6ef132e66f816c032ee14febffdbc28216649ea6c103b2c14e41711ac803c8d021637205a5228a535ef3528f83bd777eac51e08ebb5acc04efb9

Download Submit
C:\Program Files (x86)\iQIYI\fkskin\UpdateClient\update_close1.png

Filesize
256B

MD5
ab3c5f30382dcf44f53a1217db52c4d6

SHA1
3319e487f4e42fb8a743d14c32c4598a17c0c692

SHA256
819129b03327338e938581d3093710fca1c4b29bd8b93a1c072e0d4624ed474d

SHA512
bcf81b85ba7cce9697382fc60a4fbc7247170950aa1de7565807632c752f74597af5789a81e95ca9bb10911eb34d7952afbb30e11c87a0306d718b2c8f799b0a

Download Submit
C:\Program Files (x86)\iQIYI\fkskin\UpdateClient\update_close2.png

Filesize
279B

MD5
7756e8a0627d3698f8420763a3abd15e

SHA1
1b5f3dbb80f53359633ae1761295c89854bd0a66

SHA256
437b4c54b41d8980ae79e1c7aa37b092757a6c62b111d5c837a564ebe99a6c48

SHA512
08f7fb8c613c9ea921261ed5c4a1c1a102998e52867e32fe98dd08181f29e79bc5f9a53a5da04da5770ec688438e3142b88d7764596617d2439b808681ad9f63

Download Submit
C:\Program Files (x86)\iQIYI\skin\PersonalCenter\common\Close1.png

Filesize
216B

MD5
0fa970b2e1266fddf8a8b7e25169eb6d

SHA1
95b377900565671581c9c2ccd8962946b89e9f43

SHA256
1c58f4d8c0ee380c192f0b8fa21c617f5f73b1a162cc6ca510e9839a7cd6a326

SHA512
279c0a3c40fe516030d2f718156520ab0ba6de546ecd4f9c222ab92d780d4803e22dd1b58b9373bae80931e27b85ce6f22eccf7237a33d49b22192962e825646

Download Submit
C:\Program Files (x86)\iQIYI\skin\PersonalCenter\common\Close2.png

Filesize
243B

MD5
283d4d2e923ac3b43f0746d30a21a9c3

SHA1
c69df28d2de2a1e50d3d03bf6c149f2e0398932e

SHA256
8aebe8297c96b50ddf8f5427d00791b80f60b7e3785a0659b29cb6ce53da0f54

SHA512
01331e9889f766c11be22ea4cfa58215a33dbb0a11d95fa12f58e6b351610f6756116bd3f905382fefdbfafd26f85999621cc66ba5e2da8f8e3aa146c8bffa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiyi_install.ini

Filesize
40KB

MD5
0cc34e535eb775672044f4d1cdb7fb1e

SHA1
3c0e298bd3e4c7534592fd97f513bb8541eb7619

SHA256
d9c480bd7c141cf416cdd0e5445a834d6f26c7f6482d8590c771eee81159a83e

SHA512
bdbf68308f646189b28b840eaa160a8297247dc9a450c56354fc8b8cb3c38732ab96ec77a32682086a1bd04be9882a2ba59fea5afef0cd093708fa6d1161bcf9

Download Submit