d1194b88997b4bf9aded2febf56432514c675314442cfd119573da00e8477e7d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe
Size

4.0MB
MD5

b00803d786570487ed283bafd7ad7550
SHA1

978bd4d20989516d6d54d44437c82551909e7a93
SHA256

d1194b88997b4bf9aded2febf56432514c675314442cfd119573da00e8477e7d
SHA512

4235ad434f5fd3df1b0c9e48d15c0bf8edc07b28646dc1d0e9cc2ced54bb8056039912ff0f624c76ac46ff8cf44a34c2f2a159aaf5fc526dfd99bc57b4d61cba
SSDEEP

98304:81ZjPBp6mvIdR5fmBsTnzixI8aho6xoAdpXybDZh3Pe/R6hxvWbrtUTrUHOZ:E+5ZnXh12AdpXybDZh3Pe/Ux+NcIOZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2008	@AE1A83.tmp.exe
3008	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe
2328	WdExt.exe
1612	launch.exe

Loads dropped DLL 9 IoCs

pid	Process
2076	explorer.exe
2076	explorer.exe
2076	explorer.exe
2008	@AE1A83.tmp.exe
1648	cmd.exe
1648	cmd.exe
2328	WdExt.exe
3040	cmd.exe
3040	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2008	@AE1A83.tmp.exe
2328	WdExt.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe
1612	launch.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2276 wrote to memory of 2076	2276	2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe	28
PID 2076 wrote to memory of 2008	2076	explorer.exe	29
PID 2076 wrote to memory of 2008	2076	explorer.exe	29
PID 2076 wrote to memory of 2008	2076	explorer.exe	29
PID 2076 wrote to memory of 2008	2076	explorer.exe	29
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2076 wrote to memory of 3008	2076	explorer.exe	30
PID 2008 wrote to memory of 1648	2008	@AE1A83.tmp.exe	31
PID 2008 wrote to memory of 1648	2008	@AE1A83.tmp.exe	31
PID 2008 wrote to memory of 1648	2008	@AE1A83.tmp.exe	31
PID 2008 wrote to memory of 1648	2008	@AE1A83.tmp.exe	31
PID 2008 wrote to memory of 1028	2008	@AE1A83.tmp.exe	33
PID 2008 wrote to memory of 1028	2008	@AE1A83.tmp.exe	33
PID 2008 wrote to memory of 1028	2008	@AE1A83.tmp.exe	33
PID 2008 wrote to memory of 1028	2008	@AE1A83.tmp.exe	33
PID 1648 wrote to memory of 2328	1648	cmd.exe	35
PID 1648 wrote to memory of 2328	1648	cmd.exe	35
PID 1648 wrote to memory of 2328	1648	cmd.exe	35
PID 1648 wrote to memory of 2328	1648	cmd.exe	35
PID 2328 wrote to memory of 3040	2328	WdExt.exe	36
PID 2328 wrote to memory of 3040	2328	WdExt.exe	36
PID 2328 wrote to memory of 3040	2328	WdExt.exe	36
PID 2328 wrote to memory of 3040	2328	WdExt.exe	36
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38
PID 3040 wrote to memory of 1612	3040	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\@AE1A83.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE1A83.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2328
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:1028
- - C:\Users\Admin\AppData\Local\Temp\2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe"
    3⤵
    - Executes dropped EXE
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@AE1A83.tmp.exe

Filesize
1.7MB

MD5
0fdc502969fb26a0e7b944c4b4e2b654

SHA1
dddf54dc786762d9bb72dff6e8a0f89622229be0

SHA256
cd7b8e7054def7b65436b15ca2f2cbfe6bcd121dbbfdb8e0ea1deb8fe641460d

SHA512
ee61d15c4806fd64764baec95209c71930bef28112205de78bfeab47c6e27deacc26f3adfec4fc20e22470ced5c310fefc3e362750bbeab391c91aa8c8513993

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D03.tmp

Filesize
229KB

MD5
6f90e1169d19dfde14d6f753f06c862b

SHA1
e9bca93c68d7df73d000f4a6e6eb73a343682ac5

SHA256
70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc

SHA512
f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
433f3efbfd64aeaef9eca910fde5c1cb

SHA1
f21dedf09c2c40b00ee0218394de66f74605110b

SHA256
105c5c1ae9b40a5504d36dda8c2c7c236f624a7ea91e29f49b811473b5d790ac

SHA512
9dc38c270949fa6d1fe28e051ec951ac2d428b20e98d45af9cd5bdc256453b3ee47398329cf9c83fc5dc8528077944210ec181fc5181a3e47a666fdf2b4f1790

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
fd05c88013132f8a1c9bc60b9810c706

SHA1
6b222d151810a1f697e37b1c7610049febaac279

SHA256
a6bd23521a94356df5f6179c176218473480c714879dfee64afe3f73d62971e2

SHA512
479f4cde9ec9e395c4de0870f6f9c19e7ac54743fa7ff29d2c8f3c98c0bef15ecda870bb8737062728688c1d1a31cdf8a330290933c58ab78d465b0fb9bb0287

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
126B

MD5
34467238d4f5524306ba7d66d6430420

SHA1
0d0c799344d1779ff112c40aaafcbfdbc6ffb4fe

SHA256
66ad172f8070fc6d07e677c0e4496283e695128294848487aaa1042d8272975c

SHA512
4a16e1da4024c24e46fb89a742611624dc850ad9d56f06002c95a606fea225200e82baf9b3b427410f759bec2658e4f1c75e4eb526e29ee1f11bebb664eddab3

Download Submit
\Users\Admin\AppData\Local\Temp\2024-03-11_b00803d786570487ed283bafd7ad7550_icedid.exe

Filesize
2.3MB

MD5
ad57d6438f8306524d50b18bb0e0d496

SHA1
22307508f50a0f345d3ee6eb667d85defe4b7b3b

SHA256
4f50eb7a751fed543a66ec75a25b2a93ee88c6ae58377a479741755e9a60d137

SHA512
af6b73d1c3c6d5adea4f2b1fd0c1a4fdcef2a4ce033b32fee75f9e2381c90e284ced0c9108e374c0c79c0a3dd9bc43c9828c2c5e72e6cfcf1fdc26019c5f1295

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1612-268-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2008-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download