95c05916fa06a693c22a4132cba139ddb32733bcd26b917e70f85c5990e99cab

Analysis

max time kernel
118s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
Size

284KB
MD5

a1e11f3a292eef2aeac0cb063c3b0de1
SHA1

c29f5dbbdf7d524e44bb68987e60e48f5dda419c
SHA256

95c05916fa06a693c22a4132cba139ddb32733bcd26b917e70f85c5990e99cab
SHA512

8d52ad54ad930f28b847fd8a69b57eb9bb3f3d61222603fb4fa6fdb5625529ad3e360a598de6e54ceb24e8e745ca79de14263bc078964889bb0ce960347547ea
SSDEEP

6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2216	sethome3546.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\sethome3546.exe	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
File created	\??\c:\windows\system\sethome3546.exe	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
2216	sethome3546.exe
2216	sethome3546.exe
2216	sethome3546.exe
2216	sethome3546.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2216	1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe	30
PID 1928 wrote to memory of 2216	1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe	30
PID 1928 wrote to memory of 2216	1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe	30
PID 1928 wrote to memory of 2216	1928	2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_a1e11f3a292eef2aeac0cb063c3b0de1_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- \??\c:\windows\system\sethome3546.exe
  c:\windows\system\sethome3546.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk

Filesize
965B

MD5
30c0b600abc3042f63da2eefd4b911d9

SHA1
ce51be965167657fc8caa7ebefa395d392bbaf64

SHA256
52fff9450ea9156d92d7b3b5b24e553eef48591083760eea0a78c02397078ad9

SHA512
7d7b0f56c3717895106bc4bedcc69166b69bee866a3e8e26b4415d7d66689435b55ad7d0938561344c2c4a54cd3f5552d273fd7ac251297b597a588d8dd55aff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
5d2a60595e9920fc5d7945acd98e64cb

SHA1
84a4544cc524b8b2771723aadfd461174dde85a4

SHA256
7d91be3f8c03c960fcbb10c1856c840b761f7576c51c98d6358041d109821e07

SHA512
74ccda5f62336e705b175a5ec8bd354a7dd80c15c6574fc34a4e13ecf1ca8545a1cf7f16ccf83f639d8b1dd0ed590f28fabc56a2b11db1f3a66ab4b2355cc58c

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
0b64b528a2f09e7e7022a2a3a489e0b4

SHA1
5d4e564cd922a5443e8b92208cc67b4ee1539778

SHA256
4bbeefe81e0cd3c79cb16c4be9d983c38353bdabfc6358f33a8a436d43b0c338

SHA512
0e40414bdc05dde6455a6dc9613811392a83c77d979c814b9b6c7f435411c049e78e15bdb0f40ce73f23a79d22e3ffac9edf090db4ce05536b5bcd7811092d34

Download Submit
\Windows\system\sethome3546.exe

Filesize
284KB

MD5
02cb7658a4de64f1a04be4d94c28d4e2

SHA1
0c31970396c4320a6fe7bd49249165771bdff429

SHA256
e30fdf4e3831ef5c3446b746d6d9034c5247d4ef8b6212bed438f594ad512429

SHA512
ec5fea9c3fc301966973db73954b1c281660a3147c4ea3d01431d8f63ae3a36d841d16a59b6d1cbf66dcbc12022b765bede8d1c4970ddc79f16e97ca63292d8b

Download Submit